Edit tour

Windows Analysis Report
urS3jQ9qb5.jar

Overview

General Information

Sample name:	urS3jQ9qb5.jar renamed because original name is a hash value
Original sample name:	0781770e55d04cd363e0da0b168cb8550db96faf6790fd7a17b216d80b0bff43.jar
Analysis ID:	1577278
MD5:	c61d3cf6584e6b4c19c092f55cd3c37c
SHA1:	80f4680dcbaedb8b981e27b552c458cb8baa3d13
SHA256:	0781770e55d04cd363e0da0b168cb8550db96faf6790fd7a17b216d80b0bff43
Tags:	canstealer-comjaruser-JAMESWT_MHT
Infos:

Detection

Can Stealer

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Attempt to bypass Chrome Application-Bound Encryption

Yara detected Can Stealer

AI detected suspicious sample

Exploit detected, runtime environment dropped PE file

Exploit detected, runtime environment starts unknown processes

Maps a DLL or memory area into another process

Sigma detected: Potential Data Stealing Via Chromium Headless Debugging

Sigma detected: Suspicious Processes Spawned by Java.EXE

Tries to harvest and steal browser information (history, passwords, etc)

Uses the Telegram API (likely for C&C communication)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Browser Execution In Headless Mode

Sigma detected: Browser Started with Remote Debugging

Uses cacls to modify the permissions of files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

cmd.exe (PID: 5260 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\urS3jQ9qb5.jar"" >> C:\cmdlinestart.log 2>&1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

java.exe (PID: 7076 cmdline: "C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\urS3jQ9qb5.jar" MD5: 9DAA53BAB2ECB33DC0D9CA51552701FA)

icacls.exe (PID: 2420 cmdline: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M MD5: 2E49585E4E08565F52090B144062F97E)

conhost.exe (PID: 5176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 5008 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

conhost.exe (PID: 5368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 1824 cmdline: taskkill /F /IM msedge.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 3700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msedge.exe (PID: 5936 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9222 --remote-allow-origins=* --headless=new "--user-data-dir=C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --profile-directory=Default MD5: BF154738460E4AB1D388970E1AB13FAB)

msedge.exe (PID: 6432 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --mojo-platform-channel-handle=2220 --field-trial-handle=2200,i,14542655992206268435,5345874362756647771,262144 --disable-features=PaintHolding /prefetch:3 MD5: BF154738460E4AB1D388970E1AB13FAB)

taskkill.exe (PID: 8840 cmdline: taskkill /F /IM msedge.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 8924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 8976 cmdline: taskkill /F /IM chrome.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 8984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chrome.exe (PID: 9036 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --remote-allow-origins=* --headless=new "--user-data-dir=C:\Users\user\AppData\Local\Google\Chrome\User Data" --profile-directory=Default MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 672 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Google\Chrome\User Data" --mojo-platform-channel-handle=2116 --field-trial-handle=2024,i,13611784778153370748,11681789006057499304,262144 --disable-features=PaintHolding /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

taskkill.exe (PID: 7700 cmdline: taskkill /F /IM brave.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

HOSTNAME.EXE (PID: 7388 cmdline: hostname MD5: B1C51FED46434CF91E65C7B605F8EF3A)

conhost.exe (PID: 7804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

HOSTNAME.EXE (PID: 8116 cmdline: hostname MD5: B1C51FED46434CF91E65C7B605F8EF3A)

conhost.exe (PID: 8064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

HOSTNAME.EXE (PID: 7472 cmdline: hostname MD5: B1C51FED46434CF91E65C7B605F8EF3A)

conhost.exe (PID: 7564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

HOSTNAME.EXE (PID: 7300 cmdline: hostname MD5: B1C51FED46434CF91E65C7B605F8EF3A)

conhost.exe (PID: 7252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

HOSTNAME.EXE (PID: 7492 cmdline: hostname MD5: B1C51FED46434CF91E65C7B605F8EF3A)

conhost.exe (PID: 7512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

HOSTNAME.EXE (PID: 7620 cmdline: hostname MD5: B1C51FED46434CF91E65C7B605F8EF3A)

conhost.exe (PID: 7448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

HOSTNAME.EXE (PID: 7356 cmdline: hostname MD5: B1C51FED46434CF91E65C7B605F8EF3A)

conhost.exe (PID: 8920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

HOSTNAME.EXE (PID: 7324 cmdline: hostname MD5: B1C51FED46434CF91E65C7B605F8EF3A)

conhost.exe (PID: 7888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

HOSTNAME.EXE (PID: 4032 cmdline: hostname MD5: B1C51FED46434CF91E65C7B605F8EF3A)

conhost.exe (PID: 4548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

HOSTNAME.EXE (PID: 876 cmdline: hostname MD5: B1C51FED46434CF91E65C7B605F8EF3A)

conhost.exe (PID: 5320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

HOSTNAME.EXE (PID: 3328 cmdline: hostname MD5: B1C51FED46434CF91E65C7B605F8EF3A)

conhost.exe (PID: 2828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

HOSTNAME.EXE (PID: 7852 cmdline: hostname MD5: B1C51FED46434CF91E65C7B605F8EF3A)

conhost.exe (PID: 7856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

HOSTNAME.EXE (PID: 3300 cmdline: hostname MD5: B1C51FED46434CF91E65C7B605F8EF3A)

conhost.exe (PID: 1492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

HOSTNAME.EXE (PID: 5008 cmdline: hostname MD5: B1C51FED46434CF91E65C7B605F8EF3A)

conhost.exe (PID: 5644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

HOSTNAME.EXE (PID: 7400 cmdline: hostname MD5: B1C51FED46434CF91E65C7B605F8EF3A)

conhost.exe (PID: 7420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

HOSTNAME.EXE (PID: 4976 cmdline: hostname MD5: B1C51FED46434CF91E65C7B605F8EF3A)

conhost.exe (PID: 5860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 4368 cmdline: wmic path win32_VideoController get name MD5: E2DE6500DE1148C7F6027AD50AC8B891)

conhost.exe (PID: 7292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 5340 cmdline: wmic cpu get name MD5: E2DE6500DE1148C7F6027AD50AC8B891)

conhost.exe (PID: 7580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7952 cmdline: wmic os get Caption /value MD5: E2DE6500DE1148C7F6027AD50AC8B891)

conhost.exe (PID: 7988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msedge.exe (PID: 4084 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9222 --remote-allow-origins=* --headless=new --user-data-dir="C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --profile-directory=Default --noerrdialogs --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: BF154738460E4AB1D388970E1AB13FAB)

msedge.exe (PID: 1976 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --mojo-platform-channel-handle=2160 --field-trial-handle=2052,i,8316993096475149264,6081251299301412000,262144 --disable-features=PaintHolding /prefetch:3 MD5: BF154738460E4AB1D388970E1AB13FAB)

msedge.exe (PID: 8284 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --mojo-platform-channel-handle=6580 --field-trial-handle=2052,i,8316993096475149264,6081251299301412000,262144 --disable-features=PaintHolding /prefetch:8 MD5: BF154738460E4AB1D388970E1AB13FAB)

msedge.exe (PID: 8320 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --mojo-platform-channel-handle=6960 --field-trial-handle=2052,i,8316993096475149264,6081251299301412000,262144 --disable-features=PaintHolding /prefetch:8 MD5: BF154738460E4AB1D388970E1AB13FAB)

identity_helper.exe (PID: 8436 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --mojo-platform-channel-handle=7076 --field-trial-handle=2052,i,8316993096475149264,6081251299301412000,262144 --disable-features=PaintHolding /prefetch:8 MD5: F8CEC3E43A6305AC9BA3700131594306)

identity_helper.exe (PID: 8448 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --mojo-platform-channel-handle=7076 --field-trial-handle=2052,i,8316993096475149264,6081251299301412000,262144 --disable-features=PaintHolding /prefetch:8 MD5: F8CEC3E43A6305AC9BA3700131594306)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000002.00000003.2435946154.00000000169E5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CanStealer	Yara detected Can Stealer	Joe Security
00000002.00000002.2638926084.000000000AC06000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CanStealer	Yara detected Can Stealer	Joe Security
00000002.00000002.2643684011.00000000169AC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CanStealer	Yara detected Can Stealer	Joe Security
00000002.00000003.2435636231.0000000016987000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CanStealer	Yara detected Can Stealer	Joe Security
Process Memory Space: java.exe PID: 7076	JoeSecurity_CanStealer	Yara detected Can Stealer	Joe Security
Process Memory Space: java.exe PID: 7076	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 1 entries

Sigma Signatures

System Summary

Sigma detected: Potential Data Stealing Via Chromium Headless Debugging

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9222 --remote-allow-origins=* --headless=new "--user-data-dir=C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --profile-directory=Default, CommandLine: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9222 --remote-allow-origins=* --headless=new "--user-data-dir=C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --profile-directory=Default, CommandLine|base64offset|contains: )^, Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe, NewProcessName: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe, OriginalFileName: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe, ParentCommandLine: "C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\urS3jQ9qb5.jar" , ParentImage: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe, ParentProcessId: 7076, ParentProcessName: java.exe, ProcessCommandLine: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9222 --remote-allow-origins=* --headless=new "--user-data-dir=C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --profile-directory=Default, ProcessId: 5936, ProcessName: msedge.exe

Sigma detected: Suspicious Processes Spawned by Java.EXE

Source: Process started

Author: Andreas Hunkeler (@Karneades), Florian Roth: Data: Command: wmic path win32_VideoController get name, CommandLine: wmic path win32_VideoController get name, CommandLine|base64offset|contains: h, Image: C:\Windows\SysWOW64\wbem\WMIC.exe, NewProcessName: C:\Windows\SysWOW64\wbem\WMIC.exe, OriginalFileName: C:\Windows\SysWOW64\wbem\WMIC.exe, ParentCommandLine: "C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\urS3jQ9qb5.jar" , ParentImage: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe, ParentProcessId: 7076, ParentProcessName: java.exe, ProcessCommandLine: wmic path win32_VideoController get name, ProcessId: 4368, ProcessName: WMIC.exe

Sigma detected: Browser Execution In Headless Mode

Source: Process started

Sigma detected: Browser Started with Remote Debugging

Source: Process started

Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9222 --remote-allow-origins=* --headless=new "--user-data-dir=C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --profile-directory=Default, CommandLine: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9222 --remote-allow-origins=* --headless=new "--user-data-dir=C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --profile-directory=Default, CommandLine|base64offset|contains: )^, Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe, NewProcessName: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe, OriginalFileName: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe, ParentCommandLine: "C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\urS3jQ9qb5.jar" , ParentImage: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe, ParentProcessId: 7076, ParentProcessName: java.exe, ProcessCommandLine: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9222 --remote-allow-origins=* --headless=new "--user-data-dir=C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --profile-directory=Default, ProcessId: 5936, ProcessName: msedge.exe

Sigma detected: Suspicious Execution of Hostname

Source: Process started

Author: frack113: Data: Command: hostname, CommandLine: hostname, CommandLine|base64offset|contains: -, Image: C:\Windows\SysWOW64\HOSTNAME.EXE, NewProcessName: C:\Windows\SysWOW64\HOSTNAME.EXE, OriginalFileName: C:\Windows\SysWOW64\HOSTNAME.EXE, ParentCommandLine: "C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\urS3jQ9qb5.jar" , ParentImage: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe, ParentProcessId: 7076, ParentProcessName: java.exe, ProcessCommandLine: hostname, ProcessId: 7388, ProcessName: HOSTNAME.EXE

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://canstealer.com/kaancevik63	Avira URL Cloud: Label: malware
Source: https://canstealer.com/	Avira URL Cloud: Label: malware

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.3% probability

Source: unknown	HTTPS traffic detected: 20.198.119.143:443 -> 192.168.2.6:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.198.119.143:443 -> 192.168.2.6:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.198.119.143:443 -> 192.168.2.6:49794 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.198.119.143:443 -> 192.168.2.6:49840 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.198.119.143:443 -> 192.168.2.6:49892 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.198.119.143:443 -> 192.168.2.6:49955 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.198.119.143:443 -> 192.168.2.6:50018 version: TLS 1.2

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	File opened: C:\Users\user\AppData\Local\Temp\jna-1820491375\	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	File opened: C:\Users\user\AppData\Local\Temp\jna-1820491375\jna5340335501256029183.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Software Vulnerabilities

Exploit detected, runtime environment starts unknown processes

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

Process created: C:\Windows\SysWOW64\tasklist.exe

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: Joe Sandbox View	IP Address: 162.159.61.3 162.159.61.3
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 185.199.110.133 185.199.110.133
Source: Joe Sandbox View	IP Address: 185.199.110.133 185.199.110.133

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	TCP traffic detected without corresponding DNS query: 20.198.119.143
Source: unknown	TCP traffic detected without corresponding DNS query: 20.198.119.143
Source: unknown	TCP traffic detected without corresponding DNS query: 20.198.119.143
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.198.119.143
Source: unknown	TCP traffic detected without corresponding DNS query: 20.198.119.143
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.198.119.143
Source: unknown	TCP traffic detected without corresponding DNS query: 20.198.119.143
Source: unknown	TCP traffic detected without corresponding DNS query: 20.198.119.143
Source: unknown	TCP traffic detected without corresponding DNS query: 20.198.119.143
Source: unknown	TCP traffic detected without corresponding DNS query: 20.198.119.143
Source: unknown	TCP traffic detected without corresponding DNS query: 20.198.119.143
Source: unknown	TCP traffic detected without corresponding DNS query: 20.198.119.143
Source: unknown	TCP traffic detected without corresponding DNS query: 20.198.119.143
Source: unknown	TCP traffic detected without corresponding DNS query: 20.198.119.143
Source: unknown	TCP traffic detected without corresponding DNS query: 20.198.119.143
Source: unknown	TCP traffic detected without corresponding DNS query: 20.198.119.143
Source: unknown	TCP traffic detected without corresponding DNS query: 20.198.119.143
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.177.84
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.177.84
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.177.84
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.177.84
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.177.84
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.177.84
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.177.84
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.177.84
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.177.84
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.177.84
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.177.84
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.177.84
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.177.84
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.177.84
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.177.84
Source: unknown	TCP traffic detected without corresponding DNS query: 20.198.119.143
Source: unknown	TCP traffic detected without corresponding DNS query: 20.198.119.143
Source: unknown	TCP traffic detected without corresponding DNS query: 20.198.119.143
Source: unknown	TCP traffic detected without corresponding DNS query: 20.198.119.143
Source: unknown	TCP traffic detected without corresponding DNS query: 20.198.119.143
Source: unknown	TCP traffic detected without corresponding DNS query: 20.198.119.143
Source: unknown	TCP traffic detected without corresponding DNS query: 20.198.119.143
Source: unknown	TCP traffic detected without corresponding DNS query: 20.198.119.143
Source: unknown	TCP traffic detected without corresponding DNS query: 20.198.119.143
Source: unknown	TCP traffic detected without corresponding DNS query: 20.198.119.143
Source: unknown	TCP traffic detected without corresponding DNS query: 20.198.119.143

Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIk6HLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIk6HLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_/scs/abc-static/_/js/k=gapi.gapi.en.ZpMpph_5a4M.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo_c5__TAiALeuHoQOKG0BnSpdbJrQ/cb=gapi.loaded_0 HTTP/1.1Host: apis.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIk6HLAQj6mM0BCIWgzQEIucrNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: global traffic	DNS traffic detected: DNS query: ntp.msn.com
Source: global traffic	DNS traffic detected: DNS query: bzib.nelreports.net
Source: global traffic	DNS traffic detected: DNS query: clients2.googleusercontent.com
Source: global traffic	DNS traffic detected: DNS query: chrome.cloudflare-dns.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: apis.google.com
Source: global traffic	DNS traffic detected: DNS query: api.gofile.io
Source: global traffic	DNS traffic detected: DNS query: play.google.com
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: canstealer.com
Source: global traffic	DNS traffic detected: DNS query: raw.githubusercontent.com

Source: unknown

HTTP traffic detected: POST /log?format=json&hasfast=true HTTP/1.1Host: play.google.comConnection: keep-aliveContent-Length: 905sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-platform: "Windows"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/117.0.0.0 Safari/537.36Content-Type: application/x-www-form-urlencoded;charset=UTF-8Accept: */*Origin: chrome-untrusted://new-tab-pageX-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIk6HLAQj6mM0BCIWgzQEIucrNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: java.exe, 00000002.00000002.2638926084.000000000A5F7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bugreport.sun.com/bugreport/
Source: java.exe, 00000002.00000002.2638926084.000000000AC06000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000A7C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
Source: java.exe, 00000002.00000002.2638926084.000000000AE6F000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000A7C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: java.exe, 00000002.00000002.2638926084.000000000AE6F000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000AC06000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000A7C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt
Source: java.exe, 00000002.00000002.2638926084.000000000AE6F000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000A7C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: java.exe, 00000002.00000002.2638926084.000000000AC06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt3
Source: java.exe, 00000002.00000002.2638926084.000000000AC06000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000A7C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
Source: java.exe, 00000002.00000002.2638926084.000000000AE6F000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000A7C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: java.exe, 00000002.00000002.2638926084.000000000A9B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html
Source: java.exe, 00000002.00000002.2638926084.000000000A9B0000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000AFA5000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000A7C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: java.exe, 00000002.00000002.2638926084.000000000A9B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl
Source: java.exe, 00000002.00000002.2638926084.000000000A9B0000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000AFA5000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000A7C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: java.exe, 00000002.00000003.2434809680.0000000016D81000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACer
Source: java.exe, 00000002.00000002.2638926084.000000000A9B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl
Source: java.exe, 00000002.00000002.2638926084.000000000A9B0000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000AFA5000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000A7C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: java.exe, 00000002.00000002.2638926084.000000000A9B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: java.exe, 00000002.00000002.2638926084.000000000A9B0000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000AFA5000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000A7C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: java.exe, 00000002.00000002.2638926084.000000000A9B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
Source: java.exe, 00000002.00000002.2638926084.000000000A9B0000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000AFA5000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000A7C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: java.exe, 00000002.00000002.2638926084.000000000AC06000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000A7C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
Source: java.exe, 00000002.00000002.2638926084.000000000AE6F000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000A7C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: java.exe, 00000002.00000002.2638926084.000000000AC06000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000A7C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl
Source: java.exe, 00000002.00000002.2638926084.000000000AE6F000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000A7C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: java.exe, 00000002.00000002.2638926084.000000000AC06000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000A7C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl
Source: java.exe, 00000002.00000002.2638926084.000000000AE6F000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000A7C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: java.exe, 00000002.00000002.2642541893.000000001607F000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2435417835.000000001607F000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000A7C0000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2644197266.0000000016DC8000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2434809680.0000000016D81000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://null.oracle.com/
Source: java.exe, 00000002.00000002.2642541893.000000001607F000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2435417835.000000001607F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://null.oracle.com/B
Source: java.exe, 00000002.00000002.2638926084.000000000AC06000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000A7C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com
Source: java.exe, 00000002.00000002.2638926084.000000000AE6F000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000AC06000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000A7C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: java.exe, 00000002.00000002.2638926084.000000000AE6F000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000AC06000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000A7C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: java.exe, 00000002.00000002.2638926084.000000000AE6F000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000AC06000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000A7C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: java.exe, 00000002.00000002.2638926084.000000000A9B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://policy.camerfirma.com
Source: java.exe, 00000002.00000002.2638926084.000000000A9B0000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000AFA5000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000A7C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://policy.camerfirma.com0
Source: java.exe, 00000002.00000002.2638926084.000000000A9B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/
Source: java.exe, 00000002.00000002.2638926084.000000000A9B0000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000AFA5000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000A7C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/0
Source: java.exe, 00000002.00000002.2638926084.000000000AB1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.chambersign.org
Source: java.exe, 00000002.00000002.2638926084.000000000A9B0000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000AFA5000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000A7C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.chambersign.org1
Source: java.exe, 00000002.00000002.2638926084.000000000A9B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm
Source: java.exe, 00000002.00000002.2638926084.000000000A9B0000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000AFA5000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000A7C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: java.exe, 00000002.00000002.2638926084.000000000A9B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps
Source: java.exe, 00000002.00000002.2638926084.000000000A9B0000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000AFA5000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000A7C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: java.exe, 00000002.00000002.2638926084.000000000AC06000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000A7C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.gofile.io/servers
Source: java.exe, 00000002.00000002.2638926084.000000000AC06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.gofile.io/serversC3
Source: java.exe, 00000002.00000002.2638926084.000000000AC06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.gofile.io/serversKu
Source: java.exe, 00000002.00000002.2617226534.000000000535E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: java.exe, 00000002.00000002.2638926084.000000000AC06000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000003.2383624447.00000000159A8000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2642124750.000000001599E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: java.exe, 00000002.00000002.2617226534.000000000535E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7771186573:AAHGj8VtumJ9kjTUYRUQm886fmn2UiPGXSk/sendMessage
Source: java.exe, 00000002.00000003.2435946154.00000000169E5000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2435636231.0000000016987000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2643684011.00000000169AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/botss
Source: java.exe, 00000002.00000002.2617226534.000000000500F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://canstealer.com/
Source: java.exe, 00000002.00000002.2617226534.000000000546E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://canstealer.com/kaancevik63
Source: java.exe, 00000002.00000003.2383624447.00000000159A8000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2642124750.000000001599E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/avatars/
Source: java.exe, 00000002.00000003.2435636231.0000000016987000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2643684011.00000000169AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/avatars/.ldb
Source: java.exe, 00000002.00000003.2383624447.00000000159A8000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2435946154.00000000169E5000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2642124750.000000001599E000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2435636231.0000000016987000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2643684011.00000000169AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/embed/avatars/0.png
Source: java.exe, 00000002.00000003.2435946154.00000000169E5000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2435636231.0000000016987000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2643684011.00000000169AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/embed/avatars/0.pngw
Source: java.exe, 00000002.00000003.2383624447.00000000159A8000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2273557661.00000000159D8000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2642124750.000000001599E000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2273763754.00000000159E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/TooTallNate/Java-WebSocket/wiki/Lost-connection-detection
Source: java.exe, 00000002.00000002.2641835595.00000000156E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/TooTallNate/Java-WebSocket/wiki/Lost-connection-detection/lang/
Source: java.exe, 00000002.00000002.2638926084.000000000A9B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com
Source: java.exe, 00000002.00000002.2638926084.000000000A9B0000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000AFA5000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000A7C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: java.exe, 00000002.00000003.2383624447.00000000159A8000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2642124750.000000001599E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paste-pgpj.onrender.com/?p=
Source: java.exe, 00000002.00000003.2437014648.0000000015F3F000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2642541893.0000000015EDB000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2435417835.0000000015F1A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paste-pgpj.onrender.com/?p=ava/l
Source: java.exe, 00000002.00000002.2617226534.0000000005199000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com
Source: java.exe, 00000002.00000002.2617226534.0000000005199000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/sonriseclient/kaancevik6-startup-6107/main/Java.jar
Source: java.exe, 00000002.00000002.2638926084.000000000A9B0000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000003.2393293665.000000000B000000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://repository.luxtrust.lu
Source: java.exe, 00000002.00000002.2638926084.000000000A9B0000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000AFA5000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000AFE7000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000A7C0000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000003.2393293665.000000000B000000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://repository.luxtrust.lu0
Source: java.exe, 00000002.00000003.2393293665.000000000B000000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://repository.luxtrust.lu3
Source: java.exe, 00000002.00000003.2274039052.0000000015DB5000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2642541893.0000000015CD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.slf4j.org/codes.html
Source: java.exe, 00000002.00000002.2642541893.0000000015CD0000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2642124750.000000001599E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.slf4j.org/codes.html#ignoredBindings
Source: java.exe, 00000002.00000002.2642541893.0000000015CD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.slf4j.org/codes.html#loggerNameMismatch
Source: java.exe, 00000002.00000003.2273763754.00000000159E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.slf4j.org/codes.html#multiple_bindings
Source: java.exe, 00000002.00000002.2642541893.0000000015CD0000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000A5F3000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000A610000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.slf4j.org/codes.html#noProviders
Source: java.exe, 00000002.00000003.2383624447.00000000159A8000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2642124750.000000001599E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.slf4j.org/codes.html#noProvidersionL
Source: java.exe, 00000002.00000002.2642541893.0000000015CD0000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2642124750.000000001599E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.slf4j.org/codes.html#replay
Source: java.exe, 00000002.00000002.2642541893.0000000015CD0000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2273557661.00000000159D8000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2642124750.000000001599E000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2273763754.00000000159E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.slf4j.org/codes.html#substituteLogger
Source: java.exe, 00000002.00000003.2383624447.00000000159A8000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2273557661.00000000159D8000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2642124750.000000001599E000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2273763754.00000000159E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.slf4j.org/codes.html#substituteLogger/M
Source: java.exe, 00000002.00000002.2642541893.0000000015CD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.slf4j.org/codes.html#unsuccessfulInit
Source: java.exe, 00000002.00000003.2274039052.0000000015DB5000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2642541893.0000000015CD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.slf4j.org/codes.html#unsuccessfulInit;
Source: java.exe, 00000002.00000002.2642541893.0000000015CD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.slf4j.org/codes.html#unsuccessfulInitG
Source: java.exe, 00000002.00000002.2642541893.0000000015CD0000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2273557661.00000000159D8000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2642124750.000000001599E000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2273763754.00000000159E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.slf4j.org/codes.html#version_mismatch
Source: java.exe, 00000002.00000003.2383624447.00000000159A8000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2273557661.00000000159D8000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2642124750.000000001599E000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2273763754.00000000159E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.slf4j.org/codes.htmlU

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50018
Source: unknown	Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49941
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49892
Source: unknown	Network traffic detected: HTTP traffic on port 50018 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49892 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49854 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49955
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49955 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49941 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: unknown	HTTPS traffic detected: 20.198.119.143:443 -> 192.168.2.6:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.198.119.143:443 -> 192.168.2.6:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.198.119.143:443 -> 192.168.2.6:49794 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.198.119.143:443 -> 192.168.2.6:49840 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.198.119.143:443 -> 192.168.2.6:49892 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.198.119.143:443 -> 192.168.2.6:49955 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.198.119.143:443 -> 192.168.2.6:50018 version: TLS 1.2

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_18B085CF	2_3_18B085CF
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_18B085CF	2_3_18B085CF
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_18B0A749	2_3_18B0A749
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_18B0A749	2_3_18B0A749
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_18B085CF	2_3_18B085CF
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_18B085CF	2_3_18B085CF
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_18B1070D	2_3_18B1070D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_18B0A749	2_3_18B0A749
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_18B0A749	2_3_18B0A749

Source: classification engine

Classification label: mal96.troj.spyw.expl.evad.winJAR@167/111@25/14

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\83aa4cc77f591dfc2374580bbd95f6ba_9e146be9-c76a-4720-bcdb-53011b87bd06

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7584:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7420:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8924:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3700:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7512:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5320:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4548:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7292:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7988:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7564:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8920:120:WilError_03
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2828:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5644:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7580:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7252:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1492:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5368:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8984:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7888:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8064:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7448:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5544:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5860:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5176:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7856:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7804:120:WilError_03

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

File created: C:\Users\user\AppData\Local\Temp\hsperfdata_user

Jump to behavior

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "msedge.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "msedge.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "chrome.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "brave.exe")
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: java.exe, 00000002.00000002.2646914740.0000000065BC4000.00000002.00000001.01000000.00000008.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: java.exe, 00000002.00000002.2646914740.0000000065BC4000.00000002.00000001.01000000.00000008.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
Source: java.exe, 00000002.00000002.2646914740.0000000065BC4000.00000002.00000001.01000000.00000008.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: java.exe, 00000002.00000002.2646914740.0000000065BC4000.00000002.00000001.01000000.00000008.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: java.exe, 00000002.00000002.2646914740.0000000065BC4000.00000002.00000001.01000000.00000008.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: java.exe, 00000002.00000002.2646914740.0000000065BC4000.00000002.00000001.01000000.00000008.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: java.exe, 00000002.00000002.2646914740.0000000065BC4000.00000002.00000001.01000000.00000008.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: java.exe, 00000002.00000002.2646914740.0000000065BC4000.00000002.00000001.01000000.00000008.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: java.exe, 00000002.00000002.2646914740.0000000065BC4000.00000002.00000001.01000000.00000008.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: java.exe, 00000002.00000003.2362980137.0000000017106000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: java.exe	String found in binary or memory: 0$h`[Lsun/launcher/LauncherHelper;
Source: java.exe	String found in binary or memory: Q()[Lsun/launcher/LauncherHelper;'
Source: java.exe	String found in binary or memory: Lsun/launcher/LauncherHelper;
Source: java.exe	String found in binary or memory: JLjava/lang/Enum<Lsun/launcher/LauncherHelper;>;
Source: java.exe	String found in binary or memory: Bsun/launcher/LauncherHelper$ResourceBundleHolder&
Source: java.exe	String found in binary or memory: Hsun/launcher/LauncherHelper$SizePrefix
Source: java.exe	String found in binary or memory: $sun/launcher/LauncherHelper$StdArg
Source: java.exe	String found in binary or memory: hq(Ljava/util/List<Lsun/launcher/LauncherHelper$StdArg;>;)[Ljava/lang/String;
Source: java.exe	String found in binary or memory: (Ljava/lang/String;)Lsun/launcher/LauncherHelper;
Source: java.exe	String found in binary or memory: N.in-addr.arpa
Source: java.exe	String found in binary or memory: sun/launcher/

Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\urS3jQ9qb5.jar"" >> C:\cmdlinestart.log 2>&1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe "C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\urS3jQ9qb5.jar"
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\tasklist.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9222 --remote-allow-origins=* --headless=new "--user-data-dir=C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --profile-directory=Default
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --mojo-platform-channel-handle=2220 --field-trial-handle=2200,i,14542655992206268435,5345874362756647771,262144 --disable-features=PaintHolding /prefetch:3
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9222 --remote-allow-origins=* --headless=new --user-data-dir="C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --profile-directory=Default --noerrdialogs --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --mojo-platform-channel-handle=2160 --field-trial-handle=2052,i,8316993096475149264,6081251299301412000,262144 --disable-features=PaintHolding /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --mojo-platform-channel-handle=6580 --field-trial-handle=2052,i,8316993096475149264,6081251299301412000,262144 --disable-features=PaintHolding /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --mojo-platform-channel-handle=6960 --field-trial-handle=2052,i,8316993096475149264,6081251299301412000,262144 --disable-features=PaintHolding /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --mojo-platform-channel-handle=7076 --field-trial-handle=2052,i,8316993096475149264,6081251299301412000,262144 --disable-features=PaintHolding /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --mojo-platform-channel-handle=7076 --field-trial-handle=2052,i,8316993096475149264,6081251299301412000,262144 --disable-features=PaintHolding /prefetch:8
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --remote-allow-origins=* --headless=new "--user-data-dir=C:\Users\user\AppData\Local\Google\Chrome\User Data" --profile-directory=Default
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Google\Chrome\User Data" --mojo-platform-channel-handle=2116 --field-trial-handle=2024,i,13611784778153370748,11681789006057499304,262144 --disable-features=PaintHolding /prefetch:8
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic cpu get name
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic os get Caption /value
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe "C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\urS3jQ9qb5.jar"	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9222 --remote-allow-origins=* --headless=new "--user-data-dir=C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --profile-directory=Default	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --remote-allow-origins=* --headless=new "--user-data-dir=C:\Users\user\AppData\Local\Google\Chrome\User Data" --profile-directory=Default	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic path win32_VideoController get name	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic cpu get name	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic os get Caption /value	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --mojo-platform-channel-handle=2220 --field-trial-handle=2200,i,14542655992206268435,5345874362756647771,262144 --disable-features=PaintHolding /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic cpu get name	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --mojo-platform-channel-handle=2160 --field-trial-handle=2052,i,8316993096475149264,6081251299301412000,262144 --disable-features=PaintHolding /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --mojo-platform-channel-handle=6580 --field-trial-handle=2052,i,8316993096475149264,6081251299301412000,262144 --disable-features=PaintHolding /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --mojo-platform-channel-handle=6960 --field-trial-handle=2052,i,8316993096475149264,6081251299301412000,262144 --disable-features=PaintHolding /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --mojo-platform-channel-handle=7076 --field-trial-handle=2052,i,8316993096475149264,6081251299301412000,262144 --disable-features=PaintHolding /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --mojo-platform-channel-handle=7076 --field-trial-handle=2052,i,8316993096475149264,6081251299301412000,262144 --disable-features=PaintHolding /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Google\Chrome\User Data" --mojo-platform-channel-handle=2116 --field-trial-handle=2024,i,13611784778153370748,11681789006057499304,262144 --disable-features=PaintHolding /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: opengl32.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: glu32.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: version.dll

Source: C:\Windows\SysWOW64\tasklist.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: urS3jQ9qb5.jar

Static file information: File size 14298253 > 1048576

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_16952096 push ss; ret	2_3_169520A4
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_16952AB7 push ss; retf 0000h	2_3_16952AC4
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_1694EEA4 push ss; ret	2_3_1694EEDC
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_1694CFA2 push ss; iretd	2_3_1694D008
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_1694CEE2 push eax; iretd	2_3_1694CF45
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_1694EF39 push ss; ret	2_3_1694EEDC
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_1694CB2E pushad ; retf	2_3_1694CB3D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_1694CE55 push eax; iretd	2_3_1694CED5
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_15F2C284 pushad ; ret	2_3_15F2C285
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_159ACB58 pushad ; retf	2_3_159ACB59
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_15F1417A push ebx; ret	2_3_15F1417B
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_18B0D105 push 00000010h; ret	2_3_18B0D10C
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_18B0D105 push 00000010h; ret	2_3_18B0D10C
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_18B0D173 push 00000010h; ret	2_3_18B0D188
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_18B0D173 push 00000010h; ret	2_3_18B0D188
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_18B0D105 push 00000010h; ret	2_3_18B0D10C
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_18B0D105 push 00000010h; ret	2_3_18B0D10C
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_18B0D173 push 00000010h; ret	2_3_18B0D188
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_18B0D173 push 00000010h; ret	2_3_18B0D188
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_17C6E10C push dword ptr [eax]; iretd	2_3_17C6E121
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_17C7CB58 pushad ; retf	2_3_17C7CB59
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_17C68063 push dword ptr [eax]; iretd	2_3_17C68079

Persistence and Installation Behavior

Exploit detected, runtime environment dropped PE file

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

File created: jna5340335501256029183.dll.2.dr

Jump to dropped file

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	File created: C:\Users\user\AppData\Local\Temp\jna-1820491375\jna5340335501256029183.dll			Jump to dropped file
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	File created: C:\Users\user\AppData\Local\Temp\sqlite-3.20.1-2b1cbfdc-5534-4adc-ad94-dd4ff06aa3aa-sqlitejdbc.dll			Jump to dropped file

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\jna-1820491375\jna5340335501256029183.dll			Jump to dropped file
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\sqlite-3.20.1-2b1cbfdc-5534-4adc-ad94-dd4ff06aa3aa-sqlitejdbc.dll			Jump to dropped file

Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	File opened: C:\Users\user\AppData\Local\Temp\jna-1820491375\	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	File opened: C:\Users\user\AppData\Local\Temp\jna-1820491375\jna5340335501256029183.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Source: java.exe, 00000002.00000003.2161647001.0000000015465000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: java.exe, 00000002.00000003.2161647001.0000000015465000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: java.exe, 00000002.00000002.2643684011.00000000168E0000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2436775896.0000000016949000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 4qemultByInt&
Source: java.exe, 00000002.00000003.2161647001.0000000015465000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: org/omg/CORBA/OMGVMCID.classPK
Source: java.exe, 00000002.00000003.2161647001.0000000015465000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: java/lang/VirtualMachineError.classPK

Source: C:\Windows\SysWOW64\wbem\WMIC.exe

Process information queried: ProcessInformation

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

Memory protected: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Section loaded: NULL target: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe protection: readonly

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe "C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\urS3jQ9qb5.jar"	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9222 --remote-allow-origins=* --headless=new "--user-data-dir=C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --profile-directory=Default	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --remote-allow-origins=* --headless=new "--user-data-dir=C:\Users\user\AppData\Local\Google\Chrome\User Data" --profile-directory=Default	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic path win32_VideoController get name	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic cpu get name	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic os get Caption /value	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe	Jump to behavior

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\7076 VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\resources.jar VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jsse.jar VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jfr.jar VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\jartracer.jar VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\edgecookies.txt VolumeInformation	Jump to behavior

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Can Stealer

Source: Yara match	File source: 00000002.00000003.2435946154.00000000169E5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2638926084.000000000AC06000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2643684011.00000000169AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2435636231.0000000016987000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: java.exe PID: 7076, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Source: Yara match

File source: Process Memory Space: java.exe PID: 7076, type: MEMORYSTR

Remote Access Functionality

Attempt to bypass Chrome Application-Bound Encryption

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9222 --remote-allow-origins=* --headless=new "--user-data-dir=C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --profile-directory=Default

Yara detected Can Stealer

Source: Yara match	File source: 00000002.00000003.2435946154.00000000169E5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2638926084.000000000AC06000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2643684011.00000000169AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2435636231.0000000016987000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: java.exe PID: 7076, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 Services File Permissions Weakness	111 Process Injection	1 Masquerading	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Services File Permissions Weakness	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Exploitation for Client Execution	Logon Script (Windows)	1 DLL Side-Loading	11 Disable or Modify Tools	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Remote Access Software	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	13 System Information Discovery	SSH	Keylogging	3 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Services File Permissions Weakness	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	4 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
urS3jQ9qb5.jar	3%	Virustotal		Browse
urS3jQ9qb5.jar	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\jna-1820491375\jna5340335501256029183.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\sqlite-3.20.1-2b1cbfdc-5534-4adc-ad94-dd4ff06aa3aa-sqlitejdbc.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
https://repository.luxtrust.lu3	0%	Avira URL Cloud	safe
http://www.chambersign.org	0%	Avira URL Cloud	safe
http://crl.chambersign.org/chambersroot.crl	0%	Avira URL Cloud	safe
https://paste-pgpj.onrender.com/?p=ava/l	0%	Avira URL Cloud	safe
https://canstealer.com/kaancevik63	100%	Avira URL Cloud	malware
http://cps.chambersign.org/cps/chambersroot.html	0%	Avira URL Cloud	safe
https://repository.luxtrust.lu	0%	Avira URL Cloud	safe
https://canstealer.com/	100%	Avira URL Cloud	malware
https://paste-pgpj.onrender.com/?p=	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
chrome.cloudflare-dns.com	162.159.61.3	true	false	high
canstealer.com	104.21.76.84	true	false	high
plus.l.google.com	142.250.181.46	true	false	high
play.google.com	142.250.181.110	true	false	high
raw.githubusercontent.com	185.199.110.133	true	false	high
ssl.bingadsedgeextension-prod-europe.azurewebsites.net	94.245.104.56	true	false	high
www.google.com	142.250.181.132	true	false	high
api.telegram.org	149.154.167.220	true	false	high
googlehosted.l.googleusercontent.com	142.250.181.65	true	false	high
api.gofile.io	45.112.123.126	true	false	high
clients2.googleusercontent.com	unknown	unknown	false	high
bzib.nelreports.net	unknown	unknown	false	high
ntp.msn.com	unknown	unknown	false	high
apis.google.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.ZpMpph_5a4M.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo_c5__TAiALeuHoQOKG0BnSpdbJrQ/cb=gapi.loaded_0	false	high
https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0	false	high
https://www.google.com/async/newtab_promos	false	high
https://play.google.com/log?format=json&hasfast=true	false	high
https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.slf4j.org/codes.html#version_mismatch	java.exe, 00000002.00000002.2642541893.0000000015CD0000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2273557661.00000000159D8000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2642124750.000000001599E000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2273763754.00000000159E8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.chambersign.org/chambersroot.crl0	java.exe, 00000002.00000002.2638926084.000000000A9B0000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000AFA5000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000A7C0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org	java.exe, 00000002.00000002.2617226534.000000000535E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.discordapp.com/embed/avatars/0.pngw	java.exe, 00000002.00000003.2435946154.00000000169E5000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2435636231.0000000016987000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2643684011.00000000169AC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	java.exe, 00000002.00000002.2638926084.000000000AC06000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000003.2383624447.00000000159A8000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2642124750.000000001599E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://repository.luxtrust.lu3	java.exe, 00000002.00000003.2393293665.000000000B000000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.slf4j.org/codes.html#multiple_bindings	java.exe, 00000002.00000003.2273763754.00000000159E8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://repository.luxtrust.lu0	java.exe, 00000002.00000002.2638926084.000000000A9B0000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000AFA5000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000AFE7000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000A7C0000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000003.2393293665.000000000B000000.00000004.00000800.00020000.00000000.sdmp	false		high
http://cps.chambersign.org/cps/chambersroot.html0	java.exe, 00000002.00000002.2638926084.000000000A9B0000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000AFA5000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000A7C0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.discordapp.com/avatars/.ldb	java.exe, 00000002.00000003.2435636231.0000000016987000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2643684011.00000000169AC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.slf4j.org/codes.html#unsuccessfulInit	java.exe, 00000002.00000002.2642541893.0000000015CD0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.chambersign.org1	java.exe, 00000002.00000002.2638926084.000000000A9B0000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000AFA5000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000A7C0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/0	java.exe, 00000002.00000002.2638926084.000000000A9B0000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000AFA5000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000A7C0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/TooTallNate/Java-WebSocket/wiki/Lost-connection-detection	java.exe, 00000002.00000003.2383624447.00000000159A8000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2273557661.00000000159D8000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2642124750.000000001599E000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2273763754.00000000159E8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://policy.camerfirma.com	java.exe, 00000002.00000002.2638926084.000000000A9B0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/botss	java.exe, 00000002.00000003.2435946154.00000000169E5000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2435636231.0000000016987000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2643684011.00000000169AC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.slf4j.org/codes.htmlU	java.exe, 00000002.00000003.2383624447.00000000159A8000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2273557661.00000000159D8000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2642124750.000000001599E000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2273763754.00000000159E8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ocsp.quovadisoffshore.com	java.exe, 00000002.00000002.2638926084.000000000A9B0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/STCA.crl0	java.exe, 00000002.00000002.2638926084.000000000A9B0000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000AFA5000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000A7C0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://raw.githubusercontent.com/sonriseclient/kaancevik6-startup-6107/main/Java.jar	java.exe, 00000002.00000002.2617226534.0000000005199000.00000004.00000800.00020000.00000000.sdmp	false		high
https://repository.luxtrust.lu	java.exe, 00000002.00000002.2638926084.000000000A9B0000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000003.2393293665.000000000B000000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.quovadisglobal.com/cps0	java.exe, 00000002.00000002.2638926084.000000000A9B0000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000AFA5000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000A7C0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://null.oracle.com/B	java.exe, 00000002.00000002.2642541893.000000001607F000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2435417835.000000001607F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.slf4j.org/codes.html#unsuccessfulInitG	java.exe, 00000002.00000002.2642541893.0000000015CD0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.gofile.io/serversKu	java.exe, 00000002.00000002.2638926084.000000000AC06000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ocsp.quovadisoffshore.com0	java.exe, 00000002.00000002.2638926084.000000000A9B0000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000AFA5000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000A7C0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.slf4j.org/codes.html#unsuccessfulInit;	java.exe, 00000002.00000003.2274039052.0000000015DB5000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2642541893.0000000015CD0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/	java.exe, 00000002.00000002.2638926084.000000000A9B0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.chambersign.org	java.exe, 00000002.00000002.2638926084.000000000AB1C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot7771186573:AAHGj8VtumJ9kjTUYRUQm886fmn2UiPGXSk/sendMessage	java.exe, 00000002.00000002.2617226534.000000000535E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://policy.camerfirma.com0	java.exe, 00000002.00000002.2638926084.000000000A9B0000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000AFA5000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000A7C0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.xrampsecurity.com/XGCA.crl	java.exe, 00000002.00000002.2638926084.000000000A9B0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/TooTallNate/Java-WebSocket/wiki/Lost-connection-detection/lang/	java.exe, 00000002.00000002.2641835595.00000000156E1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://paste-pgpj.onrender.com/?p=ava/l	java.exe, 00000002.00000003.2437014648.0000000015F3F000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2642541893.0000000015EDB000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2435417835.0000000015F1A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://paste-pgpj.onrender.com/?p=	java.exe, 00000002.00000003.2383624447.00000000159A8000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2642124750.000000001599E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.gofile.io/servers	java.exe, 00000002.00000002.2638926084.000000000AC06000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000A7C0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://bugreport.sun.com/bugreport/	java.exe, 00000002.00000002.2638926084.000000000A5F7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.slf4j.org/codes.html#replay	java.exe, 00000002.00000002.2642541893.0000000015CD0000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2642124750.000000001599E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://null.oracle.com/	java.exe, 00000002.00000002.2642541893.000000001607F000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2435417835.000000001607F000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000A7C0000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2644197266.0000000016DC8000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2434809680.0000000016D81000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.slf4j.org/codes.html#substituteLogger	java.exe, 00000002.00000002.2642541893.0000000015CD0000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2273557661.00000000159D8000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2642124750.000000001599E000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2273763754.00000000159E8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.slf4j.org/codes.html#loggerNameMismatch	java.exe, 00000002.00000002.2642541893.0000000015CD0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.quovadisglobal.com/cps	java.exe, 00000002.00000002.2638926084.000000000A9B0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://cps.chambersign.org/cps/chambersroot.html	java.exe, 00000002.00000002.2638926084.000000000A9B0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.slf4j.org/codes.html#noProviders	java.exe, 00000002.00000002.2642541893.0000000015CD0000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000A5F3000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000A610000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.slf4j.org/codes.html#ignoredBindings	java.exe, 00000002.00000002.2642541893.0000000015CD0000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2642124750.000000001599E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/STCA.crl	java.exe, 00000002.00000002.2638926084.000000000A9B0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://canstealer.com/	java.exe, 00000002.00000002.2617226534.000000000500F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://raw.githubusercontent.com	java.exe, 00000002.00000002.2617226534.0000000005199000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.xrampsecurity.com/XGCA.crl0	java.exe, 00000002.00000002.2638926084.000000000A9B0000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000AFA5000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000A7C0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.slf4j.org/codes.html#noProvidersionL	java.exe, 00000002.00000003.2383624447.00000000159A8000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2642124750.000000001599E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.discordapp.com/embed/avatars/0.png	java.exe, 00000002.00000003.2383624447.00000000159A8000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2435946154.00000000169E5000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2642124750.000000001599E000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2435636231.0000000016987000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2643684011.00000000169AC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.quovadis.bm	java.exe, 00000002.00000002.2638926084.000000000A9B0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.quovadis.bm0	java.exe, 00000002.00000002.2638926084.000000000A9B0000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000AFA5000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2638926084.000000000A7C0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.gofile.io/serversC3	java.exe, 00000002.00000002.2638926084.000000000AC06000.00000004.00000800.00020000.00000000.sdmp	false		high
https://canstealer.com/kaancevik63	java.exe, 00000002.00000002.2617226534.000000000546E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.slf4j.org/codes.html#substituteLogger/M	java.exe, 00000002.00000003.2383624447.00000000159A8000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2273557661.00000000159D8000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2642124750.000000001599E000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2273763754.00000000159E8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.discordapp.com/avatars/	java.exe, 00000002.00000003.2383624447.00000000159A8000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2642124750.000000001599E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.slf4j.org/codes.html	java.exe, 00000002.00000003.2274039052.0000000015DB5000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2642541893.0000000015CD0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.chambersign.org/chambersroot.crl	java.exe, 00000002.00000002.2638926084.000000000A9B0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.181.132	www.google.com	United States	15169	GOOGLEUS	false
142.250.181.110	play.google.com	United States	15169	GOOGLEUS	false
162.159.61.3	chrome.cloudflare-dns.com	United States	13335	CLOUDFLARENETUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
104.21.76.84	canstealer.com	United States	13335	CLOUDFLARENETUS	false
142.250.181.46	plus.l.google.com	United States	15169	GOOGLEUS	false
142.250.181.65	googlehosted.l.googleusercontent.com	United States	15169	GOOGLEUS	false
185.199.110.133	raw.githubusercontent.com	Netherlands	54113	FASTLYUS	false
172.64.41.3	unknown	United States	13335	CLOUDFLARENETUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
45.112.123.126	api.gofile.io	Singapore	16509	AMAZON-02US	false

Private

IP
192.168.2.16
192.168.2.6
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1577278
Start date and time:	2024-12-18 10:57:17 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsfilecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	69
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled GSI enabled (Java) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	urS3jQ9qb5.jar renamed because original name is a hash value
Original Sample Name:	0781770e55d04cd363e0da0b168cb8550db96faf6790fd7a17b216d80b0bff43.jar
Detection:	MAL
Classification:	mal96.troj.spyw.expl.evad.winJAR@167/111@25/14
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 5
Cookbook Comments:	Found application associated with file extension: .jar

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.42.16, 204.79.197.203, 13.107.21.239, 204.79.197.239, 172.217.19.206, 13.107.6.158, 172.165.69.228, 23.32.239.18, 23.32.239.56, 2.16.158.176, 2.16.158.169, 2.16.158.187, 2.16.158.96, 2.16.158.83, 2.16.158.170, 2.16.158.186, 2.16.158.91, 2.16.158.179, 142.250.181.99, 64.233.164.84, 172.217.17.46, 192.229.221.95, 142.250.181.74, 142.250.181.10, 172.217.17.74, 172.217.19.234, 142.250.181.106, 142.250.181.138, 172.217.17.42, 172.217.19.10, 172.217.19.202, 142.250.181.42, 199.232.214.172, 172.217.17.67, 172.217.19.170, 172.217.21.42, 216.58.208.234, 172.217.17.35, 94.245.104.56, 13.107.246.63, 23.218.208.109, 4.175.87.197
Excluded domains from analysis (whitelisted): nav-edge.smartscreen.microsoft.com, config.edge.skype.com.trafficmanager.net, slscr.update.microsoft.com, a416.dscd.akamai.net, data-edge.smartscreen.microsoft.com, clientservices.googleapis.com, prod-agic-us-2.uksouth.cloudapp.azure.com, clients2.google.com, e86303.dscx.akamaiedge.net, ocsp.digicert.com, www.bing.com.edgekey.net, redirector.gvt1.com, config-edge-skype.l-0007.l-msedge.net, update.googleapis.com, www.gstatic.com, l-0007.l-msedge.net, config.edge.skype.com, optimizationguide-pa.googleapis.com, www.bing.com, clients1.google.com, edge-microsoft-com.dual-a-0036.a-msedge.net, client.wns.windows.com, fs.microsoft.com, bingadsedgeextension-prod.trafficmanager.net, bzib.nelreports.net.akamaized.net, accounts.google.com, otelrules.azureedge.net, api.edgeoffer.microsoft.com, a-0003.a-msedge.net, ctldl.windowsupdate.com, ogads-pa.googleapis.com, www-msn-com.a-0003.a-msedge.net, b-0005.b-msedge.net, prod-atm-wds-edge.trafficmanager.net, www-www.bing.com.traffi
Execution Graph export aborted for target java.exe, PID 7076 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Reached maximum number of file to list during submission archive extraction
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteFile calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
04:58:43	API Interceptor	3x Sleep call for process: WMIC.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
162.159.61.3	EXTERNALRe.msg	Get hash	malicious	Unknown	Browse
	YF3YnL4ksc.exe	Get hash	malicious	Unknown	Browse
	https://garfieldthecat.tech/Receipt.html	Get hash	malicious	WinSearchAbuse	Browse
	CapCut_12.0.4_Installer.exe	Get hash	malicious	LummaC Stealer	Browse
	122046760.bat	Get hash	malicious	RHADAMANTHYS	Browse
	pkqLAMAv96.lnk	Get hash	malicious	RHADAMANTHYS	Browse
	IIC0XbKFjS.lnk	Get hash	malicious	RHADAMANTHYS	Browse
	873406390.bat	Get hash	malicious	RHADAMANTHYS	Browse
	0J3fAc6cHO.lnk	Get hash	malicious	RHADAMANTHYS	Browse
	KjECqzXLWp.lnk	Get hash	malicious	RHADAMANTHYS	Browse
149.154.167.220	RFQ December-January Forcast and TCL.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	FileScanner.exe	Get hash	malicious	Unknown	Browse
	PK241200518-EMAIL RELEASE-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	stealer.jar	Get hash	malicious	Can Stealer	Browse
	stealer.jar	Get hash	malicious	Can Stealer	Browse
	zyEDYRU0jw.exe	Get hash	malicious	Arcane	Browse
	zyEDYRU0jw.exe	Get hash	malicious	Arcane	Browse
	ugpJX5h56S.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
	87h216Snb7.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	dP5z8RpEyQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
104.21.76.84	t1gY0BGmOZ.jar	Get hash	malicious	Can Stealer	Browse
104.21.76.84	t1gY0BGmOZ.jar	Get hash	malicious	Can Stealer	Browse
185.199.110.133	sys_upd.ps1	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	cr_asm_menu..ps1	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	cr_asm_phshop..ps1	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	cr_asm_atCAD.ps1	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	vF20HtY4a4.exe	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	xK44OOt7vD.exe	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	Lm9IJ4r9oO.exe	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	cr_asm_crypter.ps1	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	SecuriteInfo.com.Trojan.GenericKD.74126573.27896.28845.dll	Get hash	malicious	Metasploit	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_mnr.txt

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
chrome.cloudflare-dns.com	EXTERNALRe.msg	Get hash	malicious	Unknown	Browse	162.159.61.3
	YF3YnL4ksc.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	CapCut_12.0.4_Installer.exe	Get hash	malicious	LummaC Stealer	Browse	172.64.41.3
	CapCut_12.0.4_Installer.exe	Get hash	malicious	LummaC Stealer	Browse	162.159.61.3
	122046760.bat	Get hash	malicious	RHADAMANTHYS	Browse	162.159.61.3
	pkqLAMAv96.lnk	Get hash	malicious	RHADAMANTHYS	Browse	162.159.61.3
	IIC0XbKFjS.lnk	Get hash	malicious	RHADAMANTHYS	Browse	162.159.61.3
	873406390.bat	Get hash	malicious	RHADAMANTHYS	Browse	172.64.41.3
	0J3fAc6cHO.lnk	Get hash	malicious	RHADAMANTHYS	Browse	162.159.61.3
	#U041e#U043f#U043b#U0430#U0442#U0430.xls	Get hash	malicious	Unknown	Browse	172.64.41.3
canstealer.com	stealer.jar	Get hash	malicious	Can Stealer	Browse	172.67.191.110
	stealer.jar	Get hash	malicious	Can Stealer	Browse	172.67.191.110
	t1gY0BGmOZ.jar	Get hash	malicious	Can Stealer	Browse	104.21.76.84
	t1gY0BGmOZ.jar	Get hash	malicious	Can Stealer	Browse	104.21.76.84
raw.githubusercontent.com	x0EMKX5G1g.exe	Get hash	malicious	PureCrypter, PureLog Stealer	Browse	185.199.108.133
	x0EMKX5G1g.exe	Get hash	malicious	PureCrypter, PureLog Stealer	Browse	185.199.110.133
	rbqHSouklL.exe	Get hash	malicious	Unknown	Browse	185.199.109.133
	stealer.jar	Get hash	malicious	Can Stealer	Browse	185.199.111.133
	stealer.jar	Get hash	malicious	Can Stealer	Browse	185.199.109.133
	mjjt5kTb4o.lnk	Get hash	malicious	Unknown	Browse	185.199.108.133
	3gJQoqWpxb.bat	Get hash	malicious	Unknown	Browse	185.199.108.133
	uZgbejeJkT.bat	Get hash	malicious	Unknown	Browse	185.199.108.133
	ni2OwV1y9u.bat	Get hash	malicious	Unknown	Browse	185.199.108.133
	3gJQoqWpxb.bat	Get hash	malicious	Unknown	Browse	185.199.109.133
ssl.bingadsedgeextension-prod-europe.azurewebsites.net	EXTERNALRe.msg	Get hash	malicious	Unknown	Browse	94.245.104.56
	stealer.jar	Get hash	malicious	Can Stealer	Browse	94.245.104.56
	stealer.jar	Get hash	malicious	Can Stealer	Browse	94.245.104.56
	pkqLAMAv96.lnk	Get hash	malicious	RHADAMANTHYS	Browse	94.245.104.56
	IIC0XbKFjS.lnk	Get hash	malicious	RHADAMANTHYS	Browse	94.245.104.56
	873406390.bat	Get hash	malicious	RHADAMANTHYS	Browse	94.245.104.56
	0J3fAc6cHO.lnk	Get hash	malicious	RHADAMANTHYS	Browse	94.245.104.56
	69633f.msi	Get hash	malicious	Vidar	Browse	94.245.104.56
	cey4VIyGKh.lnk	Get hash	malicious	RHADAMANTHYS	Browse	94.245.104.56
	dZKPE9gotO.exe	Get hash	malicious	Vidar	Browse	94.245.104.56

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	RFQ December-January Forcast and TCL.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	FileScanner.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	PK241200518-EMAIL RELEASE-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	stealer.jar	Get hash	malicious	Can Stealer	Browse	149.154.167.220
	stealer.jar	Get hash	malicious	Can Stealer	Browse	149.154.167.220
	zyEDYRU0jw.exe	Get hash	malicious	Arcane	Browse	149.154.167.220
	zyEDYRU0jw.exe	Get hash	malicious	Arcane	Browse	149.154.167.220
	Setup.msi	Get hash	malicious	Vidar	Browse	149.154.167.99
	ugpJX5h56S.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	87h216Snb7.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
CLOUDFLARENETUS	https://2024sharepointonline.z28.web.core.windows.net/	Get hash	malicious	Unknown	Browse	104.16.20.118
	https://cc.naver.com/cc?a=pst.link&m=1&nsc=Mblog.post&u=https://prestamosgarantizados.com/wvr/#svk8Lh6vLh6njx3lLh6vg4Pnq07qug4Plvk8Lh6rjx3z9BR15WPy	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	EXTERNALRe.msg	Get hash	malicious	Unknown	Browse	172.64.41.3
	http://efaktura.dhlecommerce.pl	Get hash	malicious	Unknown	Browse	104.18.86.42
	ardware-v1.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	YF3YnL4ksc.exe	Get hash	malicious	Unknown	Browse	104.16.123.96
	RFQ December-January Forcast and TCL.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	172.67.177.134
	ardware-v1.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	sldkjgsdGarDe3.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	172.65.251.78
	jhsdfggga13.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	172.65.251.78
CLOUDFLARENETUS	https://2024sharepointonline.z28.web.core.windows.net/	Get hash	malicious	Unknown	Browse	104.16.20.118
	https://cc.naver.com/cc?a=pst.link&m=1&nsc=Mblog.post&u=https://prestamosgarantizados.com/wvr/#svk8Lh6vLh6njx3lLh6vg4Pnq07qug4Plvk8Lh6rjx3z9BR15WPy	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	EXTERNALRe.msg	Get hash	malicious	Unknown	Browse	172.64.41.3
	http://efaktura.dhlecommerce.pl	Get hash	malicious	Unknown	Browse	104.18.86.42
	ardware-v1.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	YF3YnL4ksc.exe	Get hash	malicious	Unknown	Browse	104.16.123.96
	RFQ December-January Forcast and TCL.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	172.67.177.134
	ardware-v1.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	sldkjgsdGarDe3.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	172.65.251.78
	jhsdfggga13.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	172.65.251.78

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	RFQ December-January Forcast and TCL.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	20.198.119.143
	x0EMKX5G1g.exe	Get hash	malicious	PureCrypter, PureLog Stealer	Browse	20.198.119.143
	sldkjgsdGarDe3.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	20.198.119.143
	jhsdfggga13.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	20.198.119.143
	Garsdgwqa13de.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	20.198.119.143
	x0EMKX5G1g.exe	Get hash	malicious	PureCrypter, PureLog Stealer	Browse	20.198.119.143
	twjMb9cX64.exe	Get hash	malicious	Sliver	Browse	20.198.119.143
	WOlxr4yjgF.exe	Get hash	malicious	Sliver	Browse	20.198.119.143
	credit.js	Get hash	malicious	PureLog Stealer, RHADAMANTHYS	Browse	20.198.119.143
	PK241200518-EMAIL RELEASE-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	20.198.119.143

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\jna-1820491375\jna5340335501256029183.dll	stealer.jar	Get hash	malicious	Can Stealer	Browse
	stealer.jar	Get hash	malicious	Can Stealer	Browse
	t1gY0BGmOZ.jar	Get hash	malicious	Can Stealer	Browse
	t1gY0BGmOZ.jar	Get hash	malicious	Can Stealer	Browse
	bZPAo2e2Pv.jar	Get hash	malicious	Can Stealer	Browse
	bZPAo2e2Pv.jar	Get hash	malicious	Can Stealer	Browse
	soinjector.exe	Get hash	malicious	Unknown	Browse
	https://www.eclipse.org/downloads/download.php?file=/oomph/epp/2024-03/R/eclipse-inst-jre-win64.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\sqlite-3.20.1-2b1cbfdc-5534-4adc-ad94-dd4ff06aa3aa-sqlitejdbc.dll	stealer.jar	Get hash	malicious	Can Stealer	Browse
	stealer.jar	Get hash	malicious	Can Stealer	Browse
	t1gY0BGmOZ.jar	Get hash	malicious	Can Stealer	Browse
	t1gY0BGmOZ.jar	Get hash	malicious	Can Stealer	Browse
	bZPAo2e2Pv.jar	Get hash	malicious	Can Stealer	Browse
	bZPAo2e2Pv.jar	Get hash	malicious	Can Stealer	Browse
	soinjector.exe	Get hash	malicious	Unknown	Browse

Process:	C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	52
Entropy (8bit):	4.873140679513134
Encrypted:	false
SSDEEP:	3:oFj4I5vpm4USAJ:oJ5bG
MD5:	1713B874A9C391103FA64F92DA39F4D7
SHA1:	6A71209E9211C5321DB879BBAA70E6C79746A0D7
SHA-256:	D65EF6AEB70875CD5DE6182E9E5CED91141BE49F291ED6731BCC78A8310EE1C8
SHA-512:	09122CE09A644786794220D53C5F0A75BB3AB0E11558B71CC2BA240E7F2705379B3591D1218FCE17D431937382DB8F5242404BCD45DC18B6AFCE493984DEE94D
Malicious:	false
Preview:	C:\Program Files (x86)\Java\jre-1.8..1734515894986..

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44922
Entropy (8bit):	6.094587040760675
Encrypted:	false
SSDEEP:	768:+DXzgWPsj/qlGJqIY8GB4kWJsi1zNt7crNknY1+p/AQKJDSgzMMd6qD47u3+CioC:+/Ps+wsI7yniE0KtSmd6qE7lFoC
MD5:	7F31E7748F8BCFE03D4971969CDD0CDC
SHA1:	D7873EA7F5F66FD1EFCD55D65524CDD8E13EB248
SHA-256:	BFF046549666904F47D84083753FFB19C41BBC270B8A1F0125A9547CAEF0F20C
SHA-512:	DB18CA3575F09B256F8761BE14F29A3C9A863B350664E5ECFDC278B88D7394FAC5601BF825C3F83C3D5676AC4494EC11AA7C68AEA11F22680E1A77C5EEDD7B03
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","apps_count_check_time":"13340961226065099","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJO

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	189
Entropy (8bit):	4.972115967203688
Encrypted:	false
SSDEEP:	3:6JfRpDqAA/BLztvJfb8zsJOyExxNVEBAX2UApREq9vOdJfMPYrSLPOGLKIJfO+JK:4RpGAAJLLb8oxi2BAmU8E6mP6YGLPp+V
MD5:	15B6EAB37613683FC11BD46042B67007
SHA1:	F65B901C4FCB694B038DD94FCAD02A12CA62438F
SHA-256:	21A52D1E1611076F6869F99D04EE1D7193B3CF49560FC25DCF6A0427AAD15089
SHA-512:	6FB40D8C5D56E2ABAD9F7F5003F90A3972CA4A2BECC2D7B14506A337104843397DEDC3A224A27ED3E3080BC84D726E6471C3934AB6538AE4B8EAAFE92AC5C704
Malicious:	false
Preview:	SLF4J(W): No SLF4J providers were found...SLF4J(W): Defaulting to no-operation (NOP) logger implementation..SLF4J(W): See https://www.slf4j.org/codes.html#noProviders for further details...

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	165
Entropy (8bit):	4.823327254536806
Encrypted:	false
SSDEEP:	3:Vwp+EHwwBHsLpYJWriFGHTex24b7prwGWjLwWkzXFETH1u4:VwQEH5BHsL2YriFGHTLmrwGAwWeXFELN
MD5:	BA67E2CA7F04CDB1A04EB058E8FEF633
SHA1:	B690888284EE319D87E0A55AA914D3005CA8AA0F
SHA-256:	8BDFE3D214CD16C6884C386574D5D76FF9D6E23A7B7EE19949B4962FC67A732D
SHA-512:	A4F9F9317B6E13615D7D2D82881229F59AEE5EF2E4E21AA84A68503FB9CB3AA591FB361CA251D577867CE6FE63C8AB4C0F9BCB4A18837AEEF0631433BB701AAB
Malicious:	false
URL:	https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw
Preview:	)]}'.["",[],[],[],{"google:clientdata":{"bpc":false,"tlw":false},"google:suggesteventid":5770973220762489726,"google:suggesttype":[],"google:verbatimrelevance":851}]

File type:	Java archive data (JAR)
Entropy (8bit):	7.9754184157537145
TrID:	Java Archive (13504/1) 62.80% ZIP compressed archive (8000/1) 37.20%
File name:	urS3jQ9qb5.jar
File size:	14'298'253 bytes
MD5:	c61d3cf6584e6b4c19c092f55cd3c37c
SHA1:	80f4680dcbaedb8b981e27b552c458cb8baa3d13
SHA256:	0781770e55d04cd363e0da0b168cb8550db96faf6790fd7a17b216d80b0bff43
SHA512:	1d93eb4e3cfba52b67223263b8f531e057589e8627913b66c5e634f6137b1d453fd856ef6c9ed799a06a245b37eb982b7f0393b314519374d0fc3548a96aaa16
SSDEEP:	393216:CiFNtcj2Rqf0knwZbkytGTI4PE/GoJTEqUkIT6YvYTYxgs9:Ci+jkqf060o6KI4iJEqIvYTEj
TLSH:	60E61219BD8AC9AAFA9760B362C2C552E0361AEAC903D06F06E059C5DDF1E450353FFD
File Content Preview:	PK.........LrY............2...org/apache/commons/codec/language/bm/Rule$1.class/.....TmO.`.=W...l....S...(( :@e.N.1bP?..@M.6.F4..d........G......!..nI..g=......_...L.H.....:...+.]*.V....).jmT..]Y+)...>0.....,.....h.........uA.....`.j.0..M.,.......T\....7.

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 18, 2024 10:58:19.299351931 CET	63684	53	192.168.2.6	1.1.1.1
Dec 18, 2024 10:58:19.299747944 CET	50712	53	192.168.2.6	1.1.1.1
Dec 18, 2024 10:58:19.437125921 CET	53	50712	1.1.1.1	192.168.2.6
Dec 18, 2024 10:58:22.795954943 CET	49457	53	192.168.2.6	1.1.1.1
Dec 18, 2024 10:58:22.796092987 CET	56235	53	192.168.2.6	1.1.1.1
Dec 18, 2024 10:58:23.338689089 CET	54972	53	192.168.2.6	1.1.1.1
Dec 18, 2024 10:58:23.338962078 CET	53431	53	192.168.2.6	1.1.1.1
Dec 18, 2024 10:58:23.476473093 CET	53	54972	1.1.1.1	192.168.2.6
Dec 18, 2024 10:58:23.477560997 CET	53	53431	1.1.1.1	192.168.2.6
Dec 18, 2024 10:58:24.106419086 CET	54357	53	192.168.2.6	1.1.1.1
Dec 18, 2024 10:58:24.107206106 CET	65181	53	192.168.2.6	1.1.1.1
Dec 18, 2024 10:58:24.107992887 CET	63356	53	192.168.2.6	1.1.1.1
Dec 18, 2024 10:58:24.108617067 CET	57542	53	192.168.2.6	1.1.1.1
Dec 18, 2024 10:58:24.243637085 CET	53	54357	1.1.1.1	192.168.2.6
Dec 18, 2024 10:58:24.244044065 CET	53	65181	1.1.1.1	192.168.2.6
Dec 18, 2024 10:58:24.244731903 CET	53	63356	1.1.1.1	192.168.2.6
Dec 18, 2024 10:58:24.245476007 CET	53	57542	1.1.1.1	192.168.2.6
Dec 18, 2024 10:58:24.262237072 CET	64818	53	192.168.2.6	1.1.1.1
Dec 18, 2024 10:58:24.262381077 CET	65183	53	192.168.2.6	1.1.1.1
Dec 18, 2024 10:58:24.399192095 CET	53	65183	1.1.1.1	192.168.2.6
Dec 18, 2024 10:58:24.400579929 CET	53	64818	1.1.1.1	192.168.2.6
Dec 18, 2024 10:58:28.969794989 CET	53	53062	1.1.1.1	192.168.2.6
Dec 18, 2024 10:58:28.989778996 CET	53	54529	1.1.1.1	192.168.2.6
Dec 18, 2024 10:58:30.811690092 CET	59829	53	192.168.2.6	1.1.1.1
Dec 18, 2024 10:58:30.811897039 CET	60096	53	192.168.2.6	1.1.1.1
Dec 18, 2024 10:58:30.949418068 CET	53	59829	1.1.1.1	192.168.2.6
Dec 18, 2024 10:58:30.949769020 CET	53	60096	1.1.1.1	192.168.2.6
Dec 18, 2024 10:58:31.715699911 CET	53	59217	1.1.1.1	192.168.2.6
Dec 18, 2024 10:58:34.293174028 CET	53	64492	1.1.1.1	192.168.2.6
Dec 18, 2024 10:58:34.850258112 CET	53	54138	1.1.1.1	192.168.2.6
Dec 18, 2024 10:58:38.027880907 CET	57675	53	192.168.2.6	1.1.1.1
Dec 18, 2024 10:58:38.028126001 CET	55974	53	192.168.2.6	1.1.1.1
Dec 18, 2024 10:58:38.160891056 CET	53	62254	1.1.1.1	192.168.2.6
Dec 18, 2024 10:58:38.164550066 CET	53	57675	1.1.1.1	192.168.2.6
Dec 18, 2024 10:58:38.167341948 CET	53	55974	1.1.1.1	192.168.2.6
Dec 18, 2024 10:58:38.185787916 CET	62246	53	192.168.2.6	1.1.1.1
Dec 18, 2024 10:58:38.323529959 CET	53	62246	1.1.1.1	192.168.2.6
Dec 18, 2024 10:58:39.074836969 CET	59335	53	192.168.2.6	1.1.1.1
Dec 18, 2024 10:58:39.074904919 CET	53304	53	192.168.2.6	1.1.1.1
Dec 18, 2024 10:58:39.211596012 CET	53	53304	1.1.1.1	192.168.2.6
Dec 18, 2024 10:58:39.211615086 CET	53	59335	1.1.1.1	192.168.2.6
Dec 18, 2024 10:58:40.646002054 CET	63932	53	192.168.2.6	1.1.1.1
Dec 18, 2024 10:58:40.789275885 CET	53	63932	1.1.1.1	192.168.2.6
Dec 18, 2024 10:58:49.254120111 CET	53	64779	1.1.1.1	192.168.2.6
Dec 18, 2024 10:58:50.178143978 CET	50967	53	192.168.2.6	1.1.1.1
Dec 18, 2024 10:58:50.501744986 CET	53	50967	1.1.1.1	192.168.2.6
Dec 18, 2024 10:58:58.752881050 CET	52796	53	192.168.2.6	1.1.1.1
Dec 18, 2024 10:58:58.890145063 CET	53	52796	1.1.1.1	192.168.2.6
Dec 18, 2024 10:59:08.179141045 CET	53	50503	1.1.1.1	192.168.2.6
Dec 18, 2024 10:59:23.114265919 CET	64291	53	192.168.2.6	1.1.1.1
Dec 18, 2024 10:59:23.251338005 CET	53	64291	1.1.1.1	192.168.2.6
Dec 18, 2024 10:59:28.918757915 CET	53	50031	1.1.1.1	192.168.2.6
Dec 18, 2024 10:59:30.501323938 CET	53	63866	1.1.1.1	192.168.2.6
Dec 18, 2024 10:59:43.698380947 CET	56178	53	192.168.2.6	1.1.1.1
Dec 18, 2024 10:59:43.835145950 CET	53	56178	1.1.1.1	192.168.2.6
Dec 18, 2024 11:00:01.166452885 CET	53	63946	1.1.1.1	192.168.2.6
Dec 18, 2024 11:00:16.207973003 CET	62901	53	192.168.2.6	1.1.1.1
Dec 18, 2024 11:00:16.344881058 CET	53	62901	1.1.1.1	192.168.2.6

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 18, 2024 10:58:19.436620951 CET	1.1.1.1	192.168.2.6	0x2912	No error (0)	ntp.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 18, 2024 10:58:19.437125921 CET	1.1.1.1	192.168.2.6	0xea49	No error (0)	ntp.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 18, 2024 10:58:19.940888882 CET	1.1.1.1	192.168.2.6	0x87	No error (0)	bingadsedgeextension-prod-europe.azurewebsites.net	ssl.bingadsedgeextension-prod-europe.azurewebsites.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 18, 2024 10:58:19.940888882 CET	1.1.1.1	192.168.2.6	0x87	No error (0)	ssl.bingadsedgeextension-prod-europe.azurewebsites.net		94.245.104.56	A (IP address)	IN (0x0001)	false
Dec 18, 2024 10:58:19.946399927 CET	1.1.1.1	192.168.2.6	0xeea	No error (0)	bingadsedgeextension-prod-europe.azurewebsites.net	ssl.bingadsedgeextension-prod-europe.azurewebsites.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 18, 2024 10:58:20.768212080 CET	1.1.1.1	192.168.2.6	0x1c6c	No error (0)	bingadsedgeextension-prod-europe.azurewebsites.net	ssl.bingadsedgeextension-prod-europe.azurewebsites.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 18, 2024 10:58:20.769478083 CET	1.1.1.1	192.168.2.6	0xe80f	No error (0)	bingadsedgeextension-prod-europe.azurewebsites.net	ssl.bingadsedgeextension-prod-europe.azurewebsites.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 18, 2024 10:58:20.769478083 CET	1.1.1.1	192.168.2.6	0xe80f	No error (0)	ssl.bingadsedgeextension-prod-europe.azurewebsites.net		94.245.104.56	A (IP address)	IN (0x0001)	false
Dec 18, 2024 10:58:22.932979107 CET	1.1.1.1	192.168.2.6	0xdb76	No error (0)	bzib.nelreports.net	bzib.nelreports.net.akamaized.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 18, 2024 10:58:23.026529074 CET	1.1.1.1	192.168.2.6	0x7fba	No error (0)	bzib.nelreports.net	bzib.nelreports.net.akamaized.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 18, 2024 10:58:23.476473093 CET	1.1.1.1	192.168.2.6	0x7d7b	No error (0)	clients2.googleusercontent.com	googlehosted.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 18, 2024 10:58:23.476473093 CET	1.1.1.1	192.168.2.6	0x7d7b	No error (0)	googlehosted.l.googleusercontent.com		142.250.181.65	A (IP address)	IN (0x0001)	false
Dec 18, 2024 10:58:23.477560997 CET	1.1.1.1	192.168.2.6	0xbdaa	No error (0)	clients2.googleusercontent.com	googlehosted.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 18, 2024 10:58:24.243637085 CET	1.1.1.1	192.168.2.6	0x21fd	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Dec 18, 2024 10:58:24.243637085 CET	1.1.1.1	192.168.2.6	0x21fd	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Dec 18, 2024 10:58:24.244044065 CET	1.1.1.1	192.168.2.6	0x1128	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Dec 18, 2024 10:58:24.244731903 CET	1.1.1.1	192.168.2.6	0x7d57	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Dec 18, 2024 10:58:24.244731903 CET	1.1.1.1	192.168.2.6	0x7d57	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Dec 18, 2024 10:58:24.245476007 CET	1.1.1.1	192.168.2.6	0x4208	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Dec 18, 2024 10:58:24.399192095 CET	1.1.1.1	192.168.2.6	0x82d0	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Dec 18, 2024 10:58:24.400579929 CET	1.1.1.1	192.168.2.6	0xfa7f	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Dec 18, 2024 10:58:24.400579929 CET	1.1.1.1	192.168.2.6	0xfa7f	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Dec 18, 2024 10:58:30.949418068 CET	1.1.1.1	192.168.2.6	0x36b2	No error (0)	www.google.com		142.250.181.132	A (IP address)	IN (0x0001)	false
Dec 18, 2024 10:58:30.949769020 CET	1.1.1.1	192.168.2.6	0x3af1	No error (0)	www.google.com			65	IN (0x0001)	false
Dec 18, 2024 10:58:38.164550066 CET	1.1.1.1	192.168.2.6	0x73eb	No error (0)	apis.google.com	plus.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 18, 2024 10:58:38.164550066 CET	1.1.1.1	192.168.2.6	0x73eb	No error (0)	plus.l.google.com		142.250.181.46	A (IP address)	IN (0x0001)	false
Dec 18, 2024 10:58:38.167341948 CET	1.1.1.1	192.168.2.6	0x9426	No error (0)	apis.google.com	plus.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 18, 2024 10:58:38.323529959 CET	1.1.1.1	192.168.2.6	0x78da	No error (0)	api.gofile.io		45.112.123.126	A (IP address)	IN (0x0001)	false
Dec 18, 2024 10:58:39.211615086 CET	1.1.1.1	192.168.2.6	0x9d53	No error (0)	play.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Dec 18, 2024 10:58:40.789275885 CET	1.1.1.1	192.168.2.6	0xecf1	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Dec 18, 2024 10:58:50.501744986 CET	1.1.1.1	192.168.2.6	0xde2	No error (0)	canstealer.com		104.21.76.84	A (IP address)	IN (0x0001)	false
Dec 18, 2024 10:58:50.501744986 CET	1.1.1.1	192.168.2.6	0xde2	No error (0)	canstealer.com		172.67.191.110	A (IP address)	IN (0x0001)	false
Dec 18, 2024 10:58:58.890145063 CET	1.1.1.1	192.168.2.6	0x8a99	No error (0)	raw.githubusercontent.com		185.199.110.133	A (IP address)	IN (0x0001)	false
Dec 18, 2024 10:58:58.890145063 CET	1.1.1.1	192.168.2.6	0x8a99	No error (0)	raw.githubusercontent.com		185.199.108.133	A (IP address)	IN (0x0001)	false
Dec 18, 2024 10:58:58.890145063 CET	1.1.1.1	192.168.2.6	0x8a99	No error (0)	raw.githubusercontent.com		185.199.109.133	A (IP address)	IN (0x0001)	false
Dec 18, 2024 10:58:58.890145063 CET	1.1.1.1	192.168.2.6	0x8a99	No error (0)	raw.githubusercontent.com		185.199.111.133	A (IP address)	IN (0x0001)	false
Dec 18, 2024 10:59:23.251338005 CET	1.1.1.1	192.168.2.6	0xc740	No error (0)	raw.githubusercontent.com		185.199.108.133	A (IP address)	IN (0x0001)	false
Dec 18, 2024 10:59:23.251338005 CET	1.1.1.1	192.168.2.6	0xc740	No error (0)	raw.githubusercontent.com		185.199.109.133	A (IP address)	IN (0x0001)	false
Dec 18, 2024 10:59:23.251338005 CET	1.1.1.1	192.168.2.6	0xc740	No error (0)	raw.githubusercontent.com		185.199.111.133	A (IP address)	IN (0x0001)	false
Dec 18, 2024 10:59:23.251338005 CET	1.1.1.1	192.168.2.6	0xc740	No error (0)	raw.githubusercontent.com		185.199.110.133	A (IP address)	IN (0x0001)	false
Dec 18, 2024 10:59:43.835145950 CET	1.1.1.1	192.168.2.6	0x5ed3	No error (0)	raw.githubusercontent.com		185.199.111.133	A (IP address)	IN (0x0001)	false
Dec 18, 2024 10:59:43.835145950 CET	1.1.1.1	192.168.2.6	0x5ed3	No error (0)	raw.githubusercontent.com		185.199.109.133	A (IP address)	IN (0x0001)	false
Dec 18, 2024 10:59:43.835145950 CET	1.1.1.1	192.168.2.6	0x5ed3	No error (0)	raw.githubusercontent.com		185.199.108.133	A (IP address)	IN (0x0001)	false
Dec 18, 2024 10:59:43.835145950 CET	1.1.1.1	192.168.2.6	0x5ed3	No error (0)	raw.githubusercontent.com		185.199.110.133	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:00:16.344881058 CET	1.1.1.1	192.168.2.6	0xd372	No error (0)	raw.githubusercontent.com		185.199.110.133	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:00:16.344881058 CET	1.1.1.1	192.168.2.6	0xd372	No error (0)	raw.githubusercontent.com		185.199.108.133	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:00:16.344881058 CET	1.1.1.1	192.168.2.6	0xd372	No error (0)	raw.githubusercontent.com		185.199.111.133	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:00:16.344881058 CET	1.1.1.1	192.168.2.6	0xd372	No error (0)	raw.githubusercontent.com		185.199.109.133	A (IP address)	IN (0x0001)	false

Timestamp	Bytes transferred	Direction	Data
2024-12-18 09:58:16 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 77 54 50 61 4c 71 33 58 76 45 53 78 6e 4b 55 47 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 38 35 34 37 34 30 37 62 62 33 64 31 36 30 66 66 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: wTPaLq3XvESxnKUG.1Context: 8547407bb3d160ff
2024-12-18 09:58:16 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-12-18 09:58:16 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 77 54 50 61 4c 71 33 58 76 45 53 78 6e 4b 55 47 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 38 35 34 37 34 30 37 62 62 33 64 31 36 30 66 66 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 63 4c 35 72 65 4e 45 4c 48 77 54 6d 2b 42 31 4f 2b 6e 41 61 4e 75 35 49 74 5a 66 6f 4f 30 5a 68 46 7a 36 48 54 32 51 50 52 6b 5a 59 65 52 35 6e 41 66 6d 43 6f 46 62 34 36 46 50 49 72 73 76 30 64 5a 73 73 57 58 41 4b 76 43 33 6c 49 62 4c 39 79 73 34 39 31 37 6d 51 5a 71 56 59 37 70 6e 32 41 48 39 51 70 70 37 61 7a 6a 78 52 51 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: wTPaLq3XvESxnKUG.2Context: 8547407bb3d160ff<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAcL5reNELHwTm+B1O+nAaNu5ItZfoO0ZhFz6HT2QPRkZYeR5nAfmCoFb46FPIrsv0dZssWXAKvC3lIbL9ys4917mQZqVY7pn2AH9Qpp7azjxRQ
2024-12-18 09:58:16 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 77 54 50 61 4c 71 33 58 76 45 53 78 6e 4b 55 47 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 38 35 34 37 34 30 37 62 62 33 64 31 36 30 66 66 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: wTPaLq3XvESxnKUG.3Context: 8547407bb3d160ff<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2024-12-18 09:58:17 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-12-18 09:58:17 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 52 68 58 4a 44 7a 56 6d 76 55 47 51 33 4b 30 35 6a 63 64 45 45 67 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: RhXJDzVmvUGQ3K05jcdEEg.0Payload parsing failed.

Timestamp	Bytes transferred	Direction	Data
2024-12-18 09:58:28 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 64 49 6f 2b 6d 33 54 71 76 55 79 35 51 59 65 6c 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 66 61 63 63 32 66 61 66 34 64 31 63 38 66 38 34 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: dIo+m3TqvUy5QYel.1Context: facc2faf4d1c8f84
2024-12-18 09:58:28 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-12-18 09:58:28 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 64 49 6f 2b 6d 33 54 71 76 55 79 35 51 59 65 6c 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 66 61 63 63 32 66 61 66 34 64 31 63 38 66 38 34 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 63 4c 35 72 65 4e 45 4c 48 77 54 6d 2b 42 31 4f 2b 6e 41 61 4e 75 35 49 74 5a 66 6f 4f 30 5a 68 46 7a 36 48 54 32 51 50 52 6b 5a 59 65 52 35 6e 41 66 6d 43 6f 46 62 34 36 46 50 49 72 73 76 30 64 5a 73 73 57 58 41 4b 76 43 33 6c 49 62 4c 39 79 73 34 39 31 37 6d 51 5a 71 56 59 37 70 6e 32 41 48 39 51 70 70 37 61 7a 6a 78 52 51 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: dIo+m3TqvUy5QYel.2Context: facc2faf4d1c8f84<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAcL5reNELHwTm+B1O+nAaNu5ItZfoO0ZhFz6HT2QPRkZYeR5nAfmCoFb46FPIrsv0dZssWXAKvC3lIbL9ys4917mQZqVY7pn2AH9Qpp7azjxRQ
2024-12-18 09:58:28 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 64 49 6f 2b 6d 33 54 71 76 55 79 35 51 59 65 6c 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 66 61 63 63 32 66 61 66 34 64 31 63 38 66 38 34 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: dIo+m3TqvUy5QYel.3Context: facc2faf4d1c8f84<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2024-12-18 09:58:29 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-12-18 09:58:29 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 7a 43 7a 4b 2f 59 6b 6d 4e 55 53 38 36 46 69 5a 50 39 4d 6e 61 77 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: zCzK/YkmNUS86FiZP9Mnaw.0Payload parsing failed.

Timestamp	Bytes transferred	Direction	Data
2024-12-18 09:58:32 UTC	603	OUT	GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIk6HLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc= Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-18 09:58:33 UTC	1219	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 09:58:33 GMT Pragma: no-cache Expires: -1 Cache-Control: no-cache, must-revalidate Content-Type: text/javascript; charset=UTF-8 Content-Security-Policy: object-src 'none';base-uri 'self';script-src 'nonce-jRoqpQChssVHpDsObkfveQ' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/web Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/web"}]} Accept-CH: Sec-CH-Prefers-Color-Scheme Accept-CH: Sec-CH-UA-Form-Factors Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Content-Disposition: attachment; filename="f.txt" Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-12-18 09:58:33 UTC	171	IN	Data Raw: 61 35 0d 0a 29 5d 7d 27 0a 5b 22 22 2c 5b 5d 2c 5b 5d 2c 5b 5d 2c 7b 22 67 6f 6f 67 6c 65 3a 63 6c 69 65 6e 74 64 61 74 61 22 3a 7b 22 62 70 63 22 3a 66 61 6c 73 65 2c 22 74 6c 77 22 3a 66 61 6c 73 65 7d 2c 22 67 6f 6f 67 6c 65 3a 73 75 67 67 65 73 74 65 76 65 6e 74 69 64 22 3a 35 37 37 30 39 37 33 32 32 30 37 36 32 34 38 39 37 32 36 2c 22 67 6f 6f 67 6c 65 3a 73 75 67 67 65 73 74 74 79 70 65 22 3a 5b 5d 2c 22 67 6f 6f 67 6c 65 3a 76 65 72 62 61 74 69 6d 72 65 6c 65 76 61 6e 63 65 22 3a 38 35 31 7d 5d 0d 0a Data Ascii: a5)]}'["",[],[],[],{"google:clientdata":{"bpc":false,"tlw":false},"google:suggesteventid":5770973220762489726,"google:suggesttype":[],"google:verbatimrelevance":851}]
2024-12-18 09:58:33 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-12-18 09:58:33 UTC	506	OUT	GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIk6HLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc= Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-18 09:58:33 UTC	973	IN	HTTP/1.1 200 OK Version: 705503573 Content-Type: application/json; charset=UTF-8 X-Content-Type-Options: nosniff Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Accept-CH: Sec-CH-Prefers-Color-Scheme Accept-CH: Sec-CH-UA-Form-Factors Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Content-Disposition: attachment; filename="f.txt" Date: Wed, 18 Dec 2024 09:58:33 GMT Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-12-18 09:58:33 UTC	417	IN	Data Raw: 31 36 65 61 0d 0a 29 5d 7d 27 0a 7b 22 75 70 64 61 74 65 22 3a 7b 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 65 6e 2d 55 53 22 2c 22 6f 67 62 22 3a 7b 22 68 74 6d 6c 22 3a 7b 22 70 72 69 76 61 74 65 5f 64 6f 5f 6e 6f 74 5f 61 63 63 65 73 73 5f 6f 72 5f 65 6c 73 65 5f 73 61 66 65 5f 68 74 6d 6c 5f 77 72 61 70 70 65 64 5f 76 61 6c 75 65 22 3a 22 5c 75 30 30 33 63 68 65 61 64 65 72 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 45 61 20 67 62 5f 32 64 20 67 62 5f 51 65 20 67 62 5f 71 64 5c 22 20 69 64 5c 75 30 30 33 64 5c 22 67 62 5c 22 20 72 6f 6c 65 5c 75 30 30 33 64 5c 22 62 61 6e 6e 65 72 5c 22 20 73 74 79 6c 65 5c 75 30 30 33 64 5c 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 74 72 61 6e 73 70 61 72 65 6e 74 5c 22 5c 75 30 30 33 65 Data Ascii: 16ea)]}'{"update":{"language_code":"en-US","ogb":{"html":{"private_do_not_access_or_else_safe_html_wrapped_value":"\u003cheader class\u003d\"gb_Ea gb_2d gb_Qe gb_qd\" id\u003d\"gb\" role\u003d\"banner\" style\u003d\"background-color:transparent\"\u003e
2024-12-18 09:58:33 UTC	1390	IN	Data Raw: 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 4a 63 20 67 62 5f 51 5c 22 20 61 72 69 61 2d 65 78 70 61 6e 64 65 64 5c 75 30 30 33 64 5c 22 66 61 6c 73 65 5c 22 20 61 72 69 61 2d 6c 61 62 65 6c 5c 75 30 30 33 64 5c 22 4d 61 69 6e 20 6d 65 6e 75 5c 22 20 72 6f 6c 65 5c 75 30 30 33 64 5c 22 62 75 74 74 6f 6e 5c 22 20 74 61 62 69 6e 64 65 78 5c 75 30 30 33 64 5c 22 30 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 73 76 67 20 66 6f 63 75 73 61 62 6c 65 5c 75 30 30 33 64 5c 22 66 61 6c 73 65 5c 22 20 76 69 65 77 62 6f 78 5c 75 30 30 33 64 5c 22 30 20 30 20 32 34 20 32 34 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 70 61 74 68 20 64 5c 75 30 30 33 64 5c 22 4d 33 20 31 38 68 31 38 76 2d 32 48 33 76 32 7a 6d 30 2d 35 68 31 38 76 2d 32 48 33 76 32 7a 6d 30 2d 37 76 32 68 31 38 Data Ascii: ss\u003d\"gb_Jc gb_Q\" aria-expanded\u003d\"false\" aria-label\u003d\"Main menu\" role\u003d\"button\" tabindex\u003d\"0\"\u003e\u003csvg focusable\u003d\"false\" viewbox\u003d\"0 0 24 24\"\u003e\u003cpath d\u003d\"M3 18h18v-2H3v2zm0-5h18v-2H3v2zm0-7v2h18
2024-12-18 09:58:33 UTC	1390	IN	Data Raw: 65 5c 75 30 30 33 63 73 70 61 6e 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 75 64 5c 22 20 61 72 69 61 2d 6c 65 76 65 6c 5c 75 30 30 33 64 5c 22 31 5c 22 20 72 6f 6c 65 5c 75 30 30 33 64 5c 22 68 65 61 64 69 6e 67 5c 22 5c 75 30 30 33 65 20 5c 75 30 30 33 63 5c 2f 73 70 61 6e 5c 75 30 30 33 65 5c 75 30 30 33 63 64 69 76 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 61 64 5c 22 5c 75 30 30 33 65 20 5c 75 30 30 33 63 5c 2f 64 69 76 5c 75 30 30 33 65 5c 75 30 30 33 63 5c 2f 64 69 76 5c 75 30 30 33 65 5c 75 30 30 33 63 5c 2f 64 69 76 5c 75 30 30 33 65 5c 75 30 30 33 63 64 69 76 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 77 64 20 67 62 5f 41 64 20 67 62 5f 6c 64 20 67 62 5f 4b 65 20 67 62 5f 46 65 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 Data Ascii: e\u003cspan class\u003d\"gb_ud\" aria-level\u003d\"1\" role\u003d\"heading\"\u003e \u003c\/span\u003e\u003cdiv class\u003d\"gb_ad\"\u003e \u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003cdiv class\u003d\"gb_wd gb_Ad gb_ld gb_Ke gb_Fe\"\u003e\u003c
2024-12-18 09:58:33 UTC	1390	IN	Data Raw: 67 68 74 5c 75 30 30 33 64 5c 22 32 34 70 78 5c 22 20 76 69 65 77 42 6f 78 5c 75 30 30 33 64 5c 22 30 20 2d 39 36 30 20 39 36 30 20 39 36 30 5c 22 20 77 69 64 74 68 5c 75 30 30 33 64 5c 22 32 34 70 78 5c 22 5c 75 30 30 33 65 20 5c 75 30 30 33 63 70 61 74 68 20 64 5c 75 30 30 33 64 5c 22 4d 32 30 39 2d 31 32 30 71 2d 34 32 20 30 2d 37 30 2e 35 2d 32 38 2e 35 54 31 31 30 2d 32 31 37 71 30 2d 31 34 20 33 2d 32 35 2e 35 74 39 2d 32 31 2e 35 6c 32 32 38 2d 33 34 31 71 31 30 2d 31 34 20 31 35 2d 33 31 74 35 2d 33 34 76 2d 31 31 30 68 2d 32 30 71 2d 31 33 20 30 2d 32 31 2e 35 2d 38 2e 35 54 33 32 30 2d 38 31 30 71 30 2d 31 33 20 38 2e 35 2d 32 31 2e 35 54 33 35 30 2d 38 34 30 68 32 36 30 71 31 33 20 30 20 32 31 2e 35 20 38 2e 35 54 36 34 30 2d 38 31 30 71 30 20 Data Ascii: ght\u003d\"24px\" viewBox\u003d\"0 -960 960 960\" width\u003d\"24px\"\u003e \u003cpath d\u003d\"M209-120q-42 0-70.5-28.5T110-217q0-14 3-25.5t9-21.5l228-341q10-14 15-31t5-34v-110h-20q-13 0-21.5-8.5T320-810q0-13 8.5-21.5T350-840h260q13 0 21.5 8.5T640-810q0
2024-12-18 09:58:33 UTC	1287	IN	Data Raw: 2c 32 20 32 2c 32 7a 4d 31 36 2c 36 63 30 2c 31 2e 31 20 30 2e 39 2c 32 20 32 2c 32 73 32 2c 2d 30 2e 39 20 32 2c 2d 32 20 2d 30 2e 39 2c 2d 32 20 2d 32 2c 2d 32 20 2d 32 2c 30 2e 39 20 2d 32 2c 32 7a 4d 31 32 2c 38 63 31 2e 31 2c 30 20 32 2c 2d 30 2e 39 20 32 2c 2d 32 73 2d 30 2e 39 2c 2d 32 20 2d 32 2c 2d 32 20 2d 32 2c 30 2e 39 20 2d 32 2c 32 20 30 2e 39 2c 32 20 32 2c 32 7a 4d 31 38 2c 31 34 63 31 2e 31 2c 30 20 32 2c 2d 30 2e 39 20 32 2c 2d 32 73 2d 30 2e 39 2c 2d 32 20 2d 32 2c 2d 32 20 2d 32 2c 30 2e 39 20 2d 32 2c 32 20 30 2e 39 2c 32 20 32 2c 32 7a 4d 31 38 2c 32 30 63 31 2e 31 2c 30 20 32 2c 2d 30 2e 39 20 32 2c 2d 32 73 2d 30 2e 39 2c 2d 32 20 2d 32 2c 2d 32 20 2d 32 2c 30 2e 39 20 2d 32 2c 32 20 30 2e 39 2c 32 20 32 2c 32 7a 5c 22 5c 75 30 30 Data Ascii: ,2 2,2zM16,6c0,1.1 0.9,2 2,2s2,-0.9 2,-2 -0.9,-2 -2,-2 -2,0.9 -2,2zM12,8c1.1,0 2,-0.9 2,-2s-0.9,-2 -2,-2 -2,0.9 -2,2 0.9,2 2,2zM18,14c1.1,0 2,-0.9 2,-2s-0.9,-2 -2,-2 -2,0.9 -2,2 0.9,2 2,2zM18,20c1.1,0 2,-0.9 2,-2s-0.9,-2 -2,-2 -2,0.9 -2,2 0.9,2 2,2z\"\u00
2024-12-18 09:58:33 UTC	303	IN	Data Raw: 31 32 38 0d 0a 22 2c 22 6c 65 66 74 5f 70 72 6f 64 75 63 74 5f 63 6f 6e 74 72 6f 6c 2d 6c 61 62 65 6c 32 22 5d 2c 22 6d 65 6e 75 5f 70 6c 61 63 65 68 6f 6c 64 65 72 5f 6c 61 62 65 6c 22 3a 22 6d 65 6e 75 2d 63 6f 6e 74 65 6e 74 22 2c 22 6d 65 74 61 64 61 74 61 22 3a 7b 22 62 61 72 5f 68 65 69 67 68 74 22 3a 36 30 2c 22 65 78 70 65 72 69 6d 65 6e 74 5f 69 64 22 3a 5b 33 37 30 30 32 35 33 2c 33 37 30 31 33 38 34 2c 31 30 32 32 37 38 32 30 35 5d 2c 22 69 73 5f 62 61 63 6b 75 70 5f 62 61 72 22 3a 66 61 6c 73 65 7d 2c 22 70 61 67 65 5f 68 6f 6f 6b 73 22 3a 7b 22 61 66 74 65 72 5f 62 61 72 5f 73 63 72 69 70 74 22 3a 7b 22 70 72 69 76 61 74 65 5f 64 6f 5f 6e 6f 74 5f 61 63 63 65 73 73 5f 6f 72 5f 65 6c 73 65 5f 73 61 66 65 5f 73 63 72 69 70 74 5f 77 72 61 70 70 Data Ascii: 128","left_product_control-label2"],"menu_placeholder_label":"menu-content","metadata":{"bar_height":60,"experiment_id":[3700253,3701384,102278205],"is_backup_bar":false},"page_hooks":{"after_bar_script":{"private_do_not_access_or_else_safe_script_wrapp
2024-12-18 09:58:34 UTC	1390	IN	Data Raw: 38 30 30 30 0d 0a 63 74 69 6f 6e 28 5f 29 7b 76 61 72 20 77 69 6e 64 6f 77 5c 75 30 30 33 64 74 68 69 73 3b 5c 6e 74 72 79 7b 5c 6e 5f 2e 78 64 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 69 66 28 21 61 2e 6a 29 69 66 28 63 20 69 6e 73 74 61 6e 63 65 6f 66 20 41 72 72 61 79 29 66 6f 72 28 76 61 72 20 64 20 6f 66 20 63 29 5f 2e 78 64 28 61 2c 62 2c 64 29 3b 65 6c 73 65 7b 64 5c 75 30 30 33 64 28 30 2c 5f 2e 7a 29 28 61 2e 43 2c 61 2c 62 29 3b 63 6f 6e 73 74 20 65 5c 75 30 30 33 64 61 2e 76 2b 63 3b 61 2e 76 2b 2b 3b 62 2e 64 61 74 61 73 65 74 2e 65 71 69 64 5c 75 30 30 33 64 65 3b 61 2e 42 5b 65 5d 5c 75 30 30 33 64 64 3b 62 5c 75 30 30 32 36 5c 75 30 30 32 36 62 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 3f 62 2e 61 64 64 45 Data Ascii: 8000ction(_){var window\u003dthis;\ntry{\n_.xd\u003dfunction(a,b,c){if(!a.j)if(c instanceof Array)for(var d of c)_.xd(a,b,d);else{d\u003d(0,_.z)(a.C,a,b);const e\u003da.v+c;a.v++;b.dataset.eqid\u003de;a.B[e]\u003dd;b\u0026\u0026b.addEventListener?b.addE
2024-12-18 09:58:34 UTC	1390	IN	Data Raw: 63 6c 61 73 73 7b 63 6f 6e 73 74 72 75 63 74 6f 72 28 61 29 7b 74 68 69 73 2e 69 5c 75 30 30 33 64 61 7d 74 6f 53 74 72 69 6e 67 28 29 7b 72 65 74 75 72 6e 20 74 68 69 73 2e 69 7d 7d 3b 5f 2e 4a 64 5c 75 30 30 33 64 6e 65 77 20 5f 2e 49 64 28 5c 22 61 62 6f 75 74 3a 69 6e 76 61 6c 69 64 23 7a 43 6c 6f 73 75 72 65 7a 5c 22 29 3b 5f 2e 46 64 5c 75 30 30 33 64 63 6c 61 73 73 7b 63 6f 6e 73 74 72 75 63 74 6f 72 28 61 29 7b 74 68 69 73 2e 6e 68 5c 75 30 30 33 64 61 7d 7d 3b 5f 2e 4b 64 5c 75 30 30 33 64 5b 47 64 28 5c 22 64 61 74 61 5c 22 29 2c 47 64 28 5c 22 68 74 74 70 5c 22 29 2c 47 64 28 5c 22 68 74 74 70 73 5c 22 29 2c 47 64 28 5c 22 6d 61 69 6c 74 6f 5c 22 29 2c 47 64 28 5c 22 66 74 70 5c 22 29 2c 6e 65 77 20 5f 2e 46 64 28 61 5c 75 30 30 33 64 5c 75 30 Data Ascii: class{constructor(a){this.i\u003da}toString(){return this.i}};_.Jd\u003dnew _.Id(\"about:invalid#zClosurez\");_.Fd\u003dclass{constructor(a){this.nh\u003da}};_.Kd\u003d[Gd(\"data\"),Gd(\"http\"),Gd(\"https\"),Gd(\"mailto\"),Gd(\"ftp\"),new _.Fd(a\u003d\u0
2024-12-18 09:58:34 UTC	1390	IN	Data Raw: 74 29 7b 6c 65 74 20 63 2c 64 3b 62 5c 75 30 30 33 64 28 64 5c 75 30 30 33 64 28 63 5c 75 30 30 33 64 5c 22 64 6f 63 75 6d 65 6e 74 5c 22 69 6e 20 62 3f 62 2e 64 6f 63 75 6d 65 6e 74 3a 62 29 2e 71 75 65 72 79 53 65 6c 65 63 74 6f 72 29 5c 75 30 30 33 64 5c 75 30 30 33 64 6e 75 6c 6c 3f 76 6f 69 64 20 30 3a 64 2e 63 61 6c 6c 28 63 2c 60 24 7b 61 7d 5b 6e 6f 6e 63 65 5d 60 29 3b 72 65 74 75 72 6e 20 62 5c 75 30 30 33 64 5c 75 30 30 33 64 6e 75 6c 6c 3f 5c 22 5c 22 3a 62 2e 6e 6f 6e 63 65 7c 7c 62 2e 67 65 74 41 74 74 72 69 62 75 74 65 28 5c 22 6e 6f 6e 63 65 5c 22 29 7c 7c 5c 22 5c 22 7d 3b 5c 6e 5f 2e 24 64 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 29 7b 76 61 72 20 62 5c 75 30 30 33 64 5f 2e 4d 61 28 61 29 3b 72 65 74 75 72 6e 20 62 5c 75 30 30 33 Data Ascii: t){let c,d;b\u003d(d\u003d(c\u003d\"document\"in b?b.document:b).querySelector)\u003d\u003dnull?void 0:d.call(c,`${a}[nonce]`);return b\u003d\u003dnull?\"\":b.nonce\|\|b.getAttribute(\"nonce\")\|\|\"\"};\n_.$d\u003dfunction(a){var b\u003d_.Ma(a);return b\u003
2024-12-18 09:58:34 UTC	1390	IN	Data Raw: 78 74 5c 75 30 30 33 64 63 3a 64 5c 75 30 30 33 64 5c 75 30 30 33 64 5c 22 63 6c 61 73 73 5c 22 3f 61 2e 63 6c 61 73 73 4e 61 6d 65 5c 75 30 30 33 64 63 3a 64 5c 75 30 30 33 64 5c 75 30 30 33 64 5c 22 66 6f 72 5c 22 3f 61 2e 68 74 6d 6c 46 6f 72 5c 75 30 30 33 64 63 3a 6a 65 2e 68 61 73 4f 77 6e 50 72 6f 70 65 72 74 79 28 64 29 3f 61 2e 73 65 74 41 74 74 72 69 62 75 74 65 28 6a 65 5b 64 5d 2c 63 29 3a 5f 2e 65 65 28 64 2c 5c 22 61 72 69 61 2d 5c 22 29 7c 7c 5f 2e 65 65 28 64 2c 5c 22 64 61 74 61 2d 5c 22 29 3f 61 2e 73 65 74 41 74 74 72 69 62 75 74 65 28 64 2c 63 29 3a 61 5b 64 5d 5c 75 30 30 33 64 63 7d 29 7d 3b 6a 65 5c 75 30 30 33 64 7b 63 65 6c 6c 70 61 64 64 69 6e 67 3a 5c 22 63 65 6c 6c 50 61 64 64 69 6e 67 5c 22 2c 63 65 6c 6c 73 70 61 63 69 6e 67 Data Ascii: xt\u003dc:d\u003d\u003d\"class\"?a.className\u003dc:d\u003d\u003d\"for\"?a.htmlFor\u003dc:je.hasOwnProperty(d)?a.setAttribute(je[d],c):_.ee(d,\"aria-\")\|\|_.ee(d,\"data-\")?a.setAttribute(d,c):a[d]\u003dc})};je\u003d{cellpadding:\"cellPadding\",cellspacing

Timestamp	Bytes transferred	Direction	Data
2024-12-18 09:58:33 UTC	361	OUT	GET /async/newtab_promos HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-18 09:58:33 UTC	933	IN	HTTP/1.1 200 OK Version: 705503573 Content-Type: application/json; charset=UTF-8 X-Content-Type-Options: nosniff Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Accept-CH: Sec-CH-UA-Form-Factors Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Content-Disposition: attachment; filename="f.txt" Date: Wed, 18 Dec 2024 09:58:33 GMT Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-12-18 09:58:33 UTC	35	IN	Data Raw: 31 64 0d 0a 29 5d 7d 27 0a 7b 22 75 70 64 61 74 65 22 3a 7b 22 70 72 6f 6d 6f 73 22 3a 7b 7d 7d 7d 0d 0a Data Ascii: 1d)]}'{"update":{"promos":{}}}
2024-12-18 09:58:33 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-12-18 09:58:39 UTC	721	OUT	GET /_/scs/abc-static/_/js/k=gapi.gapi.en.ZpMpph_5a4M.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo_c5__TAiALeuHoQOKG0BnSpdbJrQ/cb=gapi.loaded_0 HTTP/1.1 Host: apis.google.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIk6HLAQj6mM0BCIWgzQEIucrNARjrjaUX Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-18 09:58:40 UTC	916	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Access-Control-Allow-Origin: * Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/social-frontend-mpm-access Cross-Origin-Resource-Policy: cross-origin Cross-Origin-Opener-Policy: same-origin; report-to="social-frontend-mpm-access" Report-To: {"group":"social-frontend-mpm-access","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/social-frontend-mpm-access"}]} Content-Length: 117446 X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 0 Date: Wed, 11 Dec 2024 22:22:46 GMT Expires: Thu, 11 Dec 2025 22:22:46 GMT Cache-Control: public, max-age=31536000 Last-Modified: Mon, 02 Dec 2024 19:15:50 GMT Content-Type: text/javascript; charset=UTF-8 Vary: Accept-Encoding Age: 560154 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-18 09:58:40 UTC	474	IN	Data Raw: 67 61 70 69 2e 6c 6f 61 64 65 64 5f 30 28 66 75 6e 63 74 69 6f 6e 28 5f 29 7b 76 61 72 20 77 69 6e 64 6f 77 3d 74 68 69 73 3b 0a 5f 2e 5f 46 5f 74 6f 67 67 6c 65 73 5f 69 6e 69 74 69 61 6c 69 7a 65 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 28 74 79 70 65 6f 66 20 67 6c 6f 62 61 6c 54 68 69 73 21 3d 3d 22 75 6e 64 65 66 69 6e 65 64 22 3f 67 6c 6f 62 61 6c 54 68 69 73 3a 74 79 70 65 6f 66 20 73 65 6c 66 21 3d 3d 22 75 6e 64 65 66 69 6e 65 64 22 3f 73 65 6c 66 3a 74 68 69 73 29 2e 5f 46 5f 74 6f 67 67 6c 65 73 3d 61 7c 7c 5b 5d 7d 3b 28 30 2c 5f 2e 5f 46 5f 74 6f 67 67 6c 65 73 5f 69 6e 69 74 69 61 6c 69 7a 65 29 28 5b 5d 29 3b 0a 76 61 72 20 63 61 2c 64 61 2c 68 61 2c 6d 61 2c 78 61 2c 41 61 2c 42 61 3b 63 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 76 61 72 20 Data Ascii: gapi.loaded_0(function(_){var window=this;_._F_toggles_initialize=function(a){(typeof globalThis!=="undefined"?globalThis:typeof self!=="undefined"?self:this)._F_toggles=a\|\|[]};(0,_._F_toggles_initialize)([]);var ca,da,ha,ma,xa,Aa,Ba;ca=function(a){var
2024-12-18 09:58:40 UTC	1390	IN	Data Raw: 61 6c 75 65 3b 72 65 74 75 72 6e 20 61 7d 3b 0a 68 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 61 3d 5b 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 67 6c 6f 62 61 6c 54 68 69 73 26 26 67 6c 6f 62 61 6c 54 68 69 73 2c 61 2c 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 77 69 6e 64 6f 77 26 26 77 69 6e 64 6f 77 2c 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 73 65 6c 66 26 26 73 65 6c 66 2c 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 67 6c 6f 62 61 6c 26 26 67 6c 6f 62 61 6c 5d 3b 66 6f 72 28 76 61 72 20 62 3d 30 3b 62 3c 61 2e 6c 65 6e 67 74 68 3b 2b 2b 62 29 7b 76 61 72 20 63 3d 61 5b 62 5d 3b 69 66 28 63 26 26 63 2e 4d 61 74 68 3d 3d 4d 61 74 68 29 72 65 74 75 72 6e 20 63 7d 74 68 72 6f 77 20 45 72 72 6f 72 28 22 61 22 29 3b 7d 3b Data Ascii: alue;return a};ha=function(a){a=["object"==typeof globalThis&&globalThis,a,"object"==typeof window&&window,"object"==typeof self&&self,"object"==typeof global&&global];for(var b=0;b<a.length;++b){var c=a[b];if(c&&c.Math==Math)return c}throw Error("a");};
2024-12-18 09:58:40 UTC	1390	IN	Data Raw: 66 75 6e 63 74 69 6f 6e 28 61 29 7b 76 61 72 20 62 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 7d 3b 62 2e 70 72 6f 74 6f 74 79 70 65 3d 61 3b 72 65 74 75 72 6e 20 6e 65 77 20 62 7d 2c 71 61 3b 69 66 28 74 79 70 65 6f 66 20 4f 62 6a 65 63 74 2e 73 65 74 50 72 6f 74 6f 74 79 70 65 4f 66 3d 3d 22 66 75 6e 63 74 69 6f 6e 22 29 71 61 3d 4f 62 6a 65 63 74 2e 73 65 74 50 72 6f 74 6f 74 79 70 65 4f 66 3b 65 6c 73 65 7b 76 61 72 20 72 61 3b 61 3a 7b 76 61 72 20 73 61 3d 7b 61 3a 21 30 7d 2c 77 61 3d 7b 7d 3b 74 72 79 7b 77 61 2e 5f 5f 70 72 6f 74 6f 5f 5f 3d 73 61 3b 72 61 3d 77 61 2e 61 3b 62 72 65 61 6b 20 61 7d 63 61 74 63 68 28 61 29 7b 7d 72 61 3d 21 31 7d 71 61 3d 72 61 3f 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 61 2e 5f 5f 70 72 6f 74 6f 5f 5f 3d 62 3b 69 66 28 Data Ascii: function(a){var b=function(){};b.prototype=a;return new b},qa;if(typeof Object.setPrototypeOf=="function")qa=Object.setPrototypeOf;else{var ra;a:{var sa={a:!0},wa={};try{wa.__proto__=sa;ra=wa.a;break a}catch(a){}ra=!1}qa=ra?function(a,b){a.__proto__=b;if(
2024-12-18 09:58:40 UTC	1390	IN	Data Raw: 7b 66 6f 72 28 3b 74 68 69 73 2e 46 66 26 26 74 68 69 73 2e 46 66 2e 6c 65 6e 67 74 68 3b 29 7b 76 61 72 20 68 3d 74 68 69 73 2e 46 66 3b 74 68 69 73 2e 46 66 3d 5b 5d 3b 66 6f 72 28 76 61 72 20 6b 3d 30 3b 6b 3c 68 2e 6c 65 6e 67 74 68 3b 2b 2b 6b 29 7b 76 61 72 20 6c 3d 68 5b 6b 5d 3b 68 5b 6b 5d 3d 6e 75 6c 6c 3b 74 72 79 7b 6c 28 29 7d 63 61 74 63 68 28 6d 29 7b 74 68 69 73 2e 6d 71 28 6d 29 7d 7d 7d 74 68 69 73 2e 46 66 3d 6e 75 6c 6c 7d 3b 62 2e 70 72 6f 74 6f 74 79 70 65 2e 6d 71 3d 66 75 6e 63 74 69 6f 6e 28 68 29 7b 74 68 69 73 2e 7a 50 28 66 75 6e 63 74 69 6f 6e 28 29 7b 74 68 72 6f 77 20 68 3b 0a 7d 29 7d 3b 76 61 72 20 65 3d 66 75 6e 63 74 69 6f 6e 28 68 29 7b 74 68 69 73 2e 45 61 3d 30 3b 74 68 69 73 2e 77 66 3d 76 6f 69 64 20 30 3b 74 68 69 Data Ascii: {for(;this.Ff&&this.Ff.length;){var h=this.Ff;this.Ff=[];for(var k=0;k<h.length;++k){var l=h[k];h[k]=null;try{l()}catch(m){this.mq(m)}}}this.Ff=null};b.prototype.mq=function(h){this.zP(function(){throw h;})};var e=function(h){this.Ea=0;this.wf=void 0;thi
2024-12-18 09:58:40 UTC	1390	IN	Data Raw: 68 28 22 75 6e 68 61 6e 64 6c 65 64 72 65 6a 65 63 74 69 6f 6e 22 2c 7b 63 61 6e 63 65 6c 61 62 6c 65 3a 21 30 7d 29 3a 74 79 70 65 6f 66 20 6b 3d 3d 3d 22 66 75 6e 63 74 69 6f 6e 22 3f 68 3d 6e 65 77 20 6b 28 22 75 6e 68 61 6e 64 6c 65 64 72 65 6a 65 63 74 69 6f 6e 22 2c 7b 63 61 6e 63 65 6c 61 62 6c 65 3a 21 30 7d 29 3a 28 68 3d 5f 2e 6c 61 2e 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 76 65 6e 74 28 22 43 75 73 74 6f 6d 45 76 65 6e 74 22 29 2c 68 2e 69 6e 69 74 43 75 73 74 6f 6d 45 76 65 6e 74 28 22 75 6e 68 61 6e 64 6c 65 64 72 65 6a 65 63 74 69 6f 6e 22 2c 21 31 2c 21 30 2c 68 29 29 3b 68 2e 70 72 6f 6d 69 73 65 3d 74 68 69 73 3b 68 2e 72 65 61 73 6f 6e 3d 74 68 69 73 2e 77 66 3b 72 65 74 75 72 6e 20 6c 28 68 29 7d 3b 65 2e 70 72 6f 74 6f 74 79 Data Ascii: h("unhandledrejection",{cancelable:!0}):typeof k==="function"?h=new k("unhandledrejection",{cancelable:!0}):(h=_.la.document.createEvent("CustomEvent"),h.initCustomEvent("unhandledrejection",!1,!0,h));h.promise=this;h.reason=this.wf;return l(h)};e.prototy
2024-12-18 09:58:40 UTC	1390	IN	Data Raw: 64 6f 6e 65 29 7d 29 7d 3b 72 65 74 75 72 6e 20 65 7d 29 3b 76 61 72 20 43 61 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 69 66 28 61 3d 3d 6e 75 6c 6c 29 74 68 72 6f 77 20 6e 65 77 20 54 79 70 65 45 72 72 6f 72 28 22 54 68 65 20 27 74 68 69 73 27 20 76 61 6c 75 65 20 66 6f 72 20 53 74 72 69 6e 67 2e 70 72 6f 74 6f 74 79 70 65 2e 22 2b 63 2b 22 20 6d 75 73 74 20 6e 6f 74 20 62 65 20 6e 75 6c 6c 20 6f 72 20 75 6e 64 65 66 69 6e 65 64 22 29 3b 69 66 28 62 20 69 6e 73 74 61 6e 63 65 6f 66 20 52 65 67 45 78 70 29 74 68 72 6f 77 20 6e 65 77 20 54 79 70 65 45 72 72 6f 72 28 22 46 69 72 73 74 20 61 72 67 75 6d 65 6e 74 20 74 6f 20 53 74 72 69 6e 67 2e 70 72 6f 74 6f 74 79 70 65 2e 22 2b 63 2b 22 20 6d 75 73 74 20 6e 6f 74 20 62 65 20 61 20 72 65 67 75 6c Data Ascii: done)})};return e});var Ca=function(a,b,c){if(a==null)throw new TypeError("The 'this' value for String.prototype."+c+" must not be null or undefined");if(b instanceof RegExp)throw new TypeError("First argument to String.prototype."+c+" must not be a regul
2024-12-18 09:58:40 UTC	1390	IN	Data Raw: 5f 68 69 64 64 65 6e 5f 22 2b 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 3b 65 28 22 66 72 65 65 7a 65 22 29 3b 65 28 22 70 72 65 76 65 6e 74 45 78 74 65 6e 73 69 6f 6e 73 22 29 3b 65 28 22 73 65 61 6c 22 29 3b 76 61 72 20 68 3d 30 2c 6b 3d 66 75 6e 63 74 69 6f 6e 28 6c 29 7b 74 68 69 73 2e 46 61 3d 28 68 2b 3d 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 2b 31 29 2e 74 6f 53 74 72 69 6e 67 28 29 3b 69 66 28 6c 29 7b 6c 3d 5f 2e 79 61 28 6c 29 3b 66 6f 72 28 76 61 72 20 6d 3b 21 28 6d 3d 6c 2e 6e 65 78 74 28 29 29 2e 64 6f 6e 65 3b 29 6d 3d 6d 2e 76 61 6c 75 65 2c 74 68 69 73 2e 73 65 74 28 6d 5b 30 5d 2c 6d 5b 31 5d 29 7d 7d 3b 6b 2e 70 72 6f 74 6f 74 79 70 65 2e 73 65 74 3d 66 75 6e 63 74 69 6f 6e 28 6c 2c 6d 29 7b 69 66 28 21 63 28 6c 29 29 74 68 72 6f 77 20 45 Data Ascii: _hidden_"+Math.random();e("freeze");e("preventExtensions");e("seal");var h=0,k=function(l){this.Fa=(h+=Math.random()+1).toString();if(l){l=_.ya(l);for(var m;!(m=l.next()).done;)m=m.value,this.set(m[0],m[1])}};k.prototype.set=function(l,m){if(!c(l))throw E
2024-12-18 09:58:40 UTC	1390	IN	Data Raw: 74 68 69 73 5b 31 5d 2e 53 6b 3d 6d 2e 5a 65 2c 74 68 69 73 2e 73 69 7a 65 2b 2b 29 3b 72 65 74 75 72 6e 20 74 68 69 73 7d 3b 63 2e 70 72 6f 74 6f 74 79 70 65 2e 64 65 6c 65 74 65 3d 66 75 6e 63 74 69 6f 6e 28 6b 29 7b 6b 3d 64 28 74 68 69 73 2c 6b 29 3b 72 65 74 75 72 6e 20 6b 2e 5a 65 26 26 6b 2e 6c 69 73 74 3f 28 6b 2e 6c 69 73 74 2e 73 70 6c 69 63 65 28 6b 2e 69 6e 64 65 78 2c 31 29 2c 6b 2e 6c 69 73 74 2e 6c 65 6e 67 74 68 7c 7c 64 65 6c 65 74 65 20 74 68 69 73 5b 30 5d 5b 6b 2e 69 64 5d 2c 6b 2e 5a 65 2e 53 6b 2e 6e 65 78 74 3d 6b 2e 5a 65 2e 6e 65 78 74 2c 6b 2e 5a 65 2e 6e 65 78 74 2e 53 6b 3d 0a 6b 2e 5a 65 2e 53 6b 2c 6b 2e 5a 65 2e 68 65 61 64 3d 6e 75 6c 6c 2c 74 68 69 73 2e 73 69 7a 65 2d 2d 2c 21 30 29 3a 21 31 7d 3b 63 2e 70 72 6f 74 6f 74 Data Ascii: this[1].Sk=m.Ze,this.size++);return this};c.prototype.delete=function(k){k=d(this,k);return k.Ze&&k.list?(k.list.splice(k.index,1),k.list.length\|\|delete this[0][k.id],k.Ze.Sk.next=k.Ze.next,k.Ze.next.Sk=k.Ze.Sk,k.Ze.head=null,this.size--,!0):!1};c.protot
2024-12-18 09:58:40 UTC	1390	IN	Data Raw: 63 74 69 6f 6e 28 29 7b 69 66 28 21 61 7c 7c 74 79 70 65 6f 66 20 61 21 3d 22 66 75 6e 63 74 69 6f 6e 22 7c 7c 21 61 2e 70 72 6f 74 6f 74 79 70 65 2e 65 6e 74 72 69 65 73 7c 7c 74 79 70 65 6f 66 20 4f 62 6a 65 63 74 2e 73 65 61 6c 21 3d 22 66 75 6e 63 74 69 6f 6e 22 29 72 65 74 75 72 6e 21 31 3b 74 72 79 7b 76 61 72 20 63 3d 4f 62 6a 65 63 74 2e 73 65 61 6c 28 7b 78 3a 34 7d 29 2c 64 3d 6e 65 77 20 61 28 5f 2e 79 61 28 5b 63 5d 29 29 3b 69 66 28 21 64 2e 68 61 73 28 63 29 7c 7c 64 2e 73 69 7a 65 21 3d 31 7c 7c 64 2e 61 64 64 28 63 29 21 3d 64 7c 7c 64 2e 73 69 7a 65 21 3d 31 7c 7c 64 2e 61 64 64 28 7b 78 3a 34 7d 29 21 3d 64 7c 7c 64 2e 73 69 7a 65 21 3d 32 29 72 65 74 75 72 6e 21 31 3b 76 61 72 20 65 3d 64 2e 65 6e 74 72 69 65 73 28 29 2c 66 3d 65 2e 6e Data Ascii: ction(){if(!a\|\|typeof a!="function"\|\|!a.prototype.entries\|\|typeof Object.seal!="function")return!1;try{var c=Object.seal({x:4}),d=new a(_.ya([c]));if(!d.has(c)\|\|d.size!=1\|\|d.add(c)!=d\|\|d.size!=1\|\|d.add({x:4})!=d\|\|d.size!=2)return!1;var e=d.entries(),f=e.n
2024-12-18 09:58:40 UTC	1390	IN	Data Raw: 72 61 79 2e 70 72 6f 74 6f 74 79 70 65 2e 65 6e 74 72 69 65 73 22 2c 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 3f 61 3a 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 46 61 28 74 68 69 73 2c 66 75 6e 63 74 69 6f 6e 28 62 2c 63 29 7b 72 65 74 75 72 6e 5b 62 2c 63 5d 7d 29 7d 7d 29 3b 0a 6d 61 28 22 41 72 72 61 79 2e 70 72 6f 74 6f 74 79 70 65 2e 6b 65 79 73 22 2c 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 3f 61 3a 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 46 61 28 74 68 69 73 2c 66 75 6e 63 74 69 6f 6e 28 62 29 7b 72 65 74 75 72 6e 20 62 7d 29 7d 7d 29 3b 6d 61 28 22 67 6c 6f 62 61 6c 54 68 69 73 22 2c 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 7c 7c 5f 2e 6c 61 7d 29 3b 6d 61 28 22 53 Data Ascii: ray.prototype.entries",function(a){return a?a:function(){return Fa(this,function(b,c){return[b,c]})}});ma("Array.prototype.keys",function(a){return a?a:function(){return Fa(this,function(b){return b})}});ma("globalThis",function(a){return a\|\|_.la});ma("S

Timestamp	Bytes transferred	Direction	Data
2024-12-18 09:58:40 UTC	714	OUT	POST /log?format=json&hasfast=true HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 905 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-platform: "Windows" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/117.0.0.0 Safari/537.36 Content-Type: application/x-www-form-urlencoded;charset=UTF-8 Accept: / Origin: chrome-untrusted://new-tab-page X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIk6HLAQj6mM0BCIWgzQEIucrNARjrjaUX Sec-Fetch-Site: cross-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-18 09:58:40 UTC	905	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 33 37 33 2c 5b 5b 22 31 37 33 34 35 31 35 39 31 37 31 36 39 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,null,null,null,null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[1,0,0,0,0]]],373,[["1734515917169",null,null,null,
2024-12-18 09:58:41 UTC	918	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: chrome-untrusted://new-tab-page Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=520=DysEIYPMtsrcxOHfl-HIE3RALebXZsTOe63cz015BE4croq04Hofl-8BdS1VTpaNjeJPvOQxmMy1D2irqtUxkbBrsZOYCfNU03rvYDv5g-x-q_6CtUT_ZcNFbBjDmGn9HfQT74xuNBRXjz465fPt-liG8PhXqOBOSqpDp0XSrfGlncM50cX_mXo; expires=Thu, 19-Jun-2025 09:58:41 GMT; path=/; domain=.google.com; HttpOnly P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Wed, 18 Dec 2024 09:58:41 GMT Server: Playlog X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Wed, 18 Dec 2024 09:58:41 GMT Cache-Control: private Connection: close Transfer-Encoding: chunked
2024-12-18 09:58:41 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-12-18 09:58:41 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-12-18 09:58:45 UTC	915	OUT	POST /log?format=json&hasfast=true HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 911 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-platform: "Windows" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/117.0.0.0 Safari/537.36 Content-Type: application/x-www-form-urlencoded;charset=UTF-8 Accept: / Origin: chrome-untrusted://new-tab-page X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIk6HLAQj6mM0BCIWgzQEIucrNARjrjaUX Sec-Fetch-Site: cross-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=520=DysEIYPMtsrcxOHfl-HIE3RALebXZsTOe63cz015BE4croq04Hofl-8BdS1VTpaNjeJPvOQxmMy1D2irqtUxkbBrsZOYCfNU03rvYDv5g-x-q_6CtUT_ZcNFbBjDmGn9HfQT74xuNBRXjz465fPt-liG8PhXqOBOSqpDp0XSrfGlncM50cX_mXo
2024-12-18 09:58:45 UTC	911	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 33 37 33 2c 5b 5b 22 31 37 33 34 35 31 35 39 32 32 34 30 39 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,null,null,null,null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[1,0,0,0,0]]],373,[["1734515922409",null,null,null,
2024-12-18 09:58:46 UTC	926	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: chrome-untrusted://new-tab-page Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=520=BlxFiJl_Tf78U0i2YSui4x-WO9YE-xsEI9uEX-ldZGyuW3hvktTykZi1865_H78FFMiypPjGLOaHcps9B2sGPfNPEFu3kxLb-NNBEH5Y0wVsBgPaoiaDUxTOGYgj3M79OFw8i86LeKx5IBdXCzURbqpi9PoQDuOPB0SnZ7uI0tukTPKi2SoGNEmeNzWrBGc; expires=Thu, 19-Jun-2025 09:58:46 GMT; path=/; domain=.google.com; HttpOnly P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Wed, 18 Dec 2024 09:58:46 GMT Server: Playlog X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Wed, 18 Dec 2024 09:58:46 GMT Cache-Control: private Connection: close Transfer-Encoding: chunked
2024-12-18 09:58:46 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-12-18 09:58:46 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-12-18 09:58:54 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 47 6a 67 44 62 6c 44 76 4d 30 75 6f 6f 47 75 5a 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 34 38 34 31 36 39 35 35 31 30 30 64 36 34 37 30 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: GjgDblDvM0uooGuZ.1Context: 48416955100d6470
2024-12-18 09:58:54 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-12-18 09:58:54 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 47 6a 67 44 62 6c 44 76 4d 30 75 6f 6f 47 75 5a 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 34 38 34 31 36 39 35 35 31 30 30 64 36 34 37 30 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 63 4c 35 72 65 4e 45 4c 48 77 54 6d 2b 42 31 4f 2b 6e 41 61 4e 75 35 49 74 5a 66 6f 4f 30 5a 68 46 7a 36 48 54 32 51 50 52 6b 5a 59 65 52 35 6e 41 66 6d 43 6f 46 62 34 36 46 50 49 72 73 76 30 64 5a 73 73 57 58 41 4b 76 43 33 6c 49 62 4c 39 79 73 34 39 31 37 6d 51 5a 71 56 59 37 70 6e 32 41 48 39 51 70 70 37 61 7a 6a 78 52 51 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: GjgDblDvM0uooGuZ.2Context: 48416955100d6470<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAcL5reNELHwTm+B1O+nAaNu5ItZfoO0ZhFz6HT2QPRkZYeR5nAfmCoFb46FPIrsv0dZssWXAKvC3lIbL9ys4917mQZqVY7pn2AH9Qpp7azjxRQ
2024-12-18 09:58:54 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 47 6a 67 44 62 6c 44 76 4d 30 75 6f 6f 47 75 5a 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 34 38 34 31 36 39 35 35 31 30 30 64 36 34 37 30 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: GjgDblDvM0uooGuZ.3Context: 48416955100d6470<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2024-12-18 09:58:55 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-12-18 09:58:55 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 66 61 72 75 7a 7a 76 6f 66 55 71 54 58 32 2b 73 64 53 45 36 41 77 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: faruzzvofUqTX2+sdSE6Aw.0Payload parsing failed.

Timestamp	Bytes transferred	Direction	Data
2024-12-18 09:59:14 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 32 47 58 59 38 4a 4f 36 62 30 79 41 2f 50 49 70 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 33 66 62 33 36 31 37 33 35 35 33 37 30 30 63 65 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: 2GXY8JO6b0yA/PIp.1Context: 3fb36173553700ce
2024-12-18 09:59:14 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-12-18 09:59:14 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 32 47 58 59 38 4a 4f 36 62 30 79 41 2f 50 49 70 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 33 66 62 33 36 31 37 33 35 35 33 37 30 30 63 65 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 63 4c 35 72 65 4e 45 4c 48 77 54 6d 2b 42 31 4f 2b 6e 41 61 4e 75 35 49 74 5a 66 6f 4f 30 5a 68 46 7a 36 48 54 32 51 50 52 6b 5a 59 65 52 35 6e 41 66 6d 43 6f 46 62 34 36 46 50 49 72 73 76 30 64 5a 73 73 57 58 41 4b 76 43 33 6c 49 62 4c 39 79 73 34 39 31 37 6d 51 5a 71 56 59 37 70 6e 32 41 48 39 51 70 70 37 61 7a 6a 78 52 51 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: 2GXY8JO6b0yA/PIp.2Context: 3fb36173553700ce<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAcL5reNELHwTm+B1O+nAaNu5ItZfoO0ZhFz6HT2QPRkZYeR5nAfmCoFb46FPIrsv0dZssWXAKvC3lIbL9ys4917mQZqVY7pn2AH9Qpp7azjxRQ
2024-12-18 09:59:14 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 32 47 58 59 38 4a 4f 36 62 30 79 41 2f 50 49 70 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 33 66 62 33 36 31 37 33 35 35 33 37 30 30 63 65 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: 2GXY8JO6b0yA/PIp.3Context: 3fb36173553700ce<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2024-12-18 09:59:14 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-12-18 09:59:14 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 65 6d 32 33 52 74 61 4a 4b 6b 57 4e 4c 59 35 6c 48 4c 37 4b 2b 77 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: em23RtaJKkWNLY5lHL7K+w.0Payload parsing failed.

Timestamp	Bytes transferred	Direction	Data
2024-12-18 09:59:40 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 54 47 78 36 77 37 72 79 72 6b 79 34 76 56 45 46 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 63 62 66 38 61 65 37 33 38 34 64 64 33 37 63 36 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: TGx6w7ryrky4vVEF.1Context: cbf8ae7384dd37c6
2024-12-18 09:59:40 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-12-18 09:59:40 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 54 47 78 36 77 37 72 79 72 6b 79 34 76 56 45 46 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 63 62 66 38 61 65 37 33 38 34 64 64 33 37 63 36 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 63 4c 35 72 65 4e 45 4c 48 77 54 6d 2b 42 31 4f 2b 6e 41 61 4e 75 35 49 74 5a 66 6f 4f 30 5a 68 46 7a 36 48 54 32 51 50 52 6b 5a 59 65 52 35 6e 41 66 6d 43 6f 46 62 34 36 46 50 49 72 73 76 30 64 5a 73 73 57 58 41 4b 76 43 33 6c 49 62 4c 39 79 73 34 39 31 37 6d 51 5a 71 56 59 37 70 6e 32 41 48 39 51 70 70 37 61 7a 6a 78 52 51 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: TGx6w7ryrky4vVEF.2Context: cbf8ae7384dd37c6<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAcL5reNELHwTm+B1O+nAaNu5ItZfoO0ZhFz6HT2QPRkZYeR5nAfmCoFb46FPIrsv0dZssWXAKvC3lIbL9ys4917mQZqVY7pn2AH9Qpp7azjxRQ
2024-12-18 09:59:40 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 54 47 78 36 77 37 72 79 72 6b 79 34 76 56 45 46 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 63 62 66 38 61 65 37 33 38 34 64 64 33 37 63 36 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: TGx6w7ryrky4vVEF.3Context: cbf8ae7384dd37c6<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2024-12-18 09:59:41 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-12-18 09:59:41 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 5a 61 52 6f 6e 39 5a 54 4d 6b 57 7a 4c 4c 79 68 67 37 6e 76 51 77 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: ZaRon9ZTMkWzLLyhg7nvQw.0Payload parsing failed.

Timestamp	Bytes transferred	Direction	Data
2024-12-18 10:00:08 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 6c 43 77 4e 36 38 71 62 70 6b 57 6f 59 67 67 66 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 32 35 66 38 66 37 39 36 62 64 36 31 66 37 39 33 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: lCwN68qbpkWoYggf.1Context: 25f8f796bd61f793
2024-12-18 10:00:08 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-12-18 10:00:08 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 6c 43 77 4e 36 38 71 62 70 6b 57 6f 59 67 67 66 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 32 35 66 38 66 37 39 36 62 64 36 31 66 37 39 33 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 63 4c 35 72 65 4e 45 4c 48 77 54 6d 2b 42 31 4f 2b 6e 41 61 4e 75 35 49 74 5a 66 6f 4f 30 5a 68 46 7a 36 48 54 32 51 50 52 6b 5a 59 65 52 35 6e 41 66 6d 43 6f 46 62 34 36 46 50 49 72 73 76 30 64 5a 73 73 57 58 41 4b 76 43 33 6c 49 62 4c 39 79 73 34 39 31 37 6d 51 5a 71 56 59 37 70 6e 32 41 48 39 51 70 70 37 61 7a 6a 78 52 51 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: lCwN68qbpkWoYggf.2Context: 25f8f796bd61f793<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAcL5reNELHwTm+B1O+nAaNu5ItZfoO0ZhFz6HT2QPRkZYeR5nAfmCoFb46FPIrsv0dZssWXAKvC3lIbL9ys4917mQZqVY7pn2AH9Qpp7azjxRQ
2024-12-18 10:00:08 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 6c 43 77 4e 36 38 71 62 70 6b 57 6f 59 67 67 66 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 32 35 66 38 66 37 39 36 62 64 36 31 66 37 39 33 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: lCwN68qbpkWoYggf.3Context: 25f8f796bd61f793<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2024-12-18 10:00:09 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-12-18 10:00:09 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 38 76 63 46 47 31 6f 6d 59 30 61 51 38 4b 2b 34 36 55 68 4f 57 77 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: 8vcFG1omY0aQ8K+46UhOWw.0Payload parsing failed.

Target ID:	0
Start time:	04:58:13
Start date:	18/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\urS3jQ9qb5.jar"" >> C:\cmdlinestart.log 2>&1
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report urS3jQ9qb5.jar

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Oracle\Java\.oracle_jre_usage\b5820291038aa69c.timestamp

C:\Users\user\AppData\Local\Microsoft\724536.zip

C:\Users\user\AppData\Local\Microsoft\724536\Browsers\Microsoft Edge\cookie.txt (copy)

C:\Users\user\AppData\Local\Microsoft\724536\Game\craftrise.txt

C:\Users\user\AppData\Local\Microsoft\724536\Game\sonoyuncu.txt

C:\Users\user\AppData\Local\Microsoft\724536\screenshot.png

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\0dd1aa5d-ef03-411c-bd50-c643a5d48d7f.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\89618a08-e929-45ed-a3f0-2e3da3e4a9c1.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-67629CB8-FF4.pma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\3a194add-b9e0-4cfa-b0c9-3d7108ebeb7c.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\AdPlatform\auto_show_data.db\000001.dbtmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\AdPlatform\auto_show_data.db\000003.log

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\AdPlatform\auto_show_data.db\CURRENT (copy)

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\AdPlatform\auto_show_data.db\LOG

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\AdPlatform\auto_show_data.db\MANIFEST-000001

Windows Analysis Report
urS3jQ9qb5.jar

Target ID:	3
Start time:	04:58:15
Start date:	18/12/2024
Path:	C:\Windows\SysWOW64\icacls.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Imagebase:	0x810000
File size:	29'696 bytes
MD5 hash:	2E49585E4E08565F52090B144062F97E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	9
Start time:	04:58:16
Start date:	18/12/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9222 --remote-allow-origins=* --headless=new "--user-data-dir=C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --profile-directory=Default
Imagebase:	0x7ff715da0000
File size:	4'210'216 bytes
MD5 hash:	BF154738460E4AB1D388970E1AB13FAB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	13
Start time:	04:58:17
Start date:	18/12/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --mojo-platform-channel-handle=2160 --field-trial-handle=2052,i,8316993096475149264,6081251299301412000,262144 --disable-features=PaintHolding /prefetch:3
Imagebase:	0x7ff715da0000
File size:	4'210'216 bytes
MD5 hash:	BF154738460E4AB1D388970E1AB13FAB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	15
Start time:	04:58:21
Start date:	18/12/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --mojo-platform-channel-handle=6580 --field-trial-handle=2052,i,8316993096475149264,6081251299301412000,262144 --disable-features=PaintHolding /prefetch:8
Imagebase:	0x7ff715da0000
File size:	4'210'216 bytes
MD5 hash:	BF154738460E4AB1D388970E1AB13FAB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	18
Start time:	04:58:22
Start date:	18/12/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --mojo-platform-channel-handle=7076 --field-trial-handle=2052,i,8316993096475149264,6081251299301412000,262144 --disable-features=PaintHolding /prefetch:8
Imagebase:	0x7ff6f2da0000
File size:	1'255'976 bytes
MD5 hash:	F8CEC3E43A6305AC9BA3700131594306
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	20
Start time:	04:58:23
Start date:	18/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe
Imagebase:	0x180000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	22
Start time:	04:58:24
Start date:	18/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe
Imagebase:	0x180000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	25
Start time:	04:58:27
Start date:	18/12/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Google\Chrome\User Data" --mojo-platform-channel-handle=2116 --field-trial-handle=2024,i,13611784778153370748,11681789006057499304,262144 --disable-features=PaintHolding /prefetch:8
Imagebase:	0x7ff684c40000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	27
Start time:	04:58:33
Start date:	18/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe
Imagebase:	0x180000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	29
Start time:	04:58:34
Start date:	18/12/2024
Path:	C:\Windows\SysWOW64\HOSTNAME.EXE
Wow64 process (32bit):	true
Commandline:	hostname
Imagebase:	0xc80000
File size:	11'776 bytes
MD5 hash:	B1C51FED46434CF91E65C7B605F8EF3A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true