Edit tour

Windows Analysis Report
Renewal.exe

Overview

General Information

Sample name:	Renewal.exe
Analysis ID:	1370152
MD5:	e7457fc1fecac4151a1d49b54cf3acd5
SHA1:	cca952ab905f83550a9d4b2cafec99b4e6e2bb17
SHA256:	ccc064b8982473125fd5e30f787d621bd682ffdaa7a6dc5e515a1120bb4c1250
Infos:

Detection

Score:	3
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses insecure TLS / SSL version for HTTPS connection

Classification

Process Tree

System is w10x64

Renewal.exe (PID: 4508 cmdline: C:\Users\user\Desktop\Renewal.exe MD5: E7457FC1FECAC4151A1D49B54CF3ACD5)

chrome.exe (PID: 3452 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=Renewal.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 4052 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2540 --field-trial-handle=2364,i,3433059245063578953,17793063878387418449,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7468 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=Renewal.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7728 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 --field-trial-handle=2028,i,5267686039598994631,3060138403470109992,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=Renewal.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0	HTTP Parser: No favicon
Source: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=Renewal.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0	HTTP Parser: No favicon
Source: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=Renewal.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0	HTTP Parser: No favicon
Source: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=Renewal.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0	HTTP Parser: No favicon

Source: Renewal.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49785 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 23.1.244.180:443 -> 192.168.2.5:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.1.244.180:443 -> 192.168.2.5:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.5:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.5:49796 version: TLS 1.2

Source: Renewal.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \Renewal\obj\Debug\Renewal.pdb4FNF @F_CorExeMainmscoree.dll source: Renewal.exe
Source:	Binary string: \Renewal\obj\Debug\Renewal.pdb source: Renewal.exe

Source: Joe Sandbox View	IP Address: 13.107.213.57 13.107.213.57
Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250

Source: Joe Sandbox View	JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49785 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.244.180
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.244.180
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.244.180
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.244.180
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.244.180
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.244.180
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.244.180
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.244.180
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.244.180
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.244.180
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.244.180
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.244.180
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.244.180
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.244.180
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.244.180
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.244.180
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.244.180
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.244.180
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.244.180
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50

Source: global traffic	HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=117.0.5938.132&lang=en-US&acceptformat=crx3,puff&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26brand%3DONGR%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmiedaX-Goog-Update-Updater: chromecrx-117.0.5938.132Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /scripts/c/ms.jsll-3.min.js HTTP/1.1Host: js.monitor.azure.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://learn.microsoft.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /mscc/lib/v2/wcp-consent.js HTTP/1.1Host: wcpstatic.microsoft.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://learn.microsoft.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=bwRtW6N881YGmLR&MD=aOu5faNG HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=bwRtW6N881YGmLR&MD=aOu5faNG HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /tools/pso/ping?as=chrome&brand=ONGR&pid=&hl=en&events=C1I,C2I,C7I,C1S,C7S&rep=2&rlz=C1:,C2:,C7:&id=000000000000000000000000000000000000000040896C04EA HTTP/1.1Host: clients1.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br

Source: chromecache_87.4.dr	String found in binary or memory: href="https://www.facebook.com/sharer/sharer.php?u=${l}" equals www.facebook.com (Facebook)
Source: chromecache_87.4.dr	String found in binary or memory: href="https://www.linkedin.com/cws/share?url=${l}" equals www.linkedin.com (Linkedin)
Source: chromecache_87.4.dr	String found in binary or memory: href="https://www.linkedin.com/cws/share?url=${encodeURIComponent(t)}&text=${encodeURIComponent(VC.replace("{credentialName}",e.title))}" equals www.linkedin.com (Linkedin)
Source: chromecache_87.4.dr	String found in binary or memory: </div>`,i};function n(s){if(s.parentElement?.classList.contains("is-active")){let i=s.getAttribute("id"),a=Number(s.dataset.totalItems),l=e.querySelector(".card-footer");t?.setAttribute("id",`${i}-card-content-container`);let c=Array.from(e.querySelectorAll(".is-expanded"));c.length!==0&&c.forEach(u=>u.classList.remove("is-expanded")),a>3?l\|\|t?.parentNode?.insertBefore(r(i\|\|""),t?.nextSibling):l&&l.remove()}}o.forEach(s=>{n(s),new MutationObserver(()=>{n(s)}).observe(s,{attributes:!0,attributeFilter:["aria-selected","tabindex"]})})}var e3e;function t3e(){let e=document.getElementById("share-to-linkedin-profile");e&&e.addEventListener("click",t=>{let o=t.currentTarget,r=JSON.parse(o.dataset.credential),n=document.createElement("div"),s=Zpt(r);x(s,n),e3e=new ge(n),e3e.show();let i=document.getElementById("share-to-feed-button"),a=document.getElementById("linkedin-feed-message"),l=new URL(decodeURI(i.getAttribute("href")));a.onchange=()=>{l.searchParams.set("text",a.value),i.setAttribute("href",l.toString())}})}function Zpt(e){let t=encodeURI(`https://${location.host}/api/credentials/share/${h.data.userLocale}/${S.userName}/${e?.credentialId}?sharingId=${S.sharingId}`),o=1035,r=i=>new Date(i).getFullYear(),n=i=>new Date(i).getMonth()+1,s=encodeURI(`https://www.linkedin.com/profile/add?startTask=CERTIFICATION_NAME&name=${e.title}&organizationId=${o}&issueYear=${r(e.awardedOn)}&issueMonth=${n(e.awardedOn)}&expirationYear=${e.expiresOn?r(e.expiresOn):""}&expirationMonth=${e.expiresOn?n(e.expiresOn):""}&certUrl=${t}&certId=${e.credentialId}&skills=${e.skills?`${e.skills.map(i=>encodeURIComponent(i)).join(",")}`:""}`);return d` equals www.linkedin.com (Linkedin)
Source: chromecache_87.4.dr	String found in binary or memory: `};function Uet(e){let t=Array.from(e.querySelectorAll('iframe[src^="https://channel9.msdn.com/"]'));t.length&&t.forEach(o=>{let r=o.src.split("/"),n=r[r.length-2],s=`${w$}: ${n}`;o.title=o.title\|\|s})}function zet(e){let t=Array.from(e.querySelectorAll('iframe[src^="https://www.youtube"]'));t.length&&t.forEach(o=>{let r=o.src.split("/").pop(),n=`${w$}: ${r}`;o.title=o.title\|\|n})}function Het(e){let t=[],o=[];window.addEventListener("beforeprint",()=>{Array.from(e.querySelectorAll(".embeddedvideo iframe")).forEach(n=>{if(n.offsetParent!==null){let s=n.src,i=document.createElement("a");i.href=s,i.target="_blank",i.text=s,n.parentElement.appendChild(i),n.hidden=!0,t.push(n),o.push(i)}})}),window.addEventListener("afterprint",()=>{t.forEach(r=>r.hidden=!1),o.forEach(r=>r.remove()),t=[],o=[]})}var Bet=e=>{let t=new URL(e);return t.protocol="https",t.host.localeCompare("channel9.msdn.com",void 0,{sensitivity:"base"})===0?t.searchParams.set("nocookie","true"):(t.host.localeCompare("youtube.com",void 0,{sensitivity:"base"})===0\|\|t.host.localeCompare("www.youtube.com",void 0,{sensitivity:"base"})===0)&&(t.host="www.youtube-nocookie.com"),t.href};function YR(e){zet(e),Uet(e),Het(e)}var J$e=(e,t)=>{let o=t\|\|Mu;return d`<div class="embeddedvideo"> equals www.youtube.com (Youtube)
Source: chromecache_87.4.dr	String found in binary or memory: `)}`,y=encodeURIComponent(`https://${W.host}/api/achievements/share/${h.data.userLocale}/${S.userName}/${m.id}?sharingId=${S.sharingId}`),v=f==="badge"?"MSLearnBadge":f==="trophy"?"MSLearnTrophy":"";return{linkedIn:{href:`https://www.linkedin.com/feed/?shareUrl=${y}&shareActive=true&text=${b}`},email:{href:`mailto:?subject=${_}&body=${b}${y}`},twitter:{href:`https://twitter.com/share?url=${y}&text=${b}&hashtags=${v}`},facebook:{href:`https://www.facebook.com/sharer/sharer.php?u=${y}&quote=${b}&hashtag=${v}`},copy:{href:y}}}let p=d` equals www.facebook.com (Facebook)
Source: chromecache_87.4.dr	String found in binary or memory: `)}`,y=encodeURIComponent(`https://${W.host}/api/achievements/share/${h.data.userLocale}/${S.userName}/${m.id}?sharingId=${S.sharingId}`),v=f==="badge"?"MSLearnBadge":f==="trophy"?"MSLearnTrophy":"";return{linkedIn:{href:`https://www.linkedin.com/feed/?shareUrl=${y}&shareActive=true&text=${b}`},email:{href:`mailto:?subject=${_}&body=${b}${y}`},twitter:{href:`https://twitter.com/share?url=${y}&text=${b}&hashtags=${v}`},facebook:{href:`https://www.facebook.com/sharer/sharer.php?u=${y}&quote=${b}&hashtag=${v}`},copy:{href:y}}}let p=d` equals www.linkedin.com (Linkedin)
Source: chromecache_87.4.dr	String found in binary or memory: `)}`,y=encodeURIComponent(`https://${W.host}/api/achievements/share/${h.data.userLocale}/${S.userName}/${m.id}?sharingId=${S.sharingId}`),v=f==="badge"?"MSLearnBadge":f==="trophy"?"MSLearnTrophy":"";return{linkedIn:{href:`https://www.linkedin.com/feed/?shareUrl=${y}&shareActive=true&text=${b}`},email:{href:`mailto:?subject=${_}&body=${b}${y}`},twitter:{href:`https://twitter.com/share?url=${y}&text=${b}&hashtags=${v}`},facebook:{href:`https://www.facebook.com/sharer/sharer.php?u=${y}&quote=${b}&hashtag=${v}`},copy:{href:y}}}let p=d` equals www.twitter.com (Twitter)

Source: unknown

DNS traffic detected: queries for: clients2.google.com

Source: unknown

HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=511=Ef5vPFGw-MZYo5hwe-0ThAVslbxbmvdVZwcHnqVzWHAU14v53MN1VvwvQq8baYfg2-IAtqZBV5NOL5rvj2NWIqrz377UhLdHtOgE-tJaBlUBYJEhuGsQdqni3oTJg0brqv1djdiLJyvTSUhdK-c5JWadCSsULPLzhSx-F-6wOg4

Source: chromecache_87.4.dr	String found in binary or memory: http://polymer.github.io/AUTHORS.txt
Source: chromecache_87.4.dr	String found in binary or memory: http://polymer.github.io/CONTRIBUTORS.txt
Source: chromecache_87.4.dr	String found in binary or memory: http://polymer.github.io/LICENSE.txt
Source: chromecache_87.4.dr	String found in binary or memory: http://polymer.github.io/PATENTS.txt
Source: chromecache_112.4.dr	String found in binary or memory: http://schema.org/Organization
Source: chromecache_98.4.dr	String found in binary or memory: https://aka.ms/3rdpartycookies
Source: chromecache_87.4.dr	String found in binary or memory: https://aka.ms/certhelp
Source: chromecache_112.4.dr	String found in binary or memory: https://aka.ms/feedback/report?space=61
Source: chromecache_87.4.dr	String found in binary or memory: https://aka.ms/ignitecsc?ocid=ignite23_CSC_bbanner_cnl
Source: chromecache_93.4.dr, chromecache_95.4.dr	String found in binary or memory: https://aka.ms/ignitecsc?ocid=ignite23_CSC_sbanner2_cnl
Source: chromecache_87.4.dr	String found in binary or memory: https://aka.ms/pshelpmechoose
Source: chromecache_112.4.dr	String found in binary or memory: https://aka.ms/yourcaliforniaprivacychoices
Source: chromecache_112.4.dr	String found in binary or memory: https://authoring-docs-microsoft.poolparty.biz/devrel/69c76c32-967e-4c65-b89a-74cc527db725
Source: chromecache_112.4.dr	String found in binary or memory: https://authoring-docs-microsoft.poolparty.biz/devrel/7696cda6-0510-47f6-8302-71bb5d2e28cf
Source: chromecache_87.4.dr	String found in binary or memory: https://channel9.msdn.com/
Source: chromecache_87.4.dr	String found in binary or memory: https://github.com/$
Source: chromecache_112.4.dr	String found in binary or memory: https://github.com/Thraka
Source: chromecache_112.4.dr	String found in binary or memory: https://github.com/Youssef1313
Source: chromecache_112.4.dr	String found in binary or memory: https://github.com/adegeo
Source: chromecache_112.4.dr	String found in binary or memory: https://github.com/dotnet/docs/blob/17c4acca45e573a92878a44a2cce57d699fe9c7c/docs/framework/install/
Source: chromecache_112.4.dr	String found in binary or memory: https://github.com/dotnet/docs/blob/live/docs/framework/install/application-not-started.md
Source: chromecache_112.4.dr	String found in binary or memory: https://github.com/dotnet/docs/blob/main/docs/framework/install/application-not-started.md
Source: chromecache_112.4.dr	String found in binary or memory: https://github.com/dotnet/docs/issues
Source: chromecache_112.4.dr	String found in binary or memory: https://github.com/dotnet/docs/issues/new?template=customer-feedback.yml
Source: chromecache_87.4.dr	String found in binary or memory: https://github.com/dotnet/try
Source: chromecache_112.4.dr	String found in binary or memory: https://github.com/gewarren
Source: chromecache_87.4.dr	String found in binary or memory: https://github.com/jonschlinkert/is-plain-object
Source: chromecache_87.4.dr, chromecache_94.4.dr	String found in binary or memory: https://github.com/js-cookie/js-cookie
Source: chromecache_112.4.dr	String found in binary or memory: https://github.com/mairaw
Source: chromecache_112.4.dr	String found in binary or memory: https://github.com/nschonni
Source: chromecache_112.4.dr	String found in binary or memory: https://js.monitor.azure.com/scripts/c/ms.jsll-3.min.js
Source: chromecache_87.4.dr	String found in binary or memory: https://labclient.labondemand.com
Source: chromecache_87.4.dr	String found in binary or memory: https://learn-video.azurefd.net/
Source: chromecache_87.4.dr	String found in binary or memory: https://learn-video.azurefd.net/vod/player
Source: chromecache_87.4.dr	String found in binary or memory: https://learn-video.azurefd.net/vod/player?id=235e7a95-82c6-4693-859f-2ab7597ab168&embedUrl=%2ftrain
Source: chromecache_87.4.dr	String found in binary or memory: https://learn-video.azurefd.net/vod/player?id=b7179148-9d19-41b1-ad18-fb7f0d1dad97&embedUrl=%2ftrain
Source: chromecache_87.4.dr	String found in binary or memory: https://management.azure.com/providers/Microsoft.Portal/consoles/default?api-version=2017-12-01-prev
Source: chromecache_87.4.dr	String found in binary or memory: https://management.azure.com/providers/Microsoft.Portal/userSettings/cloudconsole?api-version=2017-0
Source: chromecache_87.4.dr	String found in binary or memory: https://management.azure.com/subscriptions?api-version=2016-06-01
Source: chromecache_87.4.dr	String found in binary or memory: https://octokit.github.io/rest.js/#throttling
Source: chromecache_87.4.dr	String found in binary or memory: https://schema.org
Source: chromecache_87.4.dr	String found in binary or memory: https://twitter.com/intent/tweet?original_referer=$
Source: chromecache_87.4.dr	String found in binary or memory: https://twitter.com/share?url=$
Source: chromecache_87.4.dr	String found in binary or memory: https://www.linkedin.com/cws/share?url=$
Source: chromecache_87.4.dr	String found in binary or memory: https://www.linkedin.com/feed/?shareUrl=$
Source: chromecache_87.4.dr	String found in binary or memory: https://www.linkedin.com/profile/add?startTask=CERTIFICATION_NAME&name=$

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49802

Source: unknown	HTTPS traffic detected: 23.1.244.180:443 -> 192.168.2.5:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.1.244.180:443 -> 192.168.2.5:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.5:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.5:49796 version: TLS 1.2

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Windows\SystemTemp\chrome_BITS_3452_1450416276

Jump to behavior

Source: Renewal.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Renewal.exe

Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: Renewal.exe

Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: classification engine

Classification label: clean3.winEXE@24/42@18/8

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Jump to behavior

Source: Renewal.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\Renewal.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Renewal.exe C:\Users\user\Desktop\Renewal.exe
Source: C:\Users\user\Desktop\Renewal.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=Renewal.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2540 --field-trial-handle=2364,i,3433059245063578953,17793063878387418449,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\Desktop\Renewal.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=Renewal.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 --field-trial-handle=2028,i,5267686039598994631,3060138403470109992,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\Desktop\Renewal.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=Renewal.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0	Jump to behavior
Source: C:\Users\user\Desktop\Renewal.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=Renewal.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2540 --field-trial-handle=2364,i,3433059245063578953,17793063878387418449,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 --field-trial-handle=2028,i,5267686039598994631,3060138403470109992,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior

Source: C:\Users\user\Desktop\Renewal.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32

Jump to behavior

Source: Google Drive.lnk.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Renewal.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Renewal.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Renewal.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: \Renewal\obj\Debug\Renewal.pdb4FNF @F_CorExeMainmscoree.dll source: Renewal.exe
Source:	Binary string: \Renewal\obj\Debug\Renewal.pdb source: Renewal.exe

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Source: C:\Users\user\Desktop\Renewal.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=Renewal.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0			Jump to behavior
Source: C:\Users\user\Desktop\Renewal.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=Renewal.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0			Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
Valid Accounts	Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	11 Process Injection	11 Masquerading	OS Credential Dumping	1 System Information Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	11 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	3 Non-Application Layer Protocol	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	4 Application Layer Protocol			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	1 Ingress Tool Transfer			Data Destruction	Virtual Private Server	Employee Names

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
http://polymer.github.io/CONTRIBUTORS.txt	0%	Avira URL Cloud	safe
http://polymer.github.io/AUTHORS.txt	0%	Avira URL Cloud	safe
https://learn-video.azurefd.net/vod/player	0%	Avira URL Cloud	safe
https://learn-video.azurefd.net/vod/player?id=235e7a95-82c6-4693-859f-2ab7597ab168&embedUrl=%2ftrain	0%	Avira URL Cloud	safe
https://learn-video.azurefd.net/vod/player?id=b7179148-9d19-41b1-ad18-fb7f0d1dad97&embedUrl=%2ftrain	0%	Avira URL Cloud	safe
https://learn-video.azurefd.net/	0%	Avira URL Cloud	safe
http://polymer.github.io/PATENTS.txt	0%	Avira URL Cloud	safe
http://polymer.github.io/LICENSE.txt	0%	Avira URL Cloud	safe
http://polymer.github.io/AUTHORS.txt	0%	Virustotal		Browse
https://learn-video.azurefd.net/vod/player	0%	Virustotal		Browse
https://octokit.github.io/rest.js/#throttling	0%	Avira URL Cloud	safe
https://learn-video.azurefd.net/vod/player?id=235e7a95-82c6-4693-859f-2ab7597ab168&embedUrl=%2ftrain	0%	Virustotal		Browse
http://polymer.github.io/PATENTS.txt	0%	Virustotal		Browse
http://polymer.github.io/LICENSE.txt	0%	Virustotal		Browse
https://learn-video.azurefd.net/vod/player?id=b7179148-9d19-41b1-ad18-fb7f0d1dad97&embedUrl=%2ftrain	0%	Virustotal		Browse
http://polymer.github.io/CONTRIBUTORS.txt	0%	Virustotal		Browse
https://octokit.github.io/rest.js/#throttling	0%	Virustotal		Browse
https://learn-video.azurefd.net/	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
adobetarget.data.adobedc.net	63.140.36.139	true	false	unknown
accounts.google.com	142.250.115.84	true	false	high
dcs-public-edge-usw2-219535174.us-west-2.elb.amazonaws.com	52.34.144.49	true	false	high
part-0029.t-0009.t-msedge.net	13.107.213.57	true	false	unknown
www.google.com	142.251.116.104	true	false	high
clients.l.google.com	142.250.114.100	true	false	high
js.monitor.azure.com	unknown	unknown	false	high
clients1.google.com	unknown	unknown	false	high
clients2.google.com	unknown	unknown	false	high
microsoftmscompoc.tt.omtrdc.net	unknown	unknown	false	unknown
mdec.nelreports.net	unknown	unknown	false	unknown
mscom.demdex.net	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://clients1.google.com/tools/pso/ping?as=chrome&brand=ONGR&pid=&hl=en&events=C1I,C2I,C7I,C1S,C7S&rep=2&rlz=C1:,C2:,C7:&id=000000000000000000000000000000000000000040896C04EA	false	high
https://js.monitor.azure.com/scripts/c/ms.jsll-3.min.js	false	high
https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard	false	high
https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=117.0.5938.132&lang=en-US&acceptformat=crx3,puff&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26brand%3DONGR%26ping%3Dr%253D-1%2526e%253D1	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://authoring-docs-microsoft.poolparty.biz/devrel/7696cda6-0510-47f6-8302-71bb5d2e28cf	chromecache_112.4.dr	false		high
https://learn-video.azurefd.net/vod/player?id=235e7a95-82c6-4693-859f-2ab7597ab168&embedUrl=%2ftrain	chromecache_87.4.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/dotnet/docs/blob/17c4acca45e573a92878a44a2cce57d699fe9c7c/docs/framework/install/	chromecache_112.4.dr	false		high
https://www.linkedin.com/cws/share?url=$	chromecache_87.4.dr	false		high
https://github.com/Youssef1313	chromecache_112.4.dr	false		high
http://polymer.github.io/AUTHORS.txt	chromecache_87.4.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://aka.ms/3rdpartycookies	chromecache_98.4.dr	false		high
https://learn-video.azurefd.net/vod/player?id=b7179148-9d19-41b1-ad18-fb7f0d1dad97&embedUrl=%2ftrain	chromecache_87.4.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://management.azure.com/subscriptions?api-version=2016-06-01	chromecache_87.4.dr	false		high
https://labclient.labondemand.com	chromecache_87.4.dr	false		high
https://github.com/dotnet/docs/blob/main/docs/framework/install/application-not-started.md	chromecache_112.4.dr	false		high
https://aka.ms/pshelpmechoose	chromecache_87.4.dr	false		high
https://aka.ms/feedback/report?space=61	chromecache_112.4.dr	false		high
https://www.linkedin.com/feed/?shareUrl=$	chromecache_87.4.dr	false		high
https://learn-video.azurefd.net/vod/player	chromecache_87.4.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://twitter.com/intent/tweet?original_referer=$	chromecache_87.4.dr	false		high
https://github.com/gewarren	chromecache_112.4.dr	false		high
http://polymer.github.io/CONTRIBUTORS.txt	chromecache_87.4.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.linkedin.com/profile/add?startTask=CERTIFICATION_NAME&name=$	chromecache_87.4.dr	false		high
https://learn-video.azurefd.net/	chromecache_87.4.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/dotnet/docs/blob/live/docs/framework/install/application-not-started.md	chromecache_112.4.dr	false		high
https://authoring-docs-microsoft.poolparty.biz/devrel/69c76c32-967e-4c65-b89a-74cc527db725	chromecache_112.4.dr	false		high
https://management.azure.com/providers/Microsoft.Portal/consoles/default?api-version=2017-12-01-prev	chromecache_87.4.dr	false		high
https://aka.ms/ignitecsc?ocid=ignite23_CSC_bbanner_cnl	chromecache_87.4.dr	false		high
https://github.com/Thraka	chromecache_112.4.dr	false		high
https://github.com/dotnet/docs/issues	chromecache_112.4.dr	false		high
http://polymer.github.io/PATENTS.txt	chromecache_87.4.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://aka.ms/certhelp	chromecache_87.4.dr	false		high
https://github.com/mairaw	chromecache_112.4.dr	false		high
https://schema.org	chromecache_87.4.dr	false		high
http://polymer.github.io/LICENSE.txt	chromecache_87.4.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://aka.ms/yourcaliforniaprivacychoices	chromecache_112.4.dr	false		high
https://github.com/nschonni	chromecache_112.4.dr	false		high
https://github.com/dotnet/docs/issues/new?template=customer-feedback.yml	chromecache_112.4.dr	false		high
https://github.com/adegeo	chromecache_112.4.dr	false		high
https://github.com/jonschlinkert/is-plain-object	chromecache_87.4.dr	false		high
https://octokit.github.io/rest.js/#throttling	chromecache_87.4.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://management.azure.com/providers/Microsoft.Portal/userSettings/cloudconsole?api-version=2017-0	chromecache_87.4.dr	false		high
https://github.com/js-cookie/js-cookie	chromecache_87.4.dr, chromecache_94.4.dr	false		high
https://github.com/$	chromecache_87.4.dr	false		high
http://schema.org/Organization	chromecache_112.4.dr	false		high
https://channel9.msdn.com/	chromecache_87.4.dr	false		high
https://aka.ms/ignitecsc?ocid=ignite23_CSC_sbanner2_cnl	chromecache_93.4.dr, chromecache_95.4.dr	false		high
https://twitter.com/share?url=$	chromecache_87.4.dr	false		high
https://github.com/dotnet/try	chromecache_87.4.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.251.116.104	www.google.com	United States	15169	GOOGLEUS	false
52.34.144.49	dcs-public-edge-usw2-219535174.us-west-2.elb.amazonaws.com	United States	16509	AMAZON-02US	false
142.250.115.84	accounts.google.com	United States	15169	GOOGLEUS	false
142.250.114.100	clients.l.google.com	United States	15169	GOOGLEUS	false
13.107.213.57	part-0029.t-0009.t-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.115.139	unknown	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.5

General Information

Joe Sandbox version:	38.0.0 Ammolite
Analysis ID:	1370152
Start date and time:	2024-01-05 03:28:37 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Renewal.exe
Detection:	CLEAN
Classification:	clean3.winEXE@24/42@18/8
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.221.253.211, 142.250.138.94, 23.219.218.56, 34.104.35.123, 23.212.74.133, 184.28.78.183, 184.28.78.206, 142.251.116.95, 142.250.115.95, 142.250.114.95, 142.250.113.95, 142.250.138.95, 20.189.173.13, 20.42.65.90, 23.48.162.204, 23.48.162.196, 192.229.211.108, 142.251.116.94, 23.45.173.81, 23.45.173.60, 23.221.226.41
Excluded domains from analysis (whitelisted): aijscdn2.afd.azureedge.net, slscr.update.microsoft.com, clientservices.googleapis.com, browser.events.data.trafficmanager.net, learn.microsoft.com, onedscolprdeus14.eastus.cloudapp.azure.com, e11290.dspg.akamaiedge.net, mdec.nelreports.net.akamaized.net, go.microsoft.com, ocsp.digicert.com, a1883.dscd.akamai.net, learn.microsoft.com.edgekey.net, update.googleapis.com, fs.microsoft.com, target.microsoft.com, content-autofill.googleapis.com, ctldl.windowsupdate.com, learn.microsoft.com.edgekey.net.globalredir.akadns.net, firstparty-azurefd-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, aijscdn2.azureedge.net, browser.events.data.microsoft.com, edgedl.me.gvt1.com, onedscolprdwus12.westus.cloudapp.azure.com, e13636.dscb.akamaiedge.net, learn-public.trafficmanager.net, go.microsoft.com.edgekey.net, wcpstatic.microsoft.com
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
13.107.213.57	https://pub-62af56b1dbc845bd824ffe58ddaf2505.r2.dev/offlinode.html	Get hash	malicious	HTMLPhisher	Browse
	https://google.com/amp/ip182.ip-135-148-101.us/YllnQll2MlQ2a1hTK01xZHFOQmRGUmthNXpNOFM4bGRodTZCeGoyV1dyNGczTDA0UG11eGJxTGJLMU92SFZzZ2VSaTNPRU05SXNFeDllQXNoeWNzNXc9PQ__	Get hash	malicious	Unknown	Browse
	http://countryflags.io	Get hash	malicious	Unknown	Browse
	https://r20.rs6.net/tn.jsp?f=001li4RqeGHZ8qwYmafrEBmla3Ga7E7d6hyrEFrY04IgbfTxR2C0d1M-t25GQWTRzLWi3oeztkmSNT2Tp-22ACxRhevmIf2VMfgYOKK-YkOrEJSnligNe0NLBMeBHGGNrD7_85LLR0X12GrlFEgreACgpduIm6a3gqBb6ik_LDxepG-TG9luf7ms5XGNiwc4coI&c=&ch==&__=/data/bmFuY3kucm9uZ29lQHJhdmVpcy5jb20=	Get hash	malicious	HTMLPhisher	Browse
	https://trk.klclick3.com/ls/click?upn=qv6sSJ61i-2FCKcGs-2FWg5X5zSxUPH2ZrqUtgTrwIqP9tbV5nGRnmcCyzwEsyGChMEEVfcMVsKyWwCHSROXPHp2ssugEGqO5s0anA-2For84UxcDq0TVqcknxBCOK9bomYKxHZeGI_sriuaryqqdv1VntrH6X8cr710FsqQrnNUbUkxkf7x0pMSAkpeuB0WYDuTzAgnc1ypLmqKYwtOZGJRbr42WyOuUQfTu-2F4nzRvnExBDhTcsDCxAYSlvrUnKqhNu2QucwzzHnfd3nc1PaEOPnCY7lVi-2F-2FTTNyovG0zYk5qi6TlQOaMUlPhhOg1CBzrWoD-2BJCy6CeRTNCOxMmeykKFlmppbGGEqcnv1Ns33HkJq5QrEE1i7TzFrSdTciiW2xeho3yieI3kgFCvNAbW4DmtirZICDakbW9OIKR7-2BXEXF9V211cy5MWvnRyElRCDnZQGhhC4Xmy8QpWVQ1hkRUjNSqbxBIyJs0NLN-2BicHZse9nYwlxxMdUHA7kW8jSzXcgtmt4bmXpQ8CJpa3Q6l8HoWplFamAv33yszfV6dEc-2BB0CG8c2HMNZZ1XSXq7GmTl-2BvMA-2BfRvY#YnJ5b255LmdyaW1lc0B2aXJnaW5tZWRpYW8yLmNvLnVr	Get hash	malicious	HTMLPhisher	Browse
	PDFSuperHero (1).exe	Get hash	malicious	Unknown	Browse
	https://dmeodlekaed.blob.core.windows.net/dmeodlekaed/url.html#cl/8478_md/12/678/2075/430/395518	Get hash	malicious	Unknown	Browse
	seznam.cz!rak-hamburg.de!1701216000!1701302400.xml	Get hash	malicious	Unknown	Browse
	https://neon.ly/f132f836-82cf-441d-83cc-ac2dde9fb1d7	Get hash	malicious	Unknown	Browse
	https://p.feedblitz.com/t3.asp?/1081591/102442729/7821567_/~feeds.feedblitz.com/~/t/0/0/sethsblog/posts/~//trk.klclick2.com/ls/click?upn=HVRWduvhL1zapb3BWQOCNk56kKLaZN2NWyuuAuFxgIz8zMiQxnawrj2-2FFp7gbcQnyWrOdGbOqFj-2FZgkAzyq-2BC8khjhjfMbBT9dGWSJRNZI03JhXEl1PVjz9DwJY0pvjIWHbttWgqwTZC6g51Xo9ipGls7VH82Bc77cvYM1wSwlM-3Dhsu-_UQf6CZtgTiGkpBx1ujDHnZAntAuJNxWSG9pjq-2BiEMRDParvahGK2lvPcgi8z-2B-2BWUg4E10bFWhVQPx2J677B6FP8yx0-2FJysvwueXTDlekc4fuJqc9eTKiFd28lcyexC81Cqlaf8OneDq0RQqpzSs3OrNXYkcO5BGQ0-2Bvj-2BMgtvx9EU5ceWacKEsrgo34D-2BvQlfVKavXIJnXz55AiUSDivcOKyMMkM77dkhlnU-2Fwhqfd9sgtV5U5QT43TnSbZVQbSpb6JM5Fd-2B9zjF7ujAa-2BmGKp80xEnPvX0pprbw2q6dePK-2Fn-2FOxE0W-2Fd2ibbASB-2BOpeh70-2F-2FM4Apmxghfiw9-2FaXl4pMadZgZf5tgK06pK1jU3LWhF-2FesHp6BuC4Zm6NA2siQYaKh1PINuPYtQTQ71r8gsRavODOVonVqF9fhuZTl08PrNKgQ12YYqGjBnkNreOqLUzSmcrbnQz49pZIL4H8Zw-3D-3D#YW15QHZpcnR1YWxpbnRlbGxpZ2VuY2VicmllZmluZy5jb20===8axoeifyzgmgsvofhrr=Z29vZ2xlLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse
	part2.html	Get hash	malicious	HTMLPhisher	Browse
	Inv_No. 52130316.msg	Get hash	malicious	HTMLPhisher	Browse
	https://cloudflare-ipfs.com/ipfs/bafybeia5oggkq62k6lcwbiwoetxns6qmd3ebfedk2h74zpfrdho2h3etym/	Get hash	malicious	HTMLPhisher	Browse
	https://wolimieieieieueue.pages.dev/	Get hash	malicious	HTMLPhisher	Browse
	https://pub-2d60515458664a6cad7c750e9f679d87.r2.dev/12345.html	Get hash	malicious	HTMLPhisher	Browse
	https://pub-e1054d351e574dc09ec7cadc634b739f.r2.dev/ma.html	Get hash	malicious	HTMLPhisher	Browse
	https://pub-b71c16e9ba864559ac772df2b4d9f147.r2.dev/verification.html	Get hash	malicious	HTMLPhisher	Browse
	O6fNCCdNd3.exe	Get hash	malicious	RisePro Stealer, SmokeLoader, Vidar	Browse
	https://inmailnummamnetext-paper-ab55.sr-171.workers.dev/	Get hash	malicious	Unknown	Browse
	http://feedbacks.hgdtk-sec.com/index.html	Get hash	malicious	Unknown	Browse
239.255.255.250	http://nervous-seed-snowplow.glitch.me	Get hash	malicious	Unknown	Browse
	lpk.dll	Get hash	malicious	Unknown	Browse
	http://getol.xyz/?action=register&chan=THEHUNTER	Get hash	malicious	Unknown	Browse
	https://indd.adobe.com/view/a4b3551e-fb20-4176-a450-a3d49c28e11c	Get hash	malicious	Unknown	Browse
	https://url7923.marsello.io/ls/click?upn=Xn88PJeNIL29Y2OVpP6Ui0LpID1OB9-2FQ7fdFAYW30og-3DGplJ_sZqRmnE4gRhrBPkGQNcsa9DgzygEBYPysLEudQ1VJAq74vZRJeMql8sJzU98zFljux8zkiiKazy44WmsmvEX3LjrGhAW5qE5e5HDXiuWXZ2P8OGKvis9oV40cQ1FdnJo8zESv9Jki6ESwhjWgY4joB7Epd2zEz70eg3jyvM2mBGLCWLz6OjsoyWFs-2FZo3zUssxa4GpWNSMsRc-2FEBe4IoB8C7frcim0QAsAlnmmVivO7vKPSqIp7t-2FV5fWpJQ4cjZQ8GUxUzO4rI9pAboFP1In2z0vKd-2Bqmh2msfVXa2nSqw4JidMdtStqhtINKXJmjFg	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse
	http://47.149.31.206	Get hash	malicious	Unknown	Browse
	https://38.105.25.233/	Get hash	malicious	Unknown	Browse
	https://204.44.66.107/	Get hash	malicious	Unknown	Browse
	https://156.247.14.65/	Get hash	malicious	Unknown	Browse
	https://47.252.0.216/	Get hash	malicious	Unknown	Browse
	https://ntf860f8.page.link/1srt	Get hash	malicious	Unknown	Browse
	https://indd.adobe.com/view/738ed234-d2b3-427d-925e-2e91c73bcc9c	Get hash	malicious	Unknown	Browse
	https://www.smbc-co.jp.gcguyjav5r7molqmwsxfh.kjfnb.xyz/	Get hash	malicious	Unknown	Browse
	https://66.203.159.154/	Get hash	malicious	Unknown	Browse
	https://shonetown.com/	Get hash	malicious	Unknown	Browse
	https://guangyyq.com/login	Get hash	malicious	Unknown	Browse
	https://info-d6776fd98f34bh325f.waste-service.com/verfolgung/2880408?page=037	Get hash	malicious	Unknown	Browse
	https://netflixlogin111.blogspot.com/	Get hash	malicious	Unknown	Browse
	https://trevorservices.trevor3340.workers.dev/	Get hash	malicious	HTMLPhisher	Browse
	https://bnl-tarif-transaksi.ssd-i.com/Tarif-Transaksi-BNI/	Get hash	malicious	Unknown	Browse
52.34.144.49	https://pub-7a05263f273a456bb4e5284e1a031154.r2.dev/jsnew.html	Get hash	malicious	HTMLPhisher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
adobetarget.data.adobedc.net	https://purple-ground-080c0e60f.4.azurestaticapps.net/.auth/invitations/accept	Get hash	malicious	Unknown	Browse	63.140.38.120
	https://www.fortinet.com/blog/threat-research/teamcity-intrusion-saga-apt29-suspected-exploiting-cve-2023-42793	Get hash	malicious	Unknown	Browse	63.140.36.14
	Resume_C.D.Murali.doc	Get hash	malicious	Unknown	Browse	63.140.36.121
	https://yinghuodnf.com/	Get hash	malicious	Unknown	Browse	63.140.38.149
	https://szdaoshui.com/	Get hash	malicious	Unknown	Browse	63.140.38.151
	https://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:7e2ff22d-e9ad-4bf2-9af9-8280f312d601	Get hash	malicious	Unknown	Browse	63.140.38.160
	PO#800019DOCS.exe	Get hash	malicious	Unknown	Browse	63.140.38.225
	Comprobante Fiscal Digital - d1S4S7k6l4d2D09043655750.html	Get hash	malicious	Unknown	Browse	63.140.38.123
	rpmOhktwoL.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Socks5Systemz, Stealc	Browse	63.140.38.201
	PVT_MNDREQUEST_FOR_QOUTATION_07964766IKJGDS.exe	Get hash	malicious	Unknown	Browse	63.140.38.151
	http://url4950.cardamomauction.com/ls/click?upn=egCPuzUzE3IgDlrJllQ8yUBDO8VIETbuALPBUwtYINtrfRoh4niogEH8ew5kcjpQHM6X_5oPQIRm8LVmW-2FxweY307RHB6-2FfahtC57rDiHjDqcmR3wVeFHqU860zUYKXVGazyJpxMz-2BcQ5uK-2BNpDHERkaIkSLRnnlu-2Fc6D63JAIl8JEZb1GxYrBpkUR5dGmGiZ7tVIHJtwdg2sVnEwwf6w1QvIy9Zxou6xRVLuTVo-2BvDlX32eGOdm-2FS4cfnyxoMZpQM-2FzWDOoNZbiI7Zh9oLibZCTy9w-3D-3D#offer/001mu/120/frznm/ijv/41/79	Get hash	malicious	Phisher	Browse	63.140.38.165
	https://url12.mailanyone.net/scanner?m=1rCpkc-0008eu-6Q&d=4%7Cmail%2F90%2F1702337400%2F1rCpkc-0008eu-6Q%7Cin12i%7C57e1b682%7C21208867%7C12850088%7C65779BE6B573E32E40AAA75850226809&o=%2Fphtl%3A%2Fctst.icacprkiicckpm%2Fc.opl%2Frpy.hea04%3Fr3862%3D0%3Ds2%267id4mgt4270ac%3D0%267%26AA0%3D188c%3D%26776id22pd919s8%26e00natihio%3Dnt%25sttF3A2p%25lw%252nw.iFwoike%25.cmdnmn2Fc2Fii%25klhaoacsejlmnc%25belap3c2F9%3D11%26f9%3D1%26442dv2934d2df38a02693a593d7548c5b936221619f6b9ca3059c08890c233fc&s=B5zt8KWIS6xHlUijhBDho5gJNR8	Get hash	malicious	Unknown	Browse	63.140.38.104
	1QWuKDSrfN.exe	Get hash	malicious	Neshta	Browse	63.140.38.151
	https://acrobat.adobe.com/id/urn:aaid:sc:us:017842a5-a13a-4022-a03e-af8d86316b9c	Get hash	malicious	HTMLPhisher	Browse	63.140.38.225
	http://url7816.acetaxi.com/ls/click?upn=k9eqZnPBEZmPVPka3LxS61O1ksdCJOgznvtiwccqzi2-2BneqvfCXEJ-2FQj-2BZo7snmCwDunBahf2LYhfs7qQp7-2F23xLStq-2BkxJ70xqVvyXzkWM-3D8Cie_z5TGfmB4A65PPE2hDgRdrx6OZsZ3AmrJLHJ0M9ePWeHP5QDTWsAVp117uXam9dNn-2BGSxHeP-2BInRF-2Bgy2v-2FXBPODjmLss6NRV2RYsUYD7um77hgLl0ET9pPGTHF-2BQ1m6-2Fw7-2B-2B9DJOpakZj874YLC8uUep0F7rZMDlM46gmHmQqqAeCV477M0h2b07T2IcXu0hzUcKftN0UG2jhPq8qo00cQl0gvOLl-2BjChyaOdLpENao-3D	Get hash	malicious	Unknown	Browse	63.140.38.128
	http://arsyology.xyz/gYefq09	Get hash	malicious	Unknown	Browse	63.140.38.201
	https://smbbc-static.top/mem/index.html	Get hash	malicious	Unknown	Browse	63.140.38.113
	Alyssa M Juris Please Confirm Subscription.msg	Get hash	malicious	Unknown	Browse	63.140.38.160
	5sL4tK1.exe	Get hash	malicious	Glupteba, LummaC Stealer, RedLine, SmokeLoader, Xmrig, zgRAT	Browse	63.140.38.151
	3WK60hS.exe	Get hash	malicious	LummaC Stealer, Petite Virus, RedLine, SmokeLoader, zgRAT	Browse	63.140.38.12
part-0029.t-0009.t-msedge.net	https://mikro-six.vercel.app/	Get hash	malicious	HTMLPhisher	Browse	13.107.246.57
	https://drive.google.com/file/d/1FES-ilIgDK8aY-l0WDjuU_r-5xHYO257/view?usp=sharing_eip_m&ts=658b61c4&sh=G9iUz3WHSlBcIUFB&ca=1&exids=71685779,71685773	Get hash	malicious	Unknown	Browse	13.107.246.57
	https://pub-62af56b1dbc845bd824ffe58ddaf2505.r2.dev/offlinode.html	Get hash	malicious	HTMLPhisher	Browse	13.107.246.57
	https://google.com/amp/ip182.ip-135-148-101.us/YllnQll2MlQ2a1hTK01xZHFOQmRGUmthNXpNOFM4bGRodTZCeGoyV1dyNGczTDA0UG11eGJxTGJLMU92SFZzZ2VSaTNPRU05SXNFeDllQXNoeWNzNXc9PQ__	Get hash	malicious	Unknown	Browse	13.107.213.57
	http://countryflags.io	Get hash	malicious	Unknown	Browse	13.107.213.57
	https://r20.rs6.net/tn.jsp?f=001li4RqeGHZ8qwYmafrEBmla3Ga7E7d6hyrEFrY04IgbfTxR2C0d1M-t25GQWTRzLWi3oeztkmSNT2Tp-22ACxRhevmIf2VMfgYOKK-YkOrEJSnligNe0NLBMeBHGGNrD7_85LLR0X12GrlFEgreACgpduIm6a3gqBb6ik_LDxepG-TG9luf7ms5XGNiwc4coI&c=&ch==&__=/data/bmFuY3kucm9uZ29lQHJhdmVpcy5jb20=	Get hash	malicious	HTMLPhisher	Browse	13.107.246.57
	https://trk.klclick3.com/ls/click?upn=qv6sSJ61i-2FCKcGs-2FWg5X5zSxUPH2ZrqUtgTrwIqP9tbV5nGRnmcCyzwEsyGChMEEVfcMVsKyWwCHSROXPHp2ssugEGqO5s0anA-2For84UxcDq0TVqcknxBCOK9bomYKxHZeGI_sriuaryqqdv1VntrH6X8cr710FsqQrnNUbUkxkf7x0pMSAkpeuB0WYDuTzAgnc1ypLmqKYwtOZGJRbr42WyOuUQfTu-2F4nzRvnExBDhTcsDCxAYSlvrUnKqhNu2QucwzzHnfd3nc1PaEOPnCY7lVi-2F-2FTTNyovG0zYk5qi6TlQOaMUlPhhOg1CBzrWoD-2BJCy6CeRTNCOxMmeykKFlmppbGGEqcnv1Ns33HkJq5QrEE1i7TzFrSdTciiW2xeho3yieI3kgFCvNAbW4DmtirZICDakbW9OIKR7-2BXEXF9V211cy5MWvnRyElRCDnZQGhhC4Xmy8QpWVQ1hkRUjNSqbxBIyJs0NLN-2BicHZse9nYwlxxMdUHA7kW8jSzXcgtmt4bmXpQ8CJpa3Q6l8HoWplFamAv33yszfV6dEc-2BB0CG8c2HMNZZ1XSXq7GmTl-2BvMA-2BfRvY#YnJ5b255LmdyaW1lc0B2aXJnaW5tZWRpYW8yLmNvLnVr	Get hash	malicious	HTMLPhisher	Browse	13.107.246.57
	PDFSuperHero (1).exe	Get hash	malicious	Unknown	Browse	13.107.246.57
	http://www.tinyurl.com/stationnement-infraction	Get hash	malicious	Unknown	Browse	13.107.246.57
	seznam.cz!rak-hamburg.de!1701216000!1701302400.xml	Get hash	malicious	Unknown	Browse	13.107.246.57
	seznam.cz!rak-hamburg.de!1701216000!1701302400.xml	Get hash	malicious	Unknown	Browse	13.107.213.57
	TAX INV_No. 68430304.msg	Get hash	malicious	HTMLPhisher	Browse	13.107.213.57
	https://www.cloudflare-ipfs.com/ipfs/bafybeidh3wdcpsqif5e33rgmpsv55ddzsbmoretfb6beocz24c75r6czyu/	Get hash	malicious	HTMLPhisher	Browse	13.107.246.57
	https://p.feedblitz.com/t3.asp?/1081591/102442729/7821567_/~feeds.feedblitz.com/~/t/0/0/sethsblog/posts/~//trk.klclick2.com/ls/click?upn=HVRWduvhL1zapb3BWQOCNk56kKLaZN2NWyuuAuFxgIz8zMiQxnawrj2-2FFp7gbcQnyWrOdGbOqFj-2FZgkAzyq-2BC8khjhjfMbBT9dGWSJRNZI03JhXEl1PVjz9DwJY0pvjIWHbttWgqwTZC6g51Xo9ipGls7VH82Bc77cvYM1wSwlM-3Dhsu-_UQf6CZtgTiGkpBx1ujDHnZAntAuJNxWSG9pjq-2BiEMRDParvahGK2lvPcgi8z-2B-2BWUg4E10bFWhVQPx2J677B6FP8yx0-2FJysvwueXTDlekc4fuJqc9eTKiFd28lcyexC81Cqlaf8OneDq0RQqpzSs3OrNXYkcO5BGQ0-2Bvj-2BMgtvx9EU5ceWacKEsrgo34D-2BvQlfVKavXIJnXz55AiUSDivcOKyMMkM77dkhlnU-2Fwhqfd9sgtV5U5QT43TnSbZVQbSpb6JM5Fd-2B9zjF7ujAa-2BmGKp80xEnPvX0pprbw2q6dePK-2Fn-2FOxE0W-2Fd2ibbASB-2BOpeh70-2F-2FM4Apmxghfiw9-2FaXl4pMadZgZf5tgK06pK1jU3LWhF-2FesHp6BuC4Zm6NA2siQYaKh1PINuPYtQTQ71r8gsRavODOVonVqF9fhuZTl08PrNKgQ12YYqGjBnkNreOqLUzSmcrbnQz49pZIL4H8Zw-3D-3D#YW15QHZpcnR1YWxpbnRlbGxpZ2VuY2VicmllZmluZy5jb20===8axoeifyzgmgsvofhrr=Z29vZ2xlLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	13.107.213.57
	part2.html	Get hash	malicious	HTMLPhisher	Browse	13.107.213.57
	Inv_No. 52130316.msg	Get hash	malicious	HTMLPhisher	Browse	13.107.213.57
	https://action.azurecomm.net/api/a/c?r=AIAAC5YOW6VICXVUC6AGB6WOWJEE6QQVQ2N32HJNHCXHTHWHEIKWFIZLLH27IFVW4OEX5FRBXTR7F4PYJ5FGTGN7NHMBMAS4DFM6SJL2OUDENAV6TZTXREKYPXHYCEDSDSBEASF6RDWYMPEMPFYEN5WGL4563K5NM4AKBUEHVFVV22JSCF2LF52C6EXPDD7FUENICOOB7ETSN6S7RJ3LOAHSJ3FN6BVORK236MTVYNNG4OPJ47NGHE3FLZCG4YG7PGZKDXFXEFPHWQ3YYWAI5OGRISHFRMM2KEGL6R3BHFSRZEUXRDOK5CPVYJBLVSRAMPVPTWSWQZ5UQSQVKIR2SRY27MNNXLN4VCM267YTKPQCBRGS4PFEBOPWMAJ2JO7VMH4RVHYXP5X3VVRDLC35GDHO7OG5TVE4REFC56DN5RBNKC27HSVFBULZV436VOHXOFCVYLDYPFVJ2W2AEWBWK2MHR3VC3RINUAZFIBN3CU2QP7YHLJ6PI4RFOQZWN66LLFDY4PESK36IYFGJG2DMR6VTEHSVSDQ&d=AIAACHM7OILYGPOJOJMSG42VSKMYC4TMP2GK4TLACUH6VP47UOXJSWUFYAFEHQ7T2BIRMKJW5VYVHFQKGEXOPOAY57Z5FBCXN6VEQX2LLYQQ4QCWCEBR6DOOXXCCUISD5VT4NSHT6BCN4YUVN7U4ALFOSBPEAX5LB6Q4UZ7MJX4TZR4JOQOUHXJ7CKDL3MQUWMQDJYE4M2WPSWN66YV65GAPOGL4XVBRN4HWDGI362HDIBUXUPNTY7KC423S6LTVKIWJZFAOUUOP6CXALJ4MJFWRVCUWRKY&url=PY/NToNAFEbfhp0MEF1gMtFoC21Sa6i1pGzMnWEoU7gzZH5q8emlLPotzzmbr3VueCZE+IemdqYLjfZO2KEJuUZCeL83wLsXWVNi8/YP2xsPEZwwSrrRtlrM5YaDm5jTisxrDKguhJ6B0q/9Xd5a7/AHRS09UoEg++AGOOAA8qRor086+LbCrGvKkzjiq4Pnq7eRJQUNdoILeZkd5FlbJQdf5NdH9hUrjmnM35/OLIlokBmNU3NMUl9hP7Iyi6BMp7ayotzFR8yGDW4vrKA0mA4qC9xJrdYL+rFf/m7Py+vnohj/AQ==	Get hash	malicious	HTMLPhisher	Browse	13.107.246.57
	Signature Required on cra-arc Q1 DrawDown Request - Execution Copy.zip	Get hash	malicious	HTMLPhisher	Browse	13.107.246.57
	Inv_No. 52130316.msg	Get hash	malicious	HTMLPhisher	Browse	13.107.213.57
	http://yeshlasoftware.com/PDFCastle.exe	Get hash	malicious	Unknown	Browse	13.107.246.57
dcs-public-edge-usw2-219535174.us-west-2.elb.amazonaws.com	https://google.com/amp/ip182.ip-135-148-101.us/SWhOYXJKdC9NYllYNWFSNXdvbGswWjU0M1U1Vk9xZXQvVUs2cHVtRGFsRVhGblA2ajJrbVppVUxBSEFMNXNTWWVPNm0xa3FQQm5BZEp1ZndrUFdGQ3c9PQ__	Get hash	malicious	Unknown	Browse	34.208.28.93
	http://www.tinyurl.com/stationnement-infraction	Get hash	malicious	Unknown	Browse	52.40.168.59
	https://hujr9.pages.dev/	Get hash	malicious	Unknown	Browse	44.224.119.250
	https://hrk4.pages.dev/	Get hash	malicious	Unknown	Browse	52.88.218.158
	http://accedi.54-227-63-246.cprapid.com/	Get hash	malicious	Unknown	Browse	52.32.40.227
	https://bgi.pages.dev/	Get hash	malicious	Unknown	Browse	52.40.168.36
	https://faq-kak.ru/kak-najti-svoyu-biblioteku-v-steam/	Get hash	malicious	Unknown	Browse	52.40.168.59
	https://pub-7a05263f273a456bb4e5284e1a031154.r2.dev/jsnew.html	Get hash	malicious	HTMLPhisher	Browse	52.34.53.96
	O6fNCCdNd3.exe	Get hash	malicious	RisePro Stealer, SmokeLoader, Vidar	Browse	34.212.247.228
	https://www.americanexpressseguros.com/	Get hash	malicious	Unknown	Browse	54.190.64.98
	https://pub-5e1216f7ac0c4c66ad3357156574b076.r2.dev/American_Express_card_protection.htm	Get hash	malicious	HTMLPhisher	Browse	35.166.198.201
	https://pub-deefeb5d00534e3992bcd5b787c594a8.r2.dev/jsnew.html	Get hash	malicious	HTMLPhisher	Browse	35.166.198.201
	https://www.fortinet.com/blog/threat-research/teamcity-intrusion-saga-apt29-suspected-exploiting-cve-2023-42793	Get hash	malicious	Unknown	Browse	54.190.64.98
	https://pub-af1ca2628047462d82e8cad6b44984b9.r2.dev/index.htm	Get hash	malicious	HTMLPhisher	Browse	54.244.173.3
	http://www.m9c.net	Get hash	malicious	Unknown	Browse	54.190.64.98
	Resume_C.D.Murali.doc	Get hash	malicious	Unknown	Browse	54.190.64.98
	1va32uO2.exe	Get hash	malicious	Unknown	Browse	54.201.93.159
	WEXTRACT.EXE.exe	Get hash	malicious	RisePro Stealer, Vidar	Browse	52.42.171.249
	wextract2.exe	Get hash	malicious	RisePro Stealer, SmokeLoader	Browse	54.190.64.98
	WEXTRACT13.EXE.exe	Get hash	malicious	RisePro Stealer, SmokeLoader, Vidar, zgRAT	Browse	52.42.120.103

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MICROSOFT-CORP-MSN-AS-BLOCKUS	VYPW2R1c6f.elf	Get hash	malicious	Mirai	Browse	20.52.245.233
	KddPKUnEY7.elf	Get hash	malicious	Mirai	Browse	20.246.165.77
	AN917z2mDV.exe	Get hash	malicious	RedLine	Browse	20.79.30.95
	https://ntf860f8.page.link/1srt	Get hash	malicious	Unknown	Browse	52.149.246.39
	sora.arm.elf	Get hash	malicious	Mirai	Browse	13.91.200.38
	https://trevorservices.trevor3340.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	13.107.213.40
	Thank You Inv#2024 ADOBE PDF.htm	Get hash	malicious	HTMLPhisher	Browse	13.107.246.40
	riatCif1bF.elf	Get hash	malicious	Mirai	Browse	157.55.40.136
	p2hClh5NdZ.elf	Get hash	malicious	Mirai	Browse	52.160.28.193
	x86_64	Get hash	malicious	Mirai	Browse	70.37.80.25
	ia5oWfGclS.elf	Get hash	malicious	Mirai	Browse	157.56.241.237
	oOdJWGP3g2.elf	Get hash	malicious	Mirai	Browse	20.161.37.117
	https://www.dropbox.com/scl/fi/wixtsar1jve2oak92gpd6/Cameron-Lux-Farmers-Union-Insurance-has-a-vital-document-for-you.Check-below-for-the-vital-document-shared.paper?rlkey=s4nqkki1okthmv0wunvifol7u&dl=0	Get hash	malicious	HTMLPhisher	Browse	20.190.190.131
	arm7.elf	Get hash	malicious	Mirai	Browse	13.100.26.34
	x86.elf	Get hash	malicious	Mirai	Browse	52.179.210.17
	https://brokerdealer-my.sharepoint.com/:f:/g/personal/irene_albon_cetera_com/EgEridaWCk5DncOEFkD0eTQBGh1hFUtwLXOIgvq65O6VfA?e=wfIHTL	Get hash	malicious	HTMLPhisher	Browse	13.107.136.10
	https://purple-ground-080c0e60f.4.azurestaticapps.net/.auth/invitations/accept	Get hash	malicious	Unknown	Browse	20.22.31.128
	Thank You Inv#2124 ADOBE PDF.htm	Get hash	malicious	HTMLPhisher	Browse	13.107.246.40
	https://www.baidu.com/link?url=0wAYVyA8FwwTAf4BPuuhFiLagReX1m8YEK8UHbHELux8sCJ--hepIcC5HKQXNyTd#yultia.oneal@dot.gov	Get hash	malicious	Unknown	Browse	13.89.172.14
	https://vhb-my.sharepoint.com/:f:/p/rbarr/Egs8mLLY8YlDiwRPlFM9248BERY-Yct2JjmHRSAbvY2AIA?e=d2CrQc	Get hash	malicious	Unknown	Browse	52.109.8.89
AMAZON-02US	arm7.elf	Get hash	malicious	Mirai	Browse	13.251.247.130
	lpk.dll	Get hash	malicious	Unknown	Browse	99.84.208.102
	x86.elf	Get hash	malicious	Mirai	Browse	18.196.227.76
	arm7.elf	Get hash	malicious	Mirai	Browse	44.229.157.183
	https://indd.adobe.com/view/a4b3551e-fb20-4176-a450-a3d49c28e11c	Get hash	malicious	Unknown	Browse	99.86.102.53
	KddPKUnEY7.elf	Get hash	malicious	Mirai	Browse	13.238.47.58
	https://indd.adobe.com/view/738ed234-d2b3-427d-925e-2e91c73bcc9c	Get hash	malicious	Unknown	Browse	99.86.229.14
	https://guangyyq.com/login	Get hash	malicious	Unknown	Browse	52.193.160.35
	sora.arm.elf	Get hash	malicious	Mirai	Browse	18.249.16.140
	ztlF9MWoA9.elf	Get hash	malicious	Mirai	Browse	54.219.128.237
	p2hClh5NdZ.elf	Get hash	malicious	Mirai	Browse	54.150.59.202
	z3fYEzpiwC.elf	Get hash	malicious	Mirai	Browse	52.17.28.175
	ia5oWfGclS.elf	Get hash	malicious	Mirai	Browse	157.175.218.216
	https://sube-krediacikdenizbasvurgirisonayi.click/	Get hash	malicious	Unknown	Browse	99.84.191.73
	https://www.dropbox.com/scl/fi/wixtsar1jve2oak92gpd6/Cameron-Lux-Farmers-Union-Insurance-has-a-vital-document-for-you.Check-below-for-the-vital-document-shared.paper?rlkey=s4nqkki1okthmv0wunvifol7u&dl=0	Get hash	malicious	HTMLPhisher	Browse	3.162.112.122
	arm7.elf	Get hash	malicious	Mirai	Browse	157.175.218.35
	https://d2-d7j04.eu1.hubspotlinks.com/Ctc/2N+113/d2-D7j04/VWB4QX5fwHPCW42cVfS3wMTX3W2H1VMy57V5tdN1MKF_83m2ndW8wLKSR6lZ3nkW3w-N_M1snmxsW7sJsgQ16frX2W49JTc65kxnsNW15RLPY7PwHHTW8RY_Z32ZldNbW2znPwl5mcTGZW5R_hSW1fwHfMW7kgGZT1zF7r6W6y3l5p2jVwm2W4WGdBG45_4GWW6JzVYX6GPCZ2W4fK68W84XtxfW8C53tM1JJ1NLN51JvBSxCrdnMZL4FKYd4MWW1sK1_w7FGxb7N77FVBVvQK7vW3hmb-L8jMQRrW77CJdf225svTW49DLHn8rJ7ChW6BTxPM41Ns86VgmTyT6LP2q2W94x92s4MyS9XW4z-HK67-mwPxW3sxytv6-bjcHN5wsG1ZZSWGlW1vPYxG6b90MKW7lMnbp3wclxQf9hpn4j04	Get hash	malicious	Unknown	Browse	52.84.151.43
	https://shankkits.uk	Get hash	malicious	Unknown	Browse	52.51.79.195
	x86.elf	Get hash	malicious	Mirai	Browse	34.216.38.3
	arm7.elf	Get hash	malicious	Mirai	Browse	52.46.126.93

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
1138de370e523e824bbca92d049a3777	https://47.252.0.216/	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://indd.adobe.com/view/738ed234-d2b3-427d-925e-2e91c73bcc9c	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://info-d6776fd98f34bh325f.waste-service.com/verfolgung/2880408?page=037	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://trevorservices.trevor3340.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	23.1.237.91
	https://cloude-dd47.aeancsesekhi.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	23.1.237.91
	Thank You Inv#2024 ADOBE PDF.htm	Get hash	malicious	HTMLPhisher	Browse	23.1.237.91
	https://mufgpw.com/	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://mufgom.com/	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=wmNeWLLV4ESFFVLcth9VVNgwr-OMg-1Go9eA620XiABURVNUU0RQVjFRME1PQjZXM1lFNEk5TDVDVC4u	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://dmarleneprodutosregionais.com.br/r/qJU	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://google.us/amp/ip0.ip-51-77-110.eu/cl/40074_md/105/13065/2104/0/0	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://masseuxproform.uk/	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://fvytvgh.blob.core.windows.net/vhgvhcg/6398.html	Get hash	malicious	Phisher	Browse	23.1.237.91
	https://e4bfrhhfr.blob.core.windows.net/eddedews/5673.html	Get hash	malicious	HTMLPhisher	Browse	23.1.237.91
	http://malnutritionandfoodfirst.rdash.nhs.uk	Get hash	malicious	Unknown	Browse	23.1.237.91
	http://mrsbagbag.com/4rUNry2143gMDK263hjjeroetyw14745YCONSOABNTKUDTM99PEOD8633o13	Get hash	malicious	Phisher	Browse	23.1.237.91
	http://mrsbagbag.com/4tkBEH2143PfSu263cgltpebjmi14745AIXOEQYETLDGXMB99RSBE8633F13	Get hash	malicious	Phisher	Browse	23.1.237.91
	https://www.msw-consultants.com/	Get hash	malicious	Unknown	Browse	23.1.237.91
	http://comparisonshoppingpartners.withgoogle.com/	Get hash	malicious	Unknown	Browse	23.1.237.91
	http://kineticwing.com/	Get hash	malicious	Unknown	Browse	23.1.237.91
28a2c9bd18a11de089ef85a160da29e4	http://nervous-seed-snowplow.glitch.me	Get hash	malicious	Unknown	Browse	23.1.244.180 20.12.23.50
	lpk.dll	Get hash	malicious	Unknown	Browse	23.1.244.180 20.12.23.50
	http://getol.xyz/?action=register&chan=THEHUNTER	Get hash	malicious	Unknown	Browse	23.1.244.180 20.12.23.50
	https://indd.adobe.com/view/a4b3551e-fb20-4176-a450-a3d49c28e11c	Get hash	malicious	Unknown	Browse	23.1.244.180 20.12.23.50
	https://38.105.25.233/	Get hash	malicious	Unknown	Browse	23.1.244.180 20.12.23.50
	https://47.252.0.216/	Get hash	malicious	Unknown	Browse	23.1.244.180 20.12.23.50
	https://indd.adobe.com/view/738ed234-d2b3-427d-925e-2e91c73bcc9c	Get hash	malicious	Unknown	Browse	23.1.244.180 20.12.23.50
	https://www.smbc-co.jp.gcguyjav5r7molqmwsxfh.kjfnb.xyz/	Get hash	malicious	Unknown	Browse	23.1.244.180 20.12.23.50
	https://shonetown.com/	Get hash	malicious	Unknown	Browse	23.1.244.180 20.12.23.50
	https://guangyyq.com/login	Get hash	malicious	Unknown	Browse	23.1.244.180 20.12.23.50
	https://info-d6776fd98f34bh325f.waste-service.com/verfolgung/2880408?page=037	Get hash	malicious	Unknown	Browse	23.1.244.180 20.12.23.50
	https://netflixlogin111.blogspot.com/	Get hash	malicious	Unknown	Browse	23.1.244.180 20.12.23.50
	https://trevorservices.trevor3340.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	23.1.244.180 20.12.23.50
	https://bnl-tarif-transaksi.ssd-i.com/Tarif-Transaksi-BNI/	Get hash	malicious	Unknown	Browse	23.1.244.180 20.12.23.50
	http://bakwasnakar.com/web/index.html	Get hash	malicious	Unknown	Browse	23.1.244.180 20.12.23.50
	https://id-f0596.remaxguys.com/verfolgung/rastreo.php?id=4478819&page=305	Get hash	malicious	Unknown	Browse	23.1.244.180 20.12.23.50
	https://cloude-dd47.aeancsesekhi.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	23.1.244.180 20.12.23.50
	Thank You Inv#2024 ADOBE PDF.htm	Get hash	malicious	HTMLPhisher	Browse	23.1.244.180 20.12.23.50
	https://faze44.com/	Get hash	malicious	Unknown	Browse	23.1.244.180 20.12.23.50
	https://sube-krediacikdenizbasvurgirisonayi.click/	Get hash	malicious	Unknown	Browse	23.1.244.180 20.12.23.50

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Jan 5 01:29:32 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.9799698601942515
Encrypted:	false
SSDEEP:	48:8YdhoTBsKwWH2idAKZdA19ehwiZUklqehRy+3:8Nnwfey
MD5:	72C82540A82291FE2F1F6FDEE38E4FDC
SHA1:	7DDF8A17C6C7282173547EE8FAB55DE18C53D9A3
SHA-256:	9AB865206F863346F49C12DE6C8BEBB277D476C4A6F7FCB773071E5830F8BA3B
SHA-512:	9757C888074707F9591AA3A21391918BDA5DB715EC2EDA8138D6B92D817B6399DC6A3DDA61E4201B8B801A257587ACB3B75AB369D3C7B766A4E2FFAF65A43E4E
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,........?..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I%X......B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V%X......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V%X......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V%X............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V%X.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............l.@.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.131280946694984
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Renewal.exe
File size:	12'800 bytes
MD5:	e7457fc1fecac4151a1d49b54cf3acd5
SHA1:	cca952ab905f83550a9d4b2cafec99b4e6e2bb17
SHA256:	ccc064b8982473125fd5e30f787d621bd682ffdaa7a6dc5e515a1120bb4c1250
SHA512:	e00a77695ad2b63cb287f74262ed3b6ab64d7ea8393c3e36924e434a45439426c3b45831943fd75e438425d59a03305c30841bdd5d8dac7dd32f8e4cb87fcb12
SSDEEP:	192:zfW+tV4EH+RA6xvHV7V0qfG5/PIBjeCGvLIzOwCCvgLWQhIf2lkiS+gHTMNJ:z++j4EGtfGpkGD8OxugLWz+2UO4
TLSH:	90421A5537ECC337C9BA0BBA5C6321414774B286C563E91E6F88A45F99F370009A3BA3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...uX1d.................(..........^F... ...`....@.. ....................................`................................

Entrypoint:	0x40465e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x64315875 [Sat Apr 8 12:05:09 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x460c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6000	0x530	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x44d4	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x2664	0x2800	False	0.50615234375	data	5.497172072637766	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x6000	0x530	0x600	False	0.3821614583333333	data	3.8772839360498508	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x8000	0x200	0x200	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x60a0	0x2a0	data			0.43601190476190477
RT_MANIFEST	0x6340	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 5, 2024 03:29:30.382226944 CET	64096	53	192.168.2.5	1.1.1.1
Jan 5, 2024 03:29:30.382397890 CET	64177	53	192.168.2.5	1.1.1.1
Jan 5, 2024 03:29:30.382884026 CET	53690	53	192.168.2.5	1.1.1.1
Jan 5, 2024 03:29:30.383064032 CET	49735	53	192.168.2.5	1.1.1.1
Jan 5, 2024 03:29:30.430777073 CET	53	59996	1.1.1.1	192.168.2.5
Jan 5, 2024 03:29:30.504518032 CET	53	64177	1.1.1.1	192.168.2.5
Jan 5, 2024 03:29:30.504641056 CET	53	64096	1.1.1.1	192.168.2.5
Jan 5, 2024 03:29:30.505326986 CET	53	49735	1.1.1.1	192.168.2.5
Jan 5, 2024 03:29:30.505660057 CET	53	53690	1.1.1.1	192.168.2.5
Jan 5, 2024 03:29:31.238533020 CET	53	51580	1.1.1.1	192.168.2.5
Jan 5, 2024 03:29:32.666347980 CET	51456	53	192.168.2.5	1.1.1.1
Jan 5, 2024 03:29:32.666347980 CET	51087	53	192.168.2.5	1.1.1.1
Jan 5, 2024 03:29:34.081645012 CET	51430	53	192.168.2.5	1.1.1.1
Jan 5, 2024 03:29:34.082139969 CET	62436	53	192.168.2.5	1.1.1.1
Jan 5, 2024 03:29:34.087564945 CET	53216	53	192.168.2.5	1.1.1.1
Jan 5, 2024 03:29:34.087704897 CET	51668	53	192.168.2.5	1.1.1.1
Jan 5, 2024 03:29:34.204696894 CET	53	51430	1.1.1.1	192.168.2.5
Jan 5, 2024 03:29:34.205221891 CET	53	62436	1.1.1.1	192.168.2.5
Jan 5, 2024 03:29:34.214915037 CET	53	51668	1.1.1.1	192.168.2.5
Jan 5, 2024 03:29:34.215208054 CET	53	53216	1.1.1.1	192.168.2.5
Jan 5, 2024 03:29:34.565218925 CET	50507	53	192.168.2.5	1.1.1.1
Jan 5, 2024 03:29:34.565638065 CET	64051	53	192.168.2.5	1.1.1.1
Jan 5, 2024 03:29:34.687881947 CET	53	50507	1.1.1.1	192.168.2.5
Jan 5, 2024 03:29:34.688044071 CET	53	64051	1.1.1.1	192.168.2.5
Jan 5, 2024 03:29:36.159655094 CET	59098	53	192.168.2.5	1.1.1.1
Jan 5, 2024 03:29:36.160041094 CET	64214	53	192.168.2.5	1.1.1.1
Jan 5, 2024 03:29:37.125111103 CET	53	60090	1.1.1.1	192.168.2.5
Jan 5, 2024 03:29:48.144860983 CET	53	49175	1.1.1.1	192.168.2.5
Jan 5, 2024 03:30:07.176038027 CET	53	62372	1.1.1.1	192.168.2.5
Jan 5, 2024 03:30:29.902967930 CET	53	55052	1.1.1.1	192.168.2.5
Jan 5, 2024 03:30:30.182197094 CET	53	58439	1.1.1.1	192.168.2.5
Jan 5, 2024 03:30:36.983007908 CET	62259	53	192.168.2.5	1.1.1.1
Jan 5, 2024 03:30:36.983285904 CET	62428	53	192.168.2.5	1.1.1.1
Jan 5, 2024 03:30:58.537374973 CET	53	53789	1.1.1.1	192.168.2.5
Jan 5, 2024 03:30:59.570862055 CET	49763	53	192.168.2.5	1.1.1.1
Jan 5, 2024 03:30:59.571155071 CET	60807	53	192.168.2.5	1.1.1.1
Jan 5, 2024 03:30:59.693605900 CET	53	49763	1.1.1.1	192.168.2.5
Jan 5, 2024 03:30:59.694328070 CET	53	60807	1.1.1.1	192.168.2.5

Timestamp	Bytes transferred	Direction	Data
2024-01-05 02:29:30 UTC	752	OUT	GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=117.0.5938.132&lang=en-US&acceptformat=crx3,puff&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26brand%3DONGR%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1 Host: clients2.google.com Connection: keep-alive X-Goog-Update-Interactivity: fg X-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda X-Goog-Update-Updater: chromecrx-117.0.5938.132 Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-01-05 02:29:31 UTC	732	IN	HTTP/1.1 200 OK Content-Security-Policy: script-src 'report-sample' 'nonce-y2nv9ohbGLWQuDzFCZYzbw' 'unsafe-inline' 'strict-dynamic' https: http:;object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/clientupdate-aus/1 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 05 Jan 2024 02:29:30 GMT Content-Type: text/xml; charset=UTF-8 X-Daynum: 6212 X-Daystart: 66570 X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block Server: GSE Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-01-05 02:29:31 UTC	520	IN	Data Raw: 32 63 39 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 67 75 70 64 61 74 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 75 70 64 61 74 65 32 2f 72 65 73 70 6f 6e 73 65 22 20 70 72 6f 74 6f 63 6f 6c 3d 22 32 2e 30 22 20 73 65 72 76 65 72 3d 22 70 72 6f 64 22 3e 3c 64 61 79 73 74 61 72 74 20 65 6c 61 70 73 65 64 5f 64 61 79 73 3d 22 36 32 31 32 22 20 65 6c 61 70 73 65 64 5f 73 65 63 6f 6e 64 73 3d 22 36 36 35 37 30 22 2f 3e 3c 61 70 70 20 61 70 70 69 64 3d 22 6e 6d 6d 68 6b 6b 65 67 63 63 61 67 64 6c 64 67 69 69 6d 65 64 70 69 63 63 6d 67 6d 69 65 64 61 22 20 63 6f 68 6f 72 74 3d 22 31 3a 3a 22 20 63 6f 68 6f 72 74 6e 61 6d 65 3d 22 22 Data Ascii: 2c9<?xml version="1.0" encoding="UTF-8"?><gupdate xmlns="http://www.google.com/update2/response" protocol="2.0" server="prod"><daystart elapsed_days="6212" elapsed_seconds="66570"/><app appid="nmmhkkegccagdldgiimedpiccmgmieda" cohort="1::" cohortname=""
2024-01-05 02:29:31 UTC	200	IN	Data Raw: 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 68 61 73 68 5f 73 68 61 32 35 36 3d 22 38 31 65 33 61 34 64 34 33 61 37 33 36 39 39 65 31 62 37 37 38 31 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 70 72 6f 74 65 63 74 65 64 3d 22 30 22 20 73 69 7a 65 3d 22 32 34 38 35 33 31 22 20 73 74 61 74 75 73 3d 22 6f 6b 22 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 2e 30 2e 36 22 2f 3e 3c 2f 61 70 70 3e 3c 2f 67 75 70 64 61 74 65 3e 0d 0a Data Ascii: 723f56b8717175c536685c5450122b30789464ad82" hash_sha256="81e3a4d43a73699e1b7781723f56b8717175c536685c5450122b30789464ad82" protected="0" size="248531" status="ok" version="1.0.0.6"/></app></gupdate>
2024-01-05 02:29:31 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-01-05 02:29:30 UTC	680	OUT	POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1 Host: accounts.google.com Connection: keep-alive Content-Length: 1 Origin: https://www.google.com Content-Type: application/x-www-form-urlencoded Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=511=Ef5vPFGw-MZYo5hwe-0ThAVslbxbmvdVZwcHnqVzWHAU14v53MN1VvwvQq8baYfg2-IAtqZBV5NOL5rvj2NWIqrz377UhLdHtOgE-tJaBlUBYJEhuGsQdqni3oTJg0brqv1djdiLJyvTSUhdK-c5JWadCSsULPLzhSx-F-6wOg4
2024-01-05 02:29:30 UTC	1	OUT	Data Raw: 20 Data Ascii:
2024-01-05 02:29:31 UTC	1627	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Access-Control-Allow-Origin: https://www.google.com Access-Control-Allow-Credentials: true X-Content-Type-Options: nosniff Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 05 Jan 2024 02:29:31 GMT Strict-Transport-Security: max-age=31536000; includeSubDomains Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factor=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: script-src 'report-sample' 'nonce-708Lu7Tre4U3kZ33wolrEA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/IdentityListAccountsHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/IdentityListAccountsHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/IdentityListAccountsHttp/cspreport Server: ESF X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-01-05 02:29:31 UTC	23	IN	Data Raw: 31 31 0d 0a 5b 22 67 61 69 61 2e 6c 2e 61 2e 72 22 2c 5b 5d 5d 0d 0a Data Ascii: 11["gaia.l.a.r",[]]
2024-01-05 02:29:31 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-01-05 02:29:33 UTC	549	OUT	GET /scripts/c/ms.jsll-3.min.js HTTP/1.1 Host: js.monitor.azure.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Referer: https://learn.microsoft.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-01-05 02:29:33 UTC	925	IN	HTTP/1.1 200 OK Date: Fri, 05 Jan 2024 02:29:33 GMT Content-Type: text/javascript; charset=utf-8 Content-Length: 185041 Connection: close Vary: Accept-Encoding Vary: Accept-Encoding Vary: Accept-Encoding Vary: Accept-Encoding Cache-Control: public, max-age=1800, immutable, no-transform Last-Modified: Thu, 21 Sep 2023 19:29:40 GMT ETag: 0x8DBBAD919F17481 x-ms-request-id: ab576bf4-301e-0081-6c69-35e4dc000000 x-ms-version: 2009-09-19 x-ms-meta-jssdkver: 3.2.14 x-ms-meta-jssdksrc: [cdn]/scripts/c/ms.jsll-3.2.14.min.js Access-Control-Expose-Headers: x-ms-request-id,Server,x-ms-version,x-ms-meta-jssdkver,x-ms-meta-jssdksrc,Content-Type,Cache-Control,Last-Modified,ETag,x-ms-lease-status,x-ms-blob-type,Content-Length,Date,Transfer-Encoding Access-Control-Allow-Origin: * x-azure-ref: 20240105T022933Z-wdw78nttpp11x3p2hdqn5cn3d40000000hd0000000006yqr X-Cache: TCP_REVALIDATED_HIT Accept-Ranges: bytes
2024-01-05 02:29:33 UTC	15459	IN	Data Raw: 2f 2a 21 0a 20 2a 20 31 44 53 20 4a 53 4c 4c 20 53 4b 55 2c 20 33 2e 32 2e 31 34 0a 20 2a 20 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 4d 69 63 72 6f 73 6f 66 74 20 61 6e 64 20 63 6f 6e 74 72 69 62 75 74 6f 72 73 2e 20 41 6c 6c 20 72 69 67 68 74 73 20 72 65 73 65 72 76 65 64 2e 0a 20 2a 20 28 4d 69 63 72 6f 73 6f 66 74 20 49 6e 74 65 72 6e 61 6c 20 4f 6e 6c 79 29 0a 20 2a 2f 0a 21 66 75 6e 63 74 69 6f 6e 28 65 2c 74 29 7b 76 61 72 20 6e 3d 22 75 6e 64 65 66 69 6e 65 64 22 3b 69 66 28 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 65 78 70 6f 72 74 73 26 26 74 79 70 65 6f 66 20 6d 6f 64 75 6c 65 21 3d 6e 29 74 28 65 78 70 6f 72 74 73 29 3b 65 6c 73 65 20 69 66 28 22 66 75 6e 63 74 69 6f 6e 22 3d 3d 74 79 70 65 6f 66 20 64 65 66 69 6e 65 26 26 64 65 66 Data Ascii: /! 1DS JSLL SKU, 3.2.14 * Copyright (c) Microsoft and contributors. All rights reserved. * (Microsoft Internal Only) */!function(e,t){var n="undefined";if("object"==typeof exports&&typeof module!=n)t(exports);else if("function"==typeof define&&def
2024-01-05 02:29:33 UTC	16384	IN	Data Raw: 74 3d 76 6f 69 64 20 30 21 3d 3d 74 26 26 74 29 3f 22 2e 22 2b 57 72 3a 70 29 2b 47 72 29 7d 66 75 6e 63 74 69 6f 6e 20 59 72 28 65 29 7b 76 61 72 20 61 3d 7b 69 64 3a 4a 72 28 22 5f 61 69 44 61 74 61 2d 22 2b 28 65 7c 7c 70 29 2b 22 2e 22 2b 57 72 29 2c 61 63 63 65 70 74 3a 51 72 2c 67 65 74 3a 66 75 6e 63 74 69 6f 6e 28 65 2c 74 2c 6e 2c 72 29 7b 76 61 72 20 69 3d 65 5b 61 2e 69 64 5d 3b 72 65 74 75 72 6e 20 69 3f 69 5b 4d 74 28 74 29 5d 3a 28 72 26 26 28 28 69 3d 66 75 6e 63 74 69 6f 6e 28 65 2c 74 29 7b 76 61 72 20 6e 3d 74 5b 65 2e 69 64 5d 3b 69 66 28 21 6e 29 7b 6e 3d 7b 7d 3b 74 72 79 7b 51 72 28 74 29 26 26 21 66 75 6e 63 74 69 6f 6e 28 65 2c 74 2c 6e 29 7b 69 66 28 4b 72 29 74 72 79 7b 72 65 74 75 72 6e 20 4b 72 28 65 2c 74 2c 7b 76 61 6c 75 65 Data Ascii: t=void 0!==t&&t)?"."+Wr:p)+Gr)}function Yr(e){var a={id:Jr("_aiData-"+(e\|\|p)+"."+Wr),accept:Qr,get:function(e,t,n,r){var i=e[a.id];return i?i[Mt(t)]:(r&&((i=function(e,t){var n=t[e.id];if(!n){n={};try{Qr(t)&&!function(e,t,n){if(Kr)try{return Kr(e,t,{value
2024-01-05 02:29:33 UTC	16384	IN	Data Raw: 6e 20 6b 65 79 22 29 2c 69 3d 72 2c 68 5b 4d 61 5d 3d 72 3b 65 3d 5a 74 28 43 2e 64 69 73 61 62 6c 65 44 62 67 45 78 74 29 2c 21 30 3d 3d 3d 65 26 26 50 26 26 28 69 5b 49 65 5d 28 50 29 2c 50 3d 6e 75 6c 6c 29 2c 69 26 26 21 50 26 26 21 30 21 3d 3d 65 26 26 28 50 3d 66 75 6e 63 74 69 6f 6e 28 65 29 7b 69 66 28 21 6d 72 29 7b 6d 72 3d 7b 7d 3b 66 6f 72 28 76 61 72 20 74 3d 30 3b 74 3c 79 72 5b 55 5d 3b 74 2b 2b 29 6d 72 5b 79 72 5b 74 5d 5d 3d 66 75 6e 63 74 69 6f 6e 28 74 2c 6e 29 7b 72 65 74 75 72 6e 20 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 65 3d 62 72 28 6e 29 3b 65 26 26 28 65 3d 65 2e 6c 69 73 74 65 6e 65 72 29 26 26 65 5b 74 5d 26 26 65 5b 74 5d 5b 4d 65 5d 28 65 2c 61 72 67 75 6d 65 6e 74 73 29 7d 7d 28 79 72 5b 74 5d 2c 65 29 7d 72 65 74 75 Data Ascii: n key"),i=r,h[Ma]=r;e=Zt(C.disableDbgExt),!0===e&&P&&(i[Ie](P),P=null),i&&!P&&!0!==e&&(P=function(e){if(!mr){mr={};for(var t=0;t<yr[U];t++)mr[yr[t]]=function(t,n){return function(){var e=br(n);e&&(e=e.listener)&&e[t]&&e[t][Me](e,arguments)}}(yr[t],e)}retu
2024-01-05 02:29:33 UTC	16384	IN	Data Raw: 3d 65 5b 4c 73 5d 3a 77 69 6e 64 6f 77 26 26 77 69 6e 64 6f 77 2e 6f 70 65 72 61 26 26 65 5b 56 73 5d 3f 6e 3d 66 75 6e 63 74 69 6f 6e 28 65 29 7b 66 6f 72 28 76 61 72 20 74 3d 5b 5d 2c 6e 3d 65 5b 44 6f 5d 28 22 5c 6e 22 29 2c 72 3d 30 3b 72 3c 6e 5b 68 5d 3b 72 2b 2b 29 7b 76 61 72 20 69 3d 6e 5b 72 5d 3b 6e 5b 72 2b 31 5d 26 26 28 69 2b 3d 22 40 22 2b 6e 5b 72 2b 31 5d 2c 72 2b 2b 29 2c 74 2e 70 75 73 68 28 69 29 7d 72 65 74 75 72 6e 7b 73 72 63 3a 65 2c 6f 62 6a 3a 74 7d 7d 28 65 5b 4f 6f 5d 29 3a 65 2e 72 65 61 73 6f 6e 26 26 65 2e 72 65 61 73 6f 6e 5b 4d 73 5d 3f 6e 3d 6a 73 28 65 2e 72 65 61 73 6f 6e 5b 4d 73 5d 29 3a 24 28 65 29 3f 6e 3d 6a 73 28 65 29 3a 28 74 3d 65 5b 56 73 5d 7c 7c 65 5b 48 73 5d 7c 7c 22 22 2c 24 28 65 5b 55 73 5d 29 26 26 28 Data Ascii: =e[Ls]:window&&window.opera&&e[Vs]?n=function(e){for(var t=[],n=e[Do]("\n"),r=0;r<n[h];r++){var i=n[r];n[r+1]&&(i+="@"+n[r+1],r++),t.push(i)}return{src:e,obj:t}}(e[Oo]):e.reason&&e.reason[Ms]?n=js(e.reason[Ms]):$(e)?n=js(e):(t=e[Vs]\|\|e[Hs]\|\|"",$(e[Us])&&(
2024-01-05 02:29:33 UTC	16384	IN	Data Raw: 74 63 68 28 72 29 7b 64 28 31 2c 33 36 2c 22 74 72 61 63 6b 4d 65 74 72 69 63 20 66 61 69 6c 65 64 2c 20 6d 65 74 72 69 63 20 77 69 6c 6c 20 6e 6f 74 20 62 65 20 63 6f 6c 6c 65 63 74 65 64 3a 20 22 2b 76 28 72 29 2c 7b 65 78 63 65 70 74 69 6f 6e 3a 73 65 28 72 29 7d 29 7d 7d 2c 53 5b 55 63 5d 3d 66 75 6e 63 74 69 6f 6e 28 65 2c 74 29 7b 74 72 79 7b 76 61 72 20 6e 3d 65 7c 7c 7b 7d 3b 6b 5b 55 63 5d 28 6e 2c 58 28 58 28 58 28 7b 7d 2c 6e 2e 70 72 6f 70 65 72 74 69 65 73 29 2c 6e 2e 6d 65 61 73 75 72 65 6d 65 6e 74 73 29 2c 74 29 29 2c 53 2e 63 6f 6e 66 69 67 5b 5f 63 5d 26 26 4f 5b 56 63 5d 28 6e 2e 6e 61 6d 65 2c 6e 2e 75 72 69 29 7d 63 61 74 63 68 28 72 29 7b 64 28 31 2c 33 37 2c 22 74 72 61 63 6b 50 61 67 65 56 69 65 77 20 66 61 69 6c 65 64 2c 20 70 61 Data Ascii: tch(r){d(1,36,"trackMetric failed, metric will not be collected: "+v(r),{exception:se(r)})}},S[Uc]=function(e,t){try{var n=e\|\|{};k[Uc](n,X(X(X({},n.properties),n.measurements),t)),S.config[_c]&&O[Vc](n.name,n.uri)}catch(r){d(1,37,"trackPageView failed, pa
2024-01-05 02:29:33 UTC	16384	IN	Data Raw: 75 28 74 2c 4d 75 29 3b 69 66 28 65 26 26 31 3d 3d 3d 65 2e 6c 65 6e 67 74 68 29 7b 69 66 28 65 5b 30 5d 2e 68 72 65 66 29 72 65 74 75 72 6e 20 65 5b 30 5d 2e 68 72 65 66 3b 69 66 28 65 5b 30 5d 2e 73 72 63 29 72 65 74 75 72 6e 20 65 5b 30 5d 2e 73 72 63 7d 7d 72 65 74 75 72 6e 22 22 7d 28 29 3b 62 72 65 61 6b 3b 63 61 73 65 22 49 4e 50 55 54 22 3a 76 61 72 20 6e 3d 74 2e 74 79 70 65 3b 6e 26 26 7a 75 5b 6e 2e 74 6f 55 70 70 65 72 43 61 73 65 28 29 5d 26 26 28 6e 3d 73 72 28 29 7c 7c 7b 7d 2c 65 3d 74 2e 66 6f 72 6d 3f 74 2e 66 6f 72 6d 2e 61 63 74 69 6f 6e 7c 7c 6e 2e 70 61 74 68 6e 61 6d 65 7c 7c 22 22 3a 6e 2e 70 61 74 68 6e 61 6d 65 7c 7c 22 22 29 7d 72 65 74 75 72 6e 20 65 7d 28 65 29 2c 6f 3d 6c 65 28 6f 3d 74 68 69 73 2e 5f 63 6f 6e 74 65 6e 74 48 Data Ascii: u(t,Mu);if(e&&1===e.length){if(e[0].href)return e[0].href;if(e[0].src)return e[0].src}}return""}();break;case"INPUT":var n=t.type;n&&zu[n.toUpperCase()]&&(n=sr()\|\|{},e=t.form?t.form.action\|\|n.pathname\|\|"":n.pathname\|\|"")}return e}(e),o=le(o=this._contentH
2024-01-05 02:29:33 UTC	16384	IN	Data Raw: 6b 28 6e 29 7d 2c 66 2e 74 72 61 63 6b 50 61 67 65 56 69 65 77 3d 66 75 6e 63 74 69 6f 6e 28 65 2c 74 29 7b 49 2e 5f 72 65 63 6f 72 64 54 69 6d 65 53 70 61 6e 28 22 64 77 65 6c 6c 54 69 6d 65 22 2c 21 31 29 2c 54 2e 76 3d 30 2c 69 3d 21 31 2c 66 2e 69 64 2e 69 6e 69 74 69 61 6c 69 7a 65 49 64 73 28 29 2c 65 2e 69 64 3d 66 2e 69 64 2e 67 65 74 4c 61 73 74 50 61 67 65 56 69 65 77 49 64 28 29 2c 64 2e 73 65 6e 64 50 61 67 65 56 69 65 77 49 6e 74 65 72 6e 61 6c 28 65 2c 74 2c 72 28 65 29 29 7d 2c 66 2e 63 61 70 74 75 72 65 50 61 67 65 56 69 65 77 3d 66 75 6e 63 74 69 6f 6e 28 65 2c 74 29 7b 67 2e 63 61 70 74 75 72 65 50 61 67 65 56 69 65 77 28 65 2c 74 29 7d 2c 66 2e 74 72 61 63 6b 50 61 67 65 56 69 65 77 50 65 72 66 6f 72 6d 61 6e 63 65 3d 66 75 6e 63 74 69 Data Ascii: k(n)},f.trackPageView=function(e,t){I._recordTimeSpan("dwellTime",!1),T.v=0,i=!1,f.id.initializeIds(),e.id=f.id.getLastPageViewId(),d.sendPageViewInternal(e,t,r(e))},f.capturePageView=function(e,t){g.capturePageView(e,t)},f.trackPageViewPerformance=functi
2024-01-05 02:29:33 UTC	16384	IN	Data Raw: 74 75 72 6e 20 74 26 26 28 48 74 28 74 29 3f 65 3d 5b 74 5d 2e 63 6f 6e 63 61 74 28 65 29 3a 46 28 74 29 26 26 28 65 3d 74 2e 63 6f 6e 63 61 74 28 65 29 29 29 2c 65 7d 52 66 28 73 66 2c 73 66 2c 21 31 29 2c 52 66 28 74 66 2c 74 66 29 2c 52 66 28 6e 66 2c 22 43 6c 69 65 6e 74 2d 49 64 22 29 2c 52 66 28 6f 66 2c 6f 66 29 2c 52 66 28 72 66 2c 72 66 29 2c 52 66 28 61 66 2c 61 66 29 2c 52 66 28 68 63 2c 68 63 29 2c 46 66 2e 5f 5f 69 65 44 79 6e 3d 31 3b 76 61 72 20 48 66 3d 46 66 3b 66 75 6e 63 74 69 6f 6e 20 46 66 28 45 2c 65 2c 5f 2c 64 2c 78 29 7b 74 68 69 73 2e 5f 72 65 73 70 6f 6e 73 65 48 61 6e 64 6c 65 72 73 3d 5b 5d 3b 76 61 72 20 53 2c 4e 2c 44 2c 77 2c 41 2c 6b 2c 50 2c 4f 2c 52 2c 4d 2c 4c 3d 22 3f 63 6f 72 73 3d 74 72 75 65 26 63 6f 6e 74 65 6e 74 Data Ascii: turn t&&(Ht(t)?e=[t].concat(e):F(t)&&(e=t.concat(e))),e}Rf(sf,sf,!1),Rf(tf,tf),Rf(nf,"Client-Id"),Rf(of,of),Rf(rf,rf),Rf(af,af),Rf(hc,hc),Ff.__ieDyn=1;var Hf=Ff;function Ff(E,e,_,d,x){this._responseHandlers=[];var S,N,D,w,A,k,P,O,R,M,L="?cors=true&content
2024-01-05 02:29:33 UTC	16384	IN	Data Raw: 75 6e 63 74 69 6f 6e 28 29 7b 4c 3d 6e 75 6c 6c 2c 66 75 6e 63 74 69 6f 6e 20 72 28 65 2c 74 29 7b 61 28 31 2c 30 2c 74 29 2c 76 28 29 2c 66 75 6e 63 74 69 6f 6e 20 6e 28 65 29 7b 44 2e 69 73 43 6f 6d 70 6c 65 74 65 6c 79 49 64 6c 65 28 29 3f 65 28 29 3a 4c 3d 73 28 66 75 6e 63 74 69 6f 6e 28 29 7b 4c 3d 6e 75 6c 6c 2c 6e 28 65 29 7d 2c 2e 32 35 29 7d 28 66 75 6e 63 74 69 6f 6e 28 29 7b 65 26 26 65 28 29 2c 30 3c 4d 2e 6c 65 6e 67 74 68 3f 4c 3d 73 28 66 75 6e 63 74 69 6f 6e 28 29 7b 4c 3d 6e 75 6c 6c 2c 72 28 4d 2e 73 68 69 66 74 28 29 2c 74 29 7d 2c 30 29 3a 28 4c 3d 6e 75 6c 6c 2c 6f 28 29 29 7d 29 7d 28 74 2c 6e 29 7d 2c 30 29 29 3a 4d 2e 70 75 73 68 28 74 29 3a 28 65 3d 63 28 29 2c 61 28 31 2c 31 2c 6e 29 2c 6e 75 6c 6c 21 3d 3d 74 26 26 74 21 3d 3d Data Ascii: unction(){L=null,function r(e,t){a(1,0,t),v(),function n(e){D.isCompletelyIdle()?e():L=s(function(){L=null,n(e)},.25)}(function(){e&&e(),0<M.length?L=s(function(){L=null,r(M.shift(),t)},0):(L=null,o())})}(t,n)},0)):M.push(t):(e=c(),a(1,1,n),null!==t&&t!==
2024-01-05 02:29:33 UTC	16384	IN	Data Raw: 72 61 63 65 43 74 78 28 29 2e 67 65 74 54 72 61 63 65 49 64 28 29 7c 7c 72 7d 2c 65 2e 67 65 74 4c 61 73 74 50 61 67 65 56 69 65 77 49 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 6e 7d 7d 29 7d 63 70 2e 5f 5f 69 65 44 79 6e 3d 31 3b 76 61 72 20 75 70 3d 63 70 2c 6c 70 3d 22 64 75 72 61 74 69 6f 6e 22 2c 66 70 3d 22 70 72 6f 70 65 72 74 69 65 73 22 2c 64 70 3d 22 72 65 71 75 65 73 74 55 72 6c 22 2c 70 70 3d 22 69 6e 73 74 22 2c 67 70 3d 22 6c 65 6e 67 74 68 22 2c 68 70 3d 22 74 72 61 63 65 49 44 22 2c 76 70 3d 22 73 70 61 6e 49 44 22 2c 6d 70 3d 22 74 72 61 63 65 46 6c 61 67 73 22 2c 79 70 3d 22 63 6f 6e 74 65 78 74 22 2c 43 70 3d 22 61 62 6f 72 74 65 64 22 2c 62 70 3d 22 74 72 61 63 65 49 64 22 2c 54 70 3d 22 73 70 61 6e 49 64 22 2c 49 70 Data Ascii: raceCtx().getTraceId()\|\|r},e.getLastPageViewId=function(){return n}})}cp.__ieDyn=1;var up=cp,lp="duration",fp="properties",dp="requestUrl",pp="inst",gp="length",hp="traceID",vp="spanID",mp="traceFlags",yp="context",Cp="aborted",bp="traceId",Tp="spanId",Ip

Timestamp	Bytes transferred	Direction	Data
2024-01-05 02:29:33 UTC	551	OUT	GET /mscc/lib/v2/wcp-consent.js HTTP/1.1 Host: wcpstatic.microsoft.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Referer: https://learn.microsoft.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-01-05 02:29:33 UTC	714	IN	HTTP/1.1 200 OK Date: Fri, 05 Jan 2024 02:29:33 GMT Content-Type: application/javascript Content-Length: 279220 Connection: close Access-Control-Allow-Origin: * Access-Control-Expose-Headers: x-ms-request-id,Server,x-ms-version,Content-Length,Date,Transfer-Encoding Age: 13270 Cache-Control: max-age=43200 Content-MD5: X1JOIM5h9UISVFS6+GfEew== Etag: 0x8DA85F6EA62BF74 Last-Modified: Wed, 24 Aug 2022 17:34:36 GMT Vary: Accept-Encoding X-Cache: CONFIG_NOCACHE x-ms-blob-type: BlockBlob x-ms-lease-status: unlocked x-ms-request-id: 0445ab9f-d01e-0042-2c60-3fb266000000 x-ms-version: 2009-09-19 x-azure-ref: 20240105T022933Z-ncp95y70ah50fcrsz4p3u6yhh80000000hg0000000003qwv Accept-Ranges: bytes
2024-01-05 02:29:33 UTC	15670	IN	Data Raw: 76 61 72 20 57 63 70 43 6f 6e 73 65 6e 74 3b 21 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 65 3d 7b 32 32 39 3a 66 75 6e 63 74 69 6f 6e 28 65 29 7b 77 69 6e 64 6f 77 2c 65 2e 65 78 70 6f 72 74 73 3d 66 75 6e 63 74 69 6f 6e 28 65 29 7b 76 61 72 20 61 3d 7b 7d 3b 66 75 6e 63 74 69 6f 6e 20 69 28 6e 29 7b 69 66 28 61 5b 6e 5d 29 72 65 74 75 72 6e 20 61 5b 6e 5d 2e 65 78 70 6f 72 74 73 3b 76 61 72 20 6f 3d 61 5b 6e 5d 3d 7b 69 3a 6e 2c 6c 3a 21 31 2c 65 78 70 6f 72 74 73 3a 7b 7d 7d 3b 72 65 74 75 72 6e 20 65 5b 6e 5d 2e 63 61 6c 6c 28 6f 2e 65 78 70 6f 72 74 73 2c 6f 2c 6f 2e 65 78 70 6f 72 74 73 2c 69 29 2c 6f 2e 6c 3d 21 30 2c 6f 2e 65 78 70 6f 72 74 73 7d 72 65 74 75 72 6e 20 69 2e 6d 3d 65 2c 69 2e 63 3d 61 2c 69 2e 64 3d 66 75 6e 63 74 69 6f 6e 28 65 Data Ascii: var WcpConsent;!function(){var e={229:function(e){window,e.exports=function(e){var a={};function i(n){if(a[n])return a[n].exports;var o=a[n]={i:n,l:!1,exports:{}};return e[n].call(o.exports,o,o.exports,i),o.l=!0,o.exports}return i.m=e,i.c=a,i.d=function(e
2024-01-05 02:29:33 UTC	16384	IN	Data Raw: 65 29 7b 72 65 74 75 72 6e 20 65 3f 65 2e 72 65 70 6c 61 63 65 28 2f 26 2f 67 2c 22 26 61 6d 70 3b 22 29 2e 72 65 70 6c 61 63 65 28 2f 3c 2f 67 2c 22 26 6c 74 3b 22 29 2e 72 65 70 6c 61 63 65 28 2f 3e 2f 67 2c 22 26 67 74 3b 22 29 2e 72 65 70 6c 61 63 65 28 2f 22 2f 67 2c 22 26 71 75 6f 74 3b 22 29 2e 72 65 70 6c 61 63 65 28 2f 27 2f 67 2c 22 26 23 30 33 39 3b 22 29 3a 22 22 7d 2c 65 7d 28 29 2c 72 3d 6e 2e 6c 6f 63 61 6c 73 2c 73 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 66 75 6e 63 74 69 6f 6e 20 65 28 65 2c 61 2c 69 2c 6e 2c 6f 2c 74 2c 72 29 7b 74 68 69 73 2e 64 69 72 65 63 74 69 6f 6e 3d 22 6c 74 72 22 2c 74 68 69 73 2e 70 72 65 76 69 6f 75 73 46 6f 63 75 73 45 6c 65 6d 65 6e 74 42 65 66 6f 72 65 50 6f 70 75 70 3d 6e 75 6c 6c 2c 74 68 69 73 2e 63 6f 6f 6b Data Ascii: e){return e?e.replace(/&/g,"&").replace(/</g,"<").replace(/>/g,">").replace(/"/g,""").replace(/'/g,"'"):""},e}(),r=n.locals,s=function(){function e(e,a,i,n,o,t,r){this.direction="ltr",this.previousFocusElementBeforePopup=null,this.cook
2024-01-05 02:29:33 UTC	713	IN	Data Raw: 6c 6f 72 22 5d 2b 22 20 21 69 6d 70 6f 72 74 61 6e 74 3b 5c 6e 20 20 20 20 20 20 20 20 7d 22 2c 61 2b 3d 27 69 6e 70 75 74 5b 74 79 70 65 3d 22 72 61 64 69 6f 22 5d 2e 27 2b 6c 2e 63 6f 6f 6b 69 65 49 74 65 6d 52 61 64 69 6f 42 74 6e 2b 22 20 2b 20 6c 61 62 65 6c 3a 68 6f 76 65 72 3a 3a 61 66 74 65 72 20 7b 5c 6e 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 22 2b 65 5b 22 72 61 64 69 6f 2d 62 75 74 74 6f 6e 2d 68 6f 76 65 72 2d 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 22 5d 2b 22 20 21 69 6d 70 6f 72 74 61 6e 74 3b 5c 6e 20 20 20 20 20 20 20 20 7d 22 2c 61 2b 3d 27 69 6e 70 75 74 5b 74 79 70 65 3d 22 72 61 64 69 6f 22 5d 2e 27 2b 6c 2e 63 6f 6f 6b 69 65 49 74 65 6d 52 61 64 69 6f 42 74 6e 2b 22 20 2b 20 Data Ascii: lor"]+" !important;\n }",a+='input[type="radio"].'+l.cookieItemRadioBtn+" + label:hover::after {\n background-color: "+e["radio-button-hover-background-color"]+" !important;\n }",a+='input[type="radio"].'+l.cookieItemRadioBtn+" +
2024-01-05 02:29:33 UTC	16384	IN	Data Raw: 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 22 2b 65 5b 22 72 61 64 69 6f 2d 62 75 74 74 6f 6e 2d 64 69 73 61 62 6c 65 64 2d 63 6f 6c 6f 72 22 5d 2b 22 20 21 69 6d 70 6f 72 74 61 6e 74 3b 5c 6e 20 20 20 20 20 20 20 20 7d 22 7d 2c 65 7d 28 29 2c 64 3d 5b 22 61 72 22 2c 22 68 65 22 2c 22 70 73 22 2c 22 75 72 22 2c 22 66 61 22 2c 22 70 61 22 2c 22 73 64 22 2c 22 74 6b 22 2c 22 75 67 22 2c 22 79 69 22 2c 22 73 79 72 22 2c 22 6b 73 2d 61 72 61 62 22 5d 2c 75 3d 7b 22 63 6c 6f 73 65 2d 62 75 74 74 6f 6e 2d 63 6f 6c 6f 72 22 3a 22 23 36 36 36 36 36 36 22 2c 22 73 65 63 6f 6e 64 61 72 79 2d 62 75 74 74 6f 6e 2d 64 69 73 61 62 6c 65 64 2d 6f 70 61 63 69 74 79 22 3a 22 31 22 2c 22 73 65 63 6f 6e 64 61 72 79 2d 62 75 74 74 6f 6e Data Ascii: background-color: "+e["radio-button-disabled-color"]+" !important;\n }"},e}(),d=["ar","he","ps","ur","fa","pa","sd","tk","ug","yi","syr","ks-arab"],u={"close-button-color":"#666666","secondary-button-disabled-opacity":"1","secondary-button
2024-01-05 02:29:33 UTC	16384	IN	Data Raw: 6f 72 74 65 64 2c 20 73 65 74 74 69 6e 67 20 63 6f 6e 73 65 6e 74 20 69 73 20 68 61 6e 64 6c 65 64 20 62 79 20 6c 69 62 72 61 72 79 22 29 7d 2c 65 2e 68 61 73 43 6f 6e 73 65 6e 74 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 67 28 29 7d 2c 65 2e 69 73 56 69 73 69 62 6c 65 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 21 21 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 77 63 70 43 6f 6e 73 65 6e 74 42 61 6e 6e 65 72 43 74 72 6c 22 29 7d 2c 65 2e 65 6d 69 74 3d 66 75 6e 63 74 69 6f 6e 28 65 29 7b 66 6f 72 28 76 61 72 20 61 3d 5b 5d 2c 69 3d 31 3b 69 3c 61 72 67 75 6d 65 6e 74 73 2e 6c 65 6e 67 74 68 3b 69 2b 2b 29 61 5b 69 2d 31 5d 3d 61 72 67 75 6d 65 6e 74 73 5b 69 5d 3b 76 61 72 20 6e 3d 74 68 69 73 2e 65 Data Ascii: orted, setting consent is handled by library")},e.hasConsent=function(){return g()},e.isVisible=function(){return!!document.getElementById("wcpConsentBannerCtrl")},e.emit=function(e){for(var a=[],i=1;i<arguments.length;i++)a[i-1]=arguments[i];var n=this.e
2024-01-05 02:29:33 UTC	16384	IN	Data Raw: 84 d9 81 d8 a7 d8 aa 20 d8 aa d8 b9 d8 b1 d9 8a d9 81 20 d8 a7 d9 84 d8 a7 d8 b1 d8 aa d8 a8 d8 a7 d8 b7 20 d8 b9 d9 84 d9 89 20 d9 88 d8 b3 d8 a7 d8 a6 d9 84 20 d8 a7 d9 84 d8 aa d9 88 d8 a7 d8 b5 d9 84 20 d8 a7 d9 84 d8 a7 d8 ac d8 aa d9 85 d8 a7 d8 b9 d9 8a 20 d9 84 d8 b9 d8 b1 d8 b6 20 d8 a7 d9 84 d8 a5 d8 b9 d9 84 d8 a7 d9 86 d8 a7 d8 aa 20 d9 88 d8 a7 d9 84 d9 85 d8 ad d8 aa d9 88 d9 89 20 d8 a7 d8 b3 d8 aa d9 86 d8 a7 d8 af d9 8b d8 a7 20 d8 a5 d9 84 d9 89 20 d9 85 d9 84 d9 81 d8 a7 d8 aa 20 d8 aa d8 b9 d8 b1 d9 8a d9 81 d9 83 20 d8 b9 d9 84 d9 89 20 d9 88 d8 b3 d8 a7 d8 a6 d9 84 20 d8 a7 d9 84 d8 aa d9 88 d8 a7 d8 b5 d9 84 20 d8 a7 d9 84 d8 a7 d8 ac d8 aa d9 85 d8 a7 d8 b9 d9 8a 20 d9 88 d8 a7 d9 84 d9 86 d8 b4 d8 a7 d8 b7 20 d8 b9 d9 84 d9 89 20 Data Ascii:
2024-01-05 02:29:33 UTC	16384	IN	Data Raw: 80 d1 81 d0 be d0 bd d0 b0 d0 bb d0 b8 d0 b7 d0 b8 d1 80 d0 b0 d0 bd d0 b0 20 d1 80 d0 b5 d0 ba d0 bb d0 b0 d0 bc d0 b0 20 d0 b2 d1 8a d0 b7 20 d0 be d1 81 d0 bd d0 be d0 b2 d0 b0 20 d0 bd d0 b0 20 d0 b2 d0 b0 d1 88 d0 b0 d1 82 d0 b0 20 d0 be d0 bd d0 bb d0 b0 d0 b9 d0 bd 20 d0 b0 d0 ba d1 82 d0 b8 d0 b2 d0 bd d0 be d1 81 d1 82 2e 20 d0 90 d0 ba d0 be 20 d0 be d1 82 d1 85 d0 b2 d1 8a d1 80 d0 bb d0 b8 d1 82 d0 b5 20 d0 be d0 bf d1 86 d0 b8 d0 be d0 bd d0 b0 d0 bb d0 bd d0 b8 d1 82 d0 b5 20 d0 b1 d0 b8 d1 81 d0 ba d0 b2 d0 b8 d1 82 d0 ba d0 b8 2c 20 d1 89 d0 b5 20 d1 81 d0 b5 20 d0 b8 d0 b7 d0 bf d0 be d0 bb d0 b7 d0 b2 d0 b0 d1 82 20 d1 81 d0 b0 d0 bc d0 be 20 d0 b1 d0 b8 d1 81 d0 ba d0 b2 d0 b8 d1 82 d0 ba d0 b8 2c 20 d0 ba d0 be d0 b8 d1 82 d0 be 20 d1 Data Ascii: . , ,
2024-01-05 02:29:33 UTC	1024	IN	Data Raw: 69 65 20 70 72 6f 20 73 6f 63 69 c3 a1 6c 6e c3 ad 20 73 c3 ad 74 c4 9b 20 70 6f 75 c5 be c3 ad 76 c3 a1 6d 65 20 73 70 6f 6c 75 20 73 20 74 c5 99 65 74 c3 ad 6d 69 20 73 74 72 61 6e 61 6d 69 20 6b 20 7a 6f 62 72 61 7a 6f 76 c3 a1 6e c3 ad 20 72 65 6b 6c 61 6d 20 61 20 6f 62 73 61 68 75 20 6e 61 20 7a c3 a1 6b 6c 61 64 c4 9b 20 76 61 c5 a1 69 63 68 20 70 72 6f 66 69 6c c5 af 20 6e 61 20 73 6f 63 69 c3 a1 6c 6e c3 ad 63 68 20 73 c3 ad 74 c3 ad 63 68 20 61 20 61 6b 74 69 76 69 74 20 6e 61 20 6e 61 c5 a1 69 63 68 20 77 65 62 65 63 68 2e 20 53 6c 6f 75 c5 be c3 ad 20 6b 20 70 72 6f 70 6f 6a 65 6e c3 ad 20 76 61 c5 a1 c3 ad 20 61 6b 74 69 76 69 74 79 20 6e 61 20 6e 61 c5 a1 69 63 68 20 77 65 62 65 63 68 20 73 20 70 72 6f 66 69 6c 79 20 6e 61 20 73 6f 63 69 c3 Data Ascii: ie pro sociln st pouvme spolu s tetmi stranami k zobrazovn reklam a obsahu na zklad vaich profil na socilnch stch a aktivit na naich webech. Slou k propojen va aktivity na naich webech s profily na soci
2024-01-05 02:29:33 UTC	16384	IN	Data Raw: 69 27 6e 20 64 65 66 6e 79 64 64 69 6f 20 62 72 69 77 73 69 6f 6e 20 69 20 77 65 6c 6c 61 27 63 68 20 70 72 6f 66 69 61 64 20 61 72 20 65 69 6e 20 67 77 65 66 61 6e 6e 61 75 20 61 72 20 67 79 66 65 72 20 68 79 73 62 79 73 65 62 75 2e 20 3c 61 20 74 61 72 67 65 74 3d 27 5f 62 6c 61 6e 6b 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 67 6f 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 66 77 6c 69 6e 6b 2f 3f 4c 69 6e 6b 49 64 3d 35 32 31 38 33 39 27 3e 44 61 74 67 61 6e 69 61 64 20 50 72 65 69 66 61 74 72 77 79 64 64 3c 2f 61 3e 22 2c 61 63 63 65 70 74 41 6c 6c 4c 61 62 65 6c 3a 22 44 65 72 62 79 6e 22 2c 72 65 6a 65 63 74 41 6c 6c 4c 61 62 65 6c 3a 22 47 77 72 74 68 6f 64 22 2c 6d 6f 72 65 49 6e 66 6f 4c 61 62 65 6c 3a 22 52 68 65 6f 6c 69 20 62 72 69 77 Data Ascii: i'n defnyddio briwsion i wella'ch profiad ar ein gwefannau ar gyfer hysbysebu. <a target='_blank' href='https://go.microsoft.com/fwlink/?LinkId=521839'>Datganiad Preifatrwydd</a>",acceptAllLabel:"Derbyn",rejectAllLabel:"Gwrthod",moreInfoLabel:"Rheoli briw
2024-01-05 02:29:33 UTC	16384	IN	Data Raw: cf 84 ce b9 ce ba ce b1 cf 84 ce bf cf 80 cf 84 cf 81 ce af ce b6 ce bf cf 85 ce bd 20 ce ba ce b1 ce bb cf 8d cf 84 ce b5 cf 81 ce b1 20 cf 84 ce b1 20 ce b5 ce bd ce b4 ce b9 ce b1 cf 86 ce ad cf 81 ce bf ce bd cf 84 ce ac 20 cf 83 ce b1 cf 82 2e 22 7d 2c 7b 69 64 3a 22 63 33 22 2c 6e 61 6d 65 3a 22 43 6f 6f 6b 69 65 20 ce b4 ce b9 ce b1 cf 86 ce b7 ce bc ce af cf 83 ce b5 cf 89 ce bd 22 2c 64 65 73 63 3a 22 ce 95 ce bc ce b5 ce af cf 82 2c 20 ce ba ce b1 ce b8 cf 8e cf 82 20 ce ba ce b1 ce b9 20 cf 84 cf 81 ce af cf 84 ce b1 20 ce bc ce ad cf 81 ce b7 2c 20 cf 87 cf 81 ce b7 cf 83 ce b9 ce bc ce bf cf 80 ce bf ce b9 ce bf cf 8d ce bc ce b5 20 63 6f 6f 6b 69 65 20 ce b4 ce b9 ce b1 cf 86 ce b7 ce bc ce af cf 83 ce b5 cf 89 ce bd 20 ce ba ce b1 ce b9 20 Data Ascii: ."},{id:"c3",name:"Cookie ",desc:", , cookie

Timestamp	Bytes transferred	Direction	Data
2024-01-05 02:29:35 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-01-05 02:29:35 UTC	533	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Tue, 16 May 2017 22:58:00 GMT ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-eus2-z1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json X-MSEdge-Ref: Ref A: EBAA5EB4F8314AE9868BD97CD6EDC6C5 Ref B: PAOEDGE0606 Ref C: 2024-01-04T23:40:21Z Cache-Control: public, max-age=249011 Date: Fri, 05 Jan 2024 02:29:35 GMT Connection: close X-CID: 2

Timestamp	Bytes transferred	Direction	Data
2024-01-05 02:29:36 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-01-05 02:29:36 UTC	531	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Tue, 16 May 2017 22:58:00 GMT ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json X-Azure-Ref: 0tRYRYwAAAAB+m19QWmzDRKgUYMFKn7LkU0pDRURHRTA1MDYAY2VmYzI1ODMtYTliMi00NGE3LTk3NTUtYjc2ZDE3ZTA1Zjdm Cache-Control: public, max-age=248732 Date: Fri, 05 Jan 2024 02:29:36 GMT Content-Length: 55 Connection: close X-CID: 2
2024-01-05 02:29:36 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Timestamp	Bytes transferred	Direction	Data
2024-01-05 02:29:43 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=bwRtW6N881YGmLR&MD=aOu5faNG HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-01-05 02:29:43 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: 413bbe8c-4f91-4e99-a362-cac5984f0845 MS-RequestId: 9592dd9a-6b0c-420a-ad95-d710a56171ae MS-CV: bJOUMuvbOEGqGsz1.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Fri, 05 Jan 2024 02:29:42 GMT Connection: close Content-Length: 24490
2024-01-05 02:29:43 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-01-05 02:29:43 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Timestamp	Bytes transferred	Direction	Data
2024-01-05 02:29:43 UTC	2148	OUT	POST /threshold/xls.aspx HTTP/1.1 Origin: https://www.bing.com Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init Accept: / Accept-Language: en-CH Content-type: text/xml X-Agent-DeviceId: 01000A410900D492 X-BM-CBT: 1696428841 X-BM-DateFormat: dd/MM/yyyy X-BM-DeviceDimensions: 784x984 X-BM-DeviceDimensionsLogical: 784x984 X-BM-DeviceScale: 100 X-BM-DTZ: 120 X-BM-Market: CH X-BM-Theme: 000000;0078d7 X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66E X-Device-ClientSession: DB0AFB19004F47BC80E5208C7478FF22 X-Device-isOptin: false X-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A} X-Device-OSSKU: 48 X-Device-Touch: false X-DeviceID: 01000A410900D492 X-MSEdge-ExternalExp: d-thshld39,d-thshld42,d-thshld77,d-thshld78,staticsh X-MSEdge-ExternalExpType: JointCoord X-PositionerType: Desktop X-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI X-Search-CortanaAvailableCapabilities: None X-Search-SafeSearch: Moderate X-Search-TimeZone: Bias=-60; DaylightBias=-60; TimeZoneKeyName=W. Europe Standard Time X-UserAgeClass: Unknown Accept-Encoding: gzip, deflate, br User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045 Host: www.bing.com Content-Length: 2483 Connection: Keep-Alive Cache-Control: no-cache Cookie: MUID=2F4E96DB8B7049E59AD4484C3C00F7CF; _SS=SID=1A6DEABB468B65843EB5F91B47916435&CPID=1704421751788&AC=1&CPH=d1a4eb75; _EDGE_S=SID=1A6DEABB468B65843EB5F91B47916435; SRCHUID=V=2&GUID=3D32B8AC657C4AD781A584E283227995&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20231004; SRCHHPGUSR=SRCHLANG=en&IPMH=986d886c&IPMID=1696428841029&HV=1696428756; CortanaAppUID=5A290E2CC4B523E2D8B5E2E3E4CB7CB7; MUIDB=2F4E96DB8B7049E59AD4484C3C00F7CF
2024-01-05 02:29:43 UTC	1	OUT	Data Raw: 3c Data Ascii: <
2024-01-05 02:29:43 UTC	2482	OUT	Data Raw: 43 6c 69 65 6e 74 49 6e 73 74 52 65 71 75 65 73 74 3e 3c 43 49 44 3e 33 36 34 34 46 44 37 34 44 46 31 36 36 31 38 46 30 38 46 37 45 43 30 33 44 45 35 35 36 30 30 31 3c 2f 43 49 44 3e 3c 45 76 65 6e 74 73 3e 3c 45 3e 3c 54 3e 45 76 65 6e 74 2e 43 6c 69 65 6e 74 49 6e 73 74 3c 2f 54 3e 3c 49 47 3e 37 35 32 32 38 31 35 36 37 30 33 41 34 30 44 35 42 39 37 45 35 41 36 38 33 36 46 32 41 31 43 45 3c 2f 49 47 3e 3c 44 3e 3c 21 5b 43 44 41 54 41 5b 7b 22 43 75 72 55 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 69 6e 67 2e 63 6f 6d 2f 41 53 2f 41 50 49 2f 57 69 6e 64 6f 77 73 43 6f 72 74 61 6e 61 50 61 6e 65 2f 56 32 2f 49 6e 69 74 22 2c 22 50 69 76 6f 74 22 3a 22 51 46 22 2c 22 54 22 3a 22 43 49 2e 42 6f 78 4d 6f 64 65 6c 22 2c 22 46 49 44 22 3a 22 43 49 Data Ascii: ClientInstRequest><CID>3644FD74DF16618F08F7EC03DE556001</CID><Events><E><T>Event.ClientInst</T><IG>75228156703A40D5B97E5A6836F2A1CE</IG><D><![CDATA[{"CurUrl":"https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init","Pivot":"QF","T":"CI.BoxModel","FID":"CI
2024-01-05 02:29:43 UTC	476	IN	HTTP/1.1 204 No Content Access-Control-Allow-Origin: * Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version X-MSEdge-Ref: Ref A: 116BE13E2AAA4BCDA1478E6AA892D05C Ref B: BY3EDGE0312 Ref C: 2024-01-05T02:29:43Z Date: Fri, 05 Jan 2024 02:29:43 GMT Connection: close Alt-Svc: h3=":443"; ma=93600 X-CDN-TraceID: 0.57ed0117.1704421783.94851dce

Timestamp	Bytes transferred	Direction	Data
2024-01-05 02:30:20 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=bwRtW6N881YGmLR&MD=aOu5faNG HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-01-05 02:30:21 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "Mx1RoJH/qEwpWfKllx7sbsl28AuERz5IYdcsvtTJcgM=_2160" MS-CorrelationId: 5e89564f-514b-4e55-b028-f093998e6287 MS-RequestId: c1a5cac0-6723-477f-85e3-ec40d063b7a0 MS-CV: DPVDm6anDUKDVHvs.0 X-Microsoft-SLSClientCache: 2160 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Fri, 05 Jan 2024 02:30:20 GMT Connection: close Content-Length: 25457
2024-01-05 02:30:21 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 51 22 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 db 8e 00 00 14 00 00 00 00 00 10 00 51 22 00 00 20 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 f3 43 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 0d 92 6f db e5 21 f3 43 43 4b ed 5a 09 38 55 5b df 3f 93 99 90 29 99 e7 29 ec 73 cc 4a 66 32 cf 84 32 64 c8 31 c7 11 52 38 87 90 42 66 09 99 87 32 0f 19 0a 09 51 a6 a8 08 29 53 86 4a 52 84 50 df 46 83 ba dd 7b df fb 7e ef 7d ee 7d bf ef 9e e7 d9 67 ef 35 ee b5 fe eb 3f ff b6 96 81 a2 0a 04 fc 31 40 21 5b 3f a5 ed 1b 04 0e 85 42 a0 10 04 64 12 6c a5 de aa a1 d8 ea f3 58 01 f2 f5 67 0b 5e 9b bd e8 a0 90 1d bf 40 88 9d eb 49 b4 87 9b ab 8b 9d 2b 46 c8 c7 c5 19 92 Data Ascii: MSCFQ"DQ" AdCenvironment.cabo!CCKZ8U[?))sJf22d1R8Bf2Q)SJRPF{~}}g5?1@![?BdlXg^@I+F
2024-01-05 02:30:21 UTC	9633	IN	Data Raw: 21 6f b3 eb a6 cc f5 31 be cf 05 e2 a9 fe fa 57 6d 19 30 b3 c2 c5 66 c9 6a df f5 e7 f0 78 bd c7 a8 9e 25 e3 f9 bc ed 6b 54 57 08 2b 51 82 44 12 fb b9 53 8c cc f4 60 12 8a 76 cc 40 40 41 9b dc 5c 17 ff 5c f9 5e 17 35 98 24 56 4b 74 ef 42 10 c8 af bf 7f c6 7f f2 37 7d 5a 3f 1c f2 99 79 4a 91 52 00 af 38 0f 17 f5 2f 79 81 65 d9 a9 b5 6b e4 c7 ce f6 ca 7a 00 6f 4b 30 44 24 22 3c cf ed 03 a5 96 8f 59 29 bc b6 fd 04 e1 70 9f 32 4a 27 fd 55 af 2f fe b6 e5 8e 33 bb 62 5f 9a db 57 40 e9 f1 ce 99 66 90 8c ff 6a 62 7f dd c5 4a 0b 91 26 e2 39 ec 19 4a 71 63 9d 7b 21 6d c3 9c a3 a2 3c fa 7f 7d 96 6a 90 78 a6 6d d2 e1 9c f9 1d fc 38 d8 94 f4 c6 a5 0a 96 86 a4 bd 9e 1a ae 04 42 83 b8 b5 80 9b 22 38 20 b5 25 e5 64 ec f7 f4 bf 7e 63 59 25 0f 7a 2e 39 57 76 a2 71 aa 06 8a Data Ascii: !o1Wm0fjx%kTW+QDS`v@@A\\^5$VKtB7}Z?yJR8/yekzoK0D$"<Y)p2J'U/3b_W@fjbJ&9Jqc{!m<}jxm8B"8 %d~cY%z.9Wvq

Timestamp	Bytes transferred	Direction	Data
2024-01-05 02:30:59 UTC	449	OUT	GET /tools/pso/ping?as=chrome&brand=ONGR&pid=&hl=en&events=C1I,C2I,C7I,C1S,C7S&rep=2&rlz=C1:,C2:,C7:&id=000000000000000000000000000000000000000040896C04EA HTTP/1.1 Host: clients1.google.com Connection: keep-alive Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br
2024-01-05 02:31:00 UTC	817	IN	HTTP/1.1 200 OK Content-Security-Policy: script-src 'report-sample' 'nonce-0T3Ko_5_-ZoNL1T7gBuC9w' 'unsafe-inline' 'strict-dynamic' https: http:;object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/download-dt/1 Content-Security-Policy: script-src 'report-sample' 'nonce-lg48q2xHEIWEniEL7Jhdzg' 'unsafe-inline' 'strict-dynamic' https: http:;object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/download-dt/1 Content-Type: text/plain; charset=utf-8 Content-Length: 220 Date: Fri, 05 Jan 2024 02:31:00 GMT Expires: Fri, 05 Jan 2024 02:31:00 GMT Cache-Control: private, max-age=0 X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block Server: GSE Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-01-05 02:31:00 UTC	220	IN	Data Raw: 72 6c 7a 43 31 3a 20 31 43 31 4f 4e 47 52 5f 65 6e 47 42 31 30 39 31 0a 72 6c 7a 43 32 3a 20 31 43 32 4f 4e 47 52 5f 65 6e 47 42 31 30 39 31 0a 72 6c 7a 43 37 3a 20 31 43 37 4f 4e 47 52 5f 65 6e 47 42 31 30 39 31 0a 64 63 63 3a 20 0a 73 65 74 5f 64 63 63 3a 20 43 31 3a 31 43 31 4f 4e 47 52 5f 65 6e 47 42 31 30 39 31 2c 43 32 3a 31 43 32 4f 4e 47 52 5f 65 6e 47 42 31 30 39 31 2c 43 37 3a 31 43 37 4f 4e 47 52 5f 65 6e 47 42 31 30 39 31 0a 65 76 65 6e 74 73 3a 20 43 31 49 2c 43 32 49 2c 43 37 49 2c 43 31 53 2c 43 37 53 0a 73 74 61 74 65 66 75 6c 2d 65 76 65 6e 74 73 3a 20 43 31 49 2c 43 32 49 2c 43 37 49 0a 63 72 63 33 32 3a 20 65 63 33 33 62 66 35 33 0a Data Ascii: rlzC1: 1C1ONGR_enGB1091rlzC2: 1C2ONGR_enGB1091rlzC7: 1C7ONGR_enGB1091dcc: set_dcc: C1:1C1ONGR_enGB1091,C2:1C2ONGR_enGB1091,C7:1C7ONGR_enGB1091events: C1I,C2I,C7I,C1S,C7Sstateful-events: C1I,C2I,C7Icrc32: ec33bf53

Target ID:	0
Start time:	03:29:23
Start date:	05/01/2024
Path:	C:\Users\user\Desktop\Renewal.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Renewal.exe
Imagebase:	0xcd0000
File size:	12'800 bytes
MD5 hash:	E7457FC1FECAC4151A1D49B54CF3ACD5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	2
Start time:	03:29:28
Start date:	05/01/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=Renewal.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	4
Start time:	03:29:29
Start date:	05/01/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2540 --field-trial-handle=2364,i,3433059245063578953,17793063878387418449,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	5
Start time:	03:29:31
Start date:	05/01/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=Renewal.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Renewal.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Phishing

Compliance

Networking

System Summary

Boot Survival

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Chrome Cache Entry: 100

Chrome Cache Entry: 101

Chrome Cache Entry: 102

Chrome Cache Entry: 103

Chrome Cache Entry: 104

Chrome Cache Entry: 105

Chrome Cache Entry: 106

Chrome Cache Entry: 107

Chrome Cache Entry: 108

Chrome Cache Entry: 109

Chrome Cache Entry: 110

Chrome Cache Entry: 111

Chrome Cache Entry: 112

Chrome Cache Entry: 113

Chrome Cache Entry: 114

Chrome Cache Entry: 115

Chrome Cache Entry: 116

Chrome Cache Entry: 117

Chrome Cache Entry: 118

Chrome Cache Entry: 119

Chrome Cache Entry: 120

Windows Analysis Report
Renewal.exe

Target ID:	6
Start time:	03:29:32
Start date:	05/01/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 --field-trial-handle=2028,i,5267686039598994631,3060138403470109992,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre