Edit tour

Windows Analysis Report
https://t.infomail.microsoft.com/r/?id=h33e6dcea,30eb2eb9,30f0bfad&e=b2NpZD0&s=sdF7TZmeHSMvab1SVCnXSk8UeptkNLUsLWNIE9RJuvA

Overview

General Information

Sample URL:	https://t.infomail.microsoft.com/r/?id=h33e6dcea,30eb2eb9,30f0bfad&e=b2NpZD0&s=sdF7TZmeHSMvab1SVCnXSk8UeptkNLUsLWNIE9RJuvA
Analysis ID:	1334337
Infos:

Detection

Score:	2
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Stores files to the Windows start menu directory

Found iframes

HTML title does not match URL

Creates files inside the system directory

Uses insecure TLS / SSL version for HTTPS connection

Classification

Process Tree

System is w10x64_ra

chrome.exe (PID: 6064 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://t.infomail.microsoft.com/r/?id=h33e6dcea,30eb2eb9,30f0bfad&e=b2NpZD0&s=sdF7TZmeHSMvab1SVCnXSk8UeptkNLUsLWNIE9RJuvA MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 4444 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2028 --field-trial-handle=1928,i,1617931672732729168,8726956104796720465,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Joe Sandbox Signatures

• Phishing
• Compliance
• Networking
• System Summary
• Boot Survival

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=16&ct=1698678765&rver=7.3.6962.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2F%3Fv%3Dupgrade%26hideLeftNav%3Dtrue%26ocid%3Dcmmals8zpma%26CLRTags%3Dc_udf~%24~Mod1-CTA1~%24%24~c_cmp~%24~EmailCTA~%24%24~c_type~%24~CTAButton~%24%24~c_pos~%24~4A_~_CLRTags_~_%26ocid%3D%26mkt%3Den-US&lc=1033&id=250206&cbcxt=sky&mkt=en-US&lw=1&fl=easi2	HTTP Parser: Iframe src: https://onedrive.live.com/preload?view=Folders.All&id=250206&mkt=EN-US
Source: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=16&ct=1698678765&rver=7.3.6962.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2F%3Fv%3Dupgrade%26hideLeftNav%3Dtrue%26ocid%3Dcmmals8zpma%26CLRTags%3Dc_udf~%24~Mod1-CTA1~%24%24~c_cmp~%24~EmailCTA~%24%24~c_type~%24~CTAButton~%24%24~c_pos~%24~4A_~_CLRTags_~_%26ocid%3D%26mkt%3Den-US&lc=1033&id=250206&cbcxt=sky&mkt=en-US&lw=1&fl=easi2	HTTP Parser: Iframe src: https://onedrive.live.com/preload?view=Folders.All&id=250206&mkt=EN-US
Source: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=16&ct=1698678765&rver=7.3.6962.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2F%3Fv%3Dupgrade%26hideLeftNav%3Dtrue%26ocid%3Dcmmals8zpma%26CLRTags%3Dc_udf~%24~Mod1-CTA1~%24%24~c_cmp~%24~EmailCTA~%24%24~c_type~%24~CTAButton~%24%24~c_pos~%24~4A_~_CLRTags_~_%26ocid%3D%26mkt%3Den-US&lc=1033&id=250206&cbcxt=sky&mkt=en-US&lw=1&fl=easi2	HTTP Parser: Iframe src: https://onedrive.live.com/preload?view=Folders.All&id=250206&mkt=EN-US

Source: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=16&ct=1698678765&rver=7.3.6962.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2F%3Fv%3Dupgrade%26hideLeftNav%3Dtrue%26ocid%3Dcmmals8zpma%26CLRTags%3Dc_udf~%24~Mod1-CTA1~%24%24~c_cmp~%24~EmailCTA~%24%24~c_type~%24~CTAButton~%24%24~c_pos~%24~4A_~_CLRTags_~_%26ocid%3D%26mkt%3Den-US&lc=1033&id=250206&cbcxt=sky&mkt=en-US&lw=1&fl=easi2

HTTP Parser: Title: OneDrive does not match URL

HTTP Parser: <input type="password" .../> found

Source: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=16&ct=1698678765&rver=7.3.6962.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2F%3Fv%3Dupgrade%26hideLeftNav%3Dtrue%26ocid%3Dcmmals8zpma%26CLRTags%3Dc_udf~%24~Mod1-CTA1~%24%24~c_cmp~%24~EmailCTA~%24%24~c_type~%24~CTAButton~%24%24~c_pos~%24~4A_~_CLRTags_~_%26ocid%3D%26mkt%3Den-US&lc=1033&id=250206&cbcxt=sky&mkt=en-US&lw=1&fl=easi2	HTTP Parser: No <meta name="author".. found
Source: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=16&ct=1698678765&rver=7.3.6962.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2F%3Fv%3Dupgrade%26hideLeftNav%3Dtrue%26ocid%3Dcmmals8zpma%26CLRTags%3Dc_udf~%24~Mod1-CTA1~%24%24~c_cmp~%24~EmailCTA~%24%24~c_type~%24~CTAButton~%24%24~c_pos~%24~4A_~_CLRTags_~_%26ocid%3D%26mkt%3Den-US&lc=1033&id=250206&cbcxt=sky&mkt=en-US&lw=1&fl=easi2	HTTP Parser: No <meta name="author".. found
Source: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=16&ct=1698678765&rver=7.3.6962.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2F%3Fv%3Dupgrade%26hideLeftNav%3Dtrue%26ocid%3Dcmmals8zpma%26CLRTags%3Dc_udf~%24~Mod1-CTA1~%24%24~c_cmp~%24~EmailCTA~%24%24~c_type~%24~CTAButton~%24%24~c_pos~%24~4A_~_CLRTags_~_%26ocid%3D%26mkt%3Den-US&lc=1033&id=250206&cbcxt=sky&mkt=en-US&lw=1&fl=easi2	HTTP Parser: No <meta name="author".. found

Source: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=16&ct=1698678765&rver=7.3.6962.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2F%3Fv%3Dupgrade%26hideLeftNav%3Dtrue%26ocid%3Dcmmals8zpma%26CLRTags%3Dc_udf~%24~Mod1-CTA1~%24%24~c_cmp~%24~EmailCTA~%24%24~c_type~%24~CTAButton~%24%24~c_pos~%24~4A_~_CLRTags_~_%26ocid%3D%26mkt%3Den-US&lc=1033&id=250206&cbcxt=sky&mkt=en-US&lw=1&fl=easi2	HTTP Parser: No <meta name="copyright".. found
Source: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=16&ct=1698678765&rver=7.3.6962.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2F%3Fv%3Dupgrade%26hideLeftNav%3Dtrue%26ocid%3Dcmmals8zpma%26CLRTags%3Dc_udf~%24~Mod1-CTA1~%24%24~c_cmp~%24~EmailCTA~%24%24~c_type~%24~CTAButton~%24%24~c_pos~%24~4A_~_CLRTags_~_%26ocid%3D%26mkt%3Den-US&lc=1033&id=250206&cbcxt=sky&mkt=en-US&lw=1&fl=easi2	HTTP Parser: No <meta name="copyright".. found
Source: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=16&ct=1698678765&rver=7.3.6962.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2F%3Fv%3Dupgrade%26hideLeftNav%3Dtrue%26ocid%3Dcmmals8zpma%26CLRTags%3Dc_udf~%24~Mod1-CTA1~%24%24~c_cmp~%24~EmailCTA~%24%24~c_type~%24~CTAButton~%24%24~c_pos~%24~4A_~_CLRTags_~_%26ocid%3D%26mkt%3Den-US&lc=1033&id=250206&cbcxt=sky&mkt=en-US&lw=1&fl=easi2	HTTP Parser: No <meta name="copyright".. found

Source: unknown

HTTPS traffic detected: 23.1.237.25:443 -> 192.168.2.16:49758 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.16:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.16:49769 version: TLS 1.2

Source: unknown

HTTPS traffic detected: 23.1.237.25:443 -> 192.168.2.16:49758 version: TLS 1.0

Source: unknown

DNS traffic detected: queries for: clients2.google.com

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 8.253.132.121
Source: unknown	TCP traffic detected without corresponding DNS query: 8.253.132.121
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.21.200
Source: unknown	TCP traffic detected without corresponding DNS query: 8.253.132.121
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 8.253.132.121

Source: global traffic	HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=117.0.5938.132&lang=en-US&acceptformat=crx3,puff&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26brand%3DONGR%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmiedaX-Goog-Update-Updater: chromecrx-117.0.5938.132Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /16.000/Converged_v21033_sKiljltKC1Ne_Y3fl1HuHQ2.css HTTP/1.1Host: logincdn.msauth.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://login.live.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /16.000/content/js/ConvergedLoginPaginatedStrings.en_RrzHhfd8MjAVzwXCMGp2tg2.js HTTP/1.1Host: logincdn.msauth.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://login.live.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://login.live.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/js/ConvergedLogin_PCore_urbQc-Ts4Q7YxRZBQfZFVg2.js HTTP/1.1Host: logincdn.msauth.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://login.live.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://login.live.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js HTTP/1.1Host: logincdn.msauth.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://login.live.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/backgrounds/2_11d9e3bcdfede9ce5ce5ace2d129f1c4.svg HTTP/1.1Host: logincdn.msauth.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://login.live.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/microsoft_logo_564db913a7fa0ca42727161c6d031bef.svg HTTP/1.1Host: logincdn.msauth.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://login.live.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/documentation_dae218aac2d25462ae286ceba8d80ce2.svg HTTP/1.1Host: logincdn.msauth.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://login.live.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/signin-options_3e3f6b73c3f310c31d2c4d131a8ab8c6.svg HTTP/1.1Host: logincdn.msauth.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://login.live.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/backgrounds/2_11d9e3bcdfede9ce5ce5ace2d129f1c4.svg HTTP/1.1Host: logincdn.msauth.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/microsoft_logo_564db913a7fa0ca42727161c6d031bef.svg HTTP/1.1Host: logincdn.msauth.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/documentation_dae218aac2d25462ae286ceba8d80ce2.svg HTTP/1.1Host: logincdn.msauth.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /16.000.29975.7/images/favicon.ico HTTP/1.1Host: logincdn.msauth.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://login.live.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/signin-options_3e3f6b73c3f310c31d2c4d131a8ab8c6.svg HTTP/1.1Host: logincdn.msauth.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /16.000.29975.7/images/favicon.ico HTTP/1.1Host: logincdn.msauth.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=8+6Rz8sGbdwtOBY&MD=dfrD7cwc HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/marching_ants_white_8257b0707cbe1d0bd2661b80068676fe.gif HTTP/1.1Host: logincdn.msauth.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://login.live.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/marching_ants_986f40b5a9dc7d39ef8396797f61b323.gif HTTP/1.1Host: logincdn.msauth.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://login.live.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/marching_ants_white_8257b0707cbe1d0bd2661b80068676fe.gif HTTP/1.1Host: logincdn.msauth.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/marching_ants_986f40b5a9dc7d39ef8396797f61b323.gif HTTP/1.1Host: logincdn.msauth.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=8+6Rz8sGbdwtOBY&MD=dfrD7cwc HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /tools/pso/ping?as=chrome&brand=ONGR&pid=&hl=en&events=C1I,C2I,C7I,C1S,C7S&rep=2&rlz=C1:,C2:,C7:&id=0000000000000000000000000000000000000000A347A13BAC HTTP/1.1Host: clients1.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/js/asyncchunk/convergedlogin_premotengc_a5b6131ee9623666c88b.js HTTP/1.1Host: logincdn.msauth.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://login.live.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/arrow_left_43280e0ba671a1d8b5e34f1931c4fe4b.svg HTTP/1.1Host: logincdn.msauth.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://login.live.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/authenticatorinfo_290fd17f1406cfd103aae90b3655e4b3.svg HTTP/1.1Host: logincdn.msauth.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://login.live.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/authenticatorinfo_af86c170035c221b8157ec3a86e6d163.gif HTTP/1.1Host: logincdn.msauth.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://login.live.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/arrow_left_43280e0ba671a1d8b5e34f1931c4fe4b.svg HTTP/1.1Host: logincdn.msauth.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/authenticatorinfo_290fd17f1406cfd103aae90b3655e4b3.svg HTTP/1.1Host: logincdn.msauth.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/authenticatorinfo_af86c170035c221b8157ec3a86e6d163.gif HTTP/1.1Host: logincdn.msauth.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: unknown

HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2023-10-06-09; NID=511=LtGInZ4I4WDrCvCHQBVMHOy4a-sqzpSrMO-Rwr8ezStTz_kfoi2bri7uGdXfNvskAEO_Tj5Jkwl0XSN-qA6MYiGShcDB_vNQOl1bpl3aua7gMrDRvWsHLpAuFBlBnNxTMeen95XElzx3r4myG8p8sgSHdx4NBawYGaI5oFn_dZ8

Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.16:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.16:49769 version: TLS 1.2

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Windows\SystemTemp\chrome_BITS_6064_730734380

Jump to behavior

Source: classification engine

Classification label: clean2.win@14/35@14/8

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://t.infomail.microsoft.com/r/?id=h33e6dcea,30eb2eb9,30f0bfad&e=b2NpZD0&s=sdF7TZmeHSMvab1SVCnXSk8UeptkNLUsLWNIE9RJuvA
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2028 --field-trial-handle=1928,i,1617931672732729168,8726956104796720465,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2028 --field-trial-handle=1928,i,1617931672732729168,8726956104796720465,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Google Drive.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
1 Drive-by Compromise	Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	1 Process Injection	11 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	3 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	4 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Ingress Tool Transfer	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
https://t.infomail.microsoft.com/r/?id=h33e6dcea,30eb2eb9,30f0bfad&e=b2NpZD0&s=sdF7TZmeHSMvab1SVCnXSk8UeptkNLUsLWNIE9RJuvA	0%	Avira URL Cloud	safe

Name	IP	Active	Malicious	Reputation
accounts.google.com	172.253.122.84	true	false	high
sni1gl.wpc.alphacdn.net	152.195.19.97	true	false	unknown
cs1227.wpc.alphacdn.net	192.229.211.199	true	false	unknown
www.google.com	172.253.115.147	true	false	high
part-0012.t-0009.t-msedge.net	13.107.213.40	true	false	unknown
clients.l.google.com	142.251.111.138	true	false	high
clients1.google.com	unknown	unknown	false	high
clients2.google.com	unknown	unknown	false	high
onedrive.live.com	unknown	unknown	false	high
logincdn.msftauth.net	unknown	unknown	false	unknown
acctcdn.msftauth.net	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Reputation
https://onedrive.live.com/preload?view=Folders.All&id=250206&mkt=EN-US	false	high
https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=117.0.5938.132&lang=en-US&acceptformat=crx3,puff&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26brand%3DONGR%26ping%3Dr%253D-1%2526e%253D1	false	high
https://clients1.google.com/tools/pso/ping?as=chrome&brand=ONGR&pid=&hl=en&events=C1I,C2I,C7I,C1S,C7S&rep=2&rlz=C1:,C2:,C7:&id=0000000000000000000000000000000000000000A347A13BAC	false	high
https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
13.107.246.40	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
172.253.122.84	accounts.google.com	United States	15169	GOOGLEUS	false
142.251.111.138	clients.l.google.com	United States	15169	GOOGLEUS	false
172.253.63.113	unknown	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
172.253.115.147	www.google.com	United States	15169	GOOGLEUS	false
13.107.213.40	part-0012.t-0009.t-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false

Private

IP
192.168.2.16

General Information

Joe Sandbox Version:	38.0.0 Ammolite
Analysis ID:	1334337
Start date and time:	2023-10-30 16:12:13 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 3m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Sample URL:	https://t.infomail.microsoft.com/r/?id=h33e6dcea,30eb2eb9,30f0bfad&e=b2NpZD0&s=sdF7TZmeHSMvab1SVCnXSk8UeptkNLUsLWNIE9RJuvA
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean2.win@14/35@14/8
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 142.251.163.94, 20.97.219.252, 13.107.42.13, 34.104.35.123, 20.190.190.129, 40.126.62.131, 20.190.190.194, 20.190.190.131, 40.126.62.129, 20.190.190.132, 20.190.190.196, 20.190.190.193, 142.251.167.95, 142.250.31.95, 142.251.111.95, 172.253.115.95, 172.253.122.95, 142.251.163.95, 172.253.62.95, 172.253.63.95, 142.251.16.95, 23.216.132.41, 23.216.132.37, 23.216.132.43, 23.216.132.7, 23.216.132.38, 23.216.132.6, 23.216.132.33, 23.216.132.40, 23.216.132.31, 23.196.185.218, 23.44.237.184, 23.44.237.179, 23.44.237.216, 23.44.237.224, 23.44.237.217, 23.44.237.176, 23.44.237.152, 23.44.237.227, 23.54.69.215, 23.216.132.12, 23.216.132.17, 23.216.132.24, 23.216.132.21, 23.216.132.23, 23.216.132.13, 23.216.132.22, 23.216.132.14, 23.216.132.20, 192.229.211.108, 72.21.81.240, 20.190.190.195, 40.126.62.130, 20.190.190.130, 40.126.62.132, 23.44.237.193, 23.44.237.203, 23.44.237.178, 23.44.237.177, 23.44.237.195, 23.44.237.169, 23.200.88.26, 23.200.88.29, 23.200.88.24, 23.200.88.30,
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: https://t.infomail.microsoft.com/r/?id=h33e6dcea,30eb2eb9,30f0bfad&e=b2NpZD0&s=sdF7TZmeHSMvab1SVCnXSk8UeptkNLUsLWNIE9RJuvA

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Oct 30 14:12:45 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2673
Entropy (8bit):	3.9883441241686493
Encrypted:	false
SSDEEP:	48:8kdpTx+EwHW2idAKZdA1FehwiZUklqehJy+3:8uz6Cy
MD5:	7CE413D696436BDA036AD01A9C318C7C
SHA1:	4BBD392EC1B0D97E69B982D5CB00DEBEBDD72330
SHA-256:	7646183F2B6CBC490332E2EFC964142211CA395463A29A965840175F74677465
SHA-512:	3C2E5189799CDDDEF2DF3A7E74519D42BEA79EBE37F59BED61FEE29FAB3808B95D81CDAA4734349CB4A4469D044CDC65208A126035EC2741CF90D436899BCFD0
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......u.C...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I^W.y....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V^W.y....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V^W.y....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V^W.y..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V^W.y...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........;.G......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 30, 2023 16:12:44.528906107 CET	59613	53	192.168.2.16	1.1.1.1
Oct 30, 2023 16:12:44.529031038 CET	52038	53	192.168.2.16	1.1.1.1
Oct 30, 2023 16:12:44.529501915 CET	56958	53	192.168.2.16	1.1.1.1
Oct 30, 2023 16:12:44.529742956 CET	55830	53	192.168.2.16	1.1.1.1
Oct 30, 2023 16:12:44.607923031 CET	53	53901	1.1.1.1	192.168.2.16
Oct 30, 2023 16:12:44.622453928 CET	53	59613	1.1.1.1	192.168.2.16
Oct 30, 2023 16:12:44.622848988 CET	53	56958	1.1.1.1	192.168.2.16
Oct 30, 2023 16:12:44.623578072 CET	53	52038	1.1.1.1	192.168.2.16
Oct 30, 2023 16:12:44.624087095 CET	53	55830	1.1.1.1	192.168.2.16
Oct 30, 2023 16:12:45.117388010 CET	56853	53	192.168.2.16	1.1.1.1
Oct 30, 2023 16:12:45.117532015 CET	54302	53	192.168.2.16	1.1.1.1
Oct 30, 2023 16:12:45.325258017 CET	53	53943	1.1.1.1	192.168.2.16
Oct 30, 2023 16:12:46.896588087 CET	52558	53	192.168.2.16	1.1.1.1
Oct 30, 2023 16:12:46.896720886 CET	49675	53	192.168.2.16	1.1.1.1
Oct 30, 2023 16:12:47.004697084 CET	52795	53	192.168.2.16	1.1.1.1
Oct 30, 2023 16:12:47.005100012 CET	54103	53	192.168.2.16	1.1.1.1
Oct 30, 2023 16:12:48.901582956 CET	61523	53	192.168.2.16	1.1.1.1
Oct 30, 2023 16:12:48.901638031 CET	54025	53	192.168.2.16	1.1.1.1
Oct 30, 2023 16:12:48.995987892 CET	53	61523	1.1.1.1	192.168.2.16
Oct 30, 2023 16:12:48.996049881 CET	53	54025	1.1.1.1	192.168.2.16
Oct 30, 2023 16:12:49.347472906 CET	53	53391	1.1.1.1	192.168.2.16
Oct 30, 2023 16:12:51.815613985 CET	138	138	192.168.2.16	192.168.2.255
Oct 30, 2023 16:13:02.300226927 CET	53	60615	1.1.1.1	192.168.2.16
Oct 30, 2023 16:13:21.131098032 CET	53	64045	1.1.1.1	192.168.2.16
Oct 30, 2023 16:13:43.733794928 CET	53	51107	1.1.1.1	192.168.2.16
Oct 30, 2023 16:13:44.276549101 CET	53	64982	1.1.1.1	192.168.2.16
Oct 30, 2023 16:14:12.935116053 CET	53	63484	1.1.1.1	192.168.2.16
Oct 30, 2023 16:14:13.912218094 CET	62034	53	192.168.2.16	1.1.1.1
Oct 30, 2023 16:14:13.912439108 CET	61087	53	192.168.2.16	1.1.1.1
Oct 30, 2023 16:14:14.006387949 CET	53	62034	1.1.1.1	192.168.2.16
Oct 30, 2023 16:14:14.007044077 CET	53	61087	1.1.1.1	192.168.2.16

Timestamp	kBytes transferred	Direction	Data
2023-10-30 15:12:44 UTC	0	OUT	POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1 Host: accounts.google.com Connection: keep-alive Content-Length: 1 Origin: https://www.google.com Content-Type: application/x-www-form-urlencoded Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: 1P_JAR=2023-10-06-09; NID=511=LtGInZ4I4WDrCvCHQBVMHOy4a-sqzpSrMO-Rwr8ezStTz_kfoi2bri7uGdXfNvskAEO_Tj5Jkwl0XSN-qA6MYiGShcDB_vNQOl1bpl3aua7gMrDRvWsHLpAuFBlBnNxTMeen95XElzx3r4myG8p8sgSHdx4NBawYGaI5oFn_dZ8
2023-10-30 15:12:44 UTC	0	OUT	Data Raw: 20 Data Ascii:

Timestamp	kBytes transferred	Direction	Data
2023-10-30 15:12:49 UTC	151	IN	HTTP/1.1 200 OK Date: Mon, 30 Oct 2023 15:12:48 GMT Content-Type: application/x-javascript Content-Length: 61052 Connection: close Cache-Control: public, max-age=31536000 Content-Encoding: gzip Last-Modified: Thu, 25 May 2023 17:33:39 GMT ETag: 0x8DB5D462D49A834 x-ms-request-id: c61bd588-f01e-0028-404e-09fe51000000 x-ms-version: 2009-09-19 x-ms-lease-status: unlocked x-ms-blob-type: BlockBlob Access-Control-Expose-Headers: x-ms-request-id,Server,x-ms-version,Content-Type,Content-Encoding,Cache-Control,Last-Modified,ETag,x-ms-lease-status,x-ms-blob-type,Content-Length,Date,Transfer-Encoding Access-Control-Allow-Origin: * x-azure-ref: 20231030T151248Z-08dsct92fh04t26mz0gchup9x4000000019g000000026p4a X-Cache: TCP_HIT Accept-Ranges: bytes
2023-10-30 15:12:49 UTC	152	IN	Data Raw: 1f 8b 08 00 00 00 00 00 04 00 cc bd 69 77 db 46 b2 30 fc fd fe 0a 0a 27 57 03 8c da 34 29 2f 71 48 23 bc b2 44 db 4c b4 45 4b 9c 8c ac d1 81 c8 96 04 9b 04 18 00 94 ac 91 f8 df 9f aa ea 1d 04 28 29 c9 7d ef 7b 12 8b 40 a3 7a af ae ae ae ae c5 bf 89 93 51 7a d3 2c f8 98 4f 78 91 dd 9e dd f0 f3 69 34 fc fa 53 9e 26 d3 70 e9 d7 fb fb 93 d3 a0 39 9d e5 57 fe c9 c9 fa 29 3b 61 8c 5d cc 92 61 11 a7 89 cf 59 c1 92 e0 ce 9b e5 bc 91 17 59 3c 2c bc 6e d2 cc fc 22 60 49 73 e4 17 cc fb 35 1a cf f8 cf 50 81 c7 7c 9d 2d b8 cb 78 31 cb 92 46 d6 e4 f3 40 c3 f6 af 79 52 6c 47 05 4f 86 b7 35 e0 51 19 7c 9f 67 79 9c 63 16 5e 93 e5 dc ca 72 94 45 43 be cd af f9 b8 06 78 64 01 6f 4c a7 83 24 8f 2f af 8a 7c 33 cd aa 8b 8f 9d 16 bd 8b 72 5e 0b 6a 17 7d d6 ff 06 4d 1e f1 d1 20 Data Ascii: iwF0'W4)/qH#DLEK()}{@zQz,Oxi4S&p9W);a]aYY<,n"`Is5P\|-x1F@yRlGO5Q\|gyc^rECxdoL$/\|3r^j}M
2023-10-30 15:12:49 UTC	167	IN	Data Raw: 55 f7 1d da c5 86 b6 4e 3c e4 1f ba 37 9b b7 b5 c3 23 d4 c8 84 ec 45 b0 c9 37 15 f4 52 19 68 52 db 84 ba 3a 93 b3 c0 d0 32 cd 34 96 c5 e1 77 a8 86 82 5b a0 e4 0c 44 e8 9f fe b7 62 f3 e2 12 ef cd f4 45 86 1d 76 a9 ca dd 36 79 da 4e 84 b4 06 0b 02 f6 93 7c 32 6b 9e 1f 01 48 1d b9 b0 1d 0e 45 73 ff 0a 48 49 e1 df 50 90 3f 40 e9 4f 5c e1 0c 8a 9e 20 e1 3d f7 f7 d8 4d ad e8 59 f6 8d fc 90 12 fc 6f ee 36 ee 97 d9 84 b2 55 80 c3 3d dc ed cb 9b 20 58 b6 fb e2 12 a8 93 cc bb ce 09 d9 17 b7 1b 9e c3 3b 01 49 81 06 e2 8a cd c8 00 2b 23 63 ac 8c 91 a8 99 6f 92 81 56 7b 8e f7 8d b2 42 9c 4a 97 0c 0b bf 45 f5 d2 62 f4 5e b0 ec 3b b3 a4 63 b8 24 72 e0 05 15 1f 7d e2 3d 3f 37 19 0f e3 4b d8 f3 0f 9e 7b cc 7b 7e 76 66 7d 78 ee 9d 76 eb 97 a7 83 a6 50 c3 0c 85 77 da 6d 7b Data Ascii: UN<7#E7RhR:24w[DbEv6yN\|2kHEsHIP?@O\ =MYo6U= X;I+#coV{BJEb^;c$r}=?7K{{~vf}xvPwm{
2023-10-30 15:12:49 UTC	183	IN	Data Raw: 84 51 29 6d 4a 14 bb 22 63 6f 55 2c 47 e7 05 5d 5b 13 bf a6 ac 26 93 2d 98 72 a5 b7 e5 5a dc 5a c8 41 d4 fd e4 3e 1d 71 da 8f 3c 15 aa a8 02 27 5f eb 0a 69 e7 9e 8a 73 ab 65 64 09 18 b0 07 f0 47 1a e5 af 1f a1 b3 aa 6f 4a be 45 d8 0b 7b 11 7c 72 79 14 0f bd 57 cd 6e 76 d1 ec b5 e1 b3 8d 9d 95 66 c2 ca 10 cd 0f a3 7c 90 c5 ac c9 5a ae fa 7f c2 e6 88 97 22 c9 e1 52 b2 22 5d 8a f0 0f 96 12 40 d3 a5 e8 7c be 94 98 1b 2d 25 d5 4c 26 46 3d 61 3a 5c 4a 00 f5 97 a2 e2 77 4b d1 f9 c9 52 72 ef 6a 29 b9 77 6c 21 fc db 40 f8 5d c6 fc 1b 37 be c9 6d fc 7a 4e 9b e8 e0 a1 68 5f 34 7d d6 b3 76 7a fe 9b e8 2e 1e 44 9c d8 a2 fa f9 8d 92 11 d2 4d a4 6e 0a 47 ef 48 fc 1c f5 39 69 8b 0e 7f d4 a7 84 bd c9 84 13 b6 7d e8 5d 53 c2 f1 29 bf ef 10 a1 8e 78 15 a7 c3 1b 7e df 25 92 Data Ascii: Q)mJ"coU,G][&-rZZA>q<'_isedGoJE{\|ryWnvf\|Z"R"]@\|-%L&F=a:\JwKRrj)wl!@]7mzNh_4}vz.DMnGH9i}]S)x~%
2023-10-30 15:12:49 UTC	199	IN	Data Raw: 68 19 58 60 f5 1f 5e bb c3 54 de 2e 80 82 4f c9 76 ef a4 d4 b5 72 0a ee 68 55 55 91 83 40 67 5f dc f5 4a 1c f6 94 3e 3d 7d 79 a0 3e 39 55 07 e7 28 38 b8 38 65 d6 f5 5b 91 70 12 1c 69 47 2b 47 a6 a3 95 0e 6d 81 13 58 fc 26 42 bf 8e 1d ad 38 fe 3e ed 53 99 91 95 ee 68 64 66 52 9b 89 03 08 8d 1b 82 51 74 a5 1c f1 3a ed 15 45 74 3b 29 5e 35 bb d6 fb fa 7a db 7a 27 1a 93 ee 23 3d 44 bf 15 6d ad 43 c0 d2 64 91 ac 81 29 f3 92 ec 05 5f 59 d7 da da 65 be a6 3f da b7 38 0a be 24 da e8 8d 01 b8 41 ae b4 0b ff d2 ba a5 24 85 d5 3e 9e 97 b0 f2 d1 73 cf a0 45 b4 57 a1 27 69 f7 9e 79 d0 2d 71 2f 29 4f 51 86 ce 20 a4 8e 6f 80 45 9c a5 63 47 7c 28 33 2f 2a 99 bd c0 49 d2 0d 4e f3 57 e8 09 fe a7 c0 ae b2 eb 33 99 cd d5 ea cc 3c aa ed 69 d6 b3 94 2f de 08 0d 1e c2 a4 5c db Data Ascii: hX`^T.OvrhUU@g_J>=}y>9U(88e[piG+GmX&B8>ShdfRQt:Et;)^5zz'#=DmCd)_Ye?8$A$>sEW'iy-q/)OQ oEcG\|(3/*INW3<i/\

Timestamp	kBytes transferred	Direction	Data
2023-10-30 15:12:45 UTC	1	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Access-Control-Allow-Origin: https://www.google.com Access-Control-Allow-Credentials: true X-Content-Type-Options: nosniff Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Oct 2023 15:12:45 GMT Strict-Transport-Security: max-age=31536000; includeSubDomains Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/IdentityListAccountsHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-IzZFOtYOEtxCMiW5drjYfw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/IdentityListAccountsHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/IdentityListAccountsHttp/cspreport/allowlist Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factor=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Server: ESF X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2023-10-30 15:12:45 UTC	3	IN	Data Raw: 31 31 0d 0a 5b 22 67 61 69 61 2e 6c 2e 61 2e 72 22 2c 5b 5d 5d 0d 0a Data Ascii: 11["gaia.l.a.r",[]]
2023-10-30 15:12:45 UTC	4	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	kBytes transferred	Direction	Data
2023-10-30 15:12:50 UTC	222	IN	HTTP/1.1 200 OK Date: Mon, 30 Oct 2023 15:12:50 GMT Content-Type: image/svg+xml Content-Length: 673 Connection: close Cache-Control: public, max-age=31536000 Content-Encoding: gzip Last-Modified: Wed, 24 May 2023 10:22:46 GMT ETag: 0x8DB5C40D14F1C27 x-ms-request-id: 3c1dbce8-501e-008a-2fd4-0a6e33000000 x-ms-version: 2009-09-19 x-ms-lease-status: unlocked x-ms-blob-type: BlockBlob Access-Control-Expose-Headers: x-ms-request-id,Server,x-ms-version,Content-Type,Content-Encoding,Cache-Control,Last-Modified,ETag,x-ms-lease-status,x-ms-blob-type,Content-Length,Date,Transfer-Encoding Access-Control-Allow-Origin: * x-azure-ref: 20231030T151250Z-7dwgzauw7t38z9bkeuttxh51bg00000000w000000002cymu X-Cache: TCP_HIT Accept-Ranges: bytes
2023-10-30 15:12:50 UTC	223	IN	Data Raw: 1f 8b 08 00 00 00 00 00 04 00 b5 55 db 6e db 30 0c fd 15 c1 7d 69 1e ac 50 b2 ae 43 1c a0 37 6c 2f c3 0a 64 fd 80 d4 b1 13 03 ae 1d d8 6e d3 f6 eb 47 ca f6 96 0c 79 6c 10 20 e6 91 45 f2 f0 98 94 16 dd db 96 bd bf 54 75 97 46 bb be df 7f 9b cf 0f 87 03 3f 24 bc 69 b7 73 09 00 73 dc 11 b1 43 b9 e9 77 69 24 bc 84 88 ed f2 72 bb eb 11 81 43 54 94 55 95 46 75 53 e7 d1 72 b1 65 cd 7e 9d 95 fd 47 1a 71 19 b1 ac 2a f7 f1 7e 4d ae af 6d 75 7d f5 30 c3 3d 84 d9 26 8d 7e 0a 65 0c 57 4c 58 af b9 cc bc 06 9e 58 06 88 25 70 17 1b 69 b9 96 13 12 0a 04 37 2b a9 84 e1 d6 c6 02 c0 b1 c1 3f d8 b1 d4 0a cd c4 01 57 4e 0e 88 25 3e e1 a6 b3 16 d7 24 ed a6 08 63 bc 11 7d 4e f4 03 bb 9b 59 34 3f a2 97 78 c5 31 bf 13 9a 9b cc 2a c3 b5 23 76 89 16 c8 47 61 6c 39 01 21 02 39 81 41 Data Ascii: Un0}iPC7l/dnGyl ETuF?$issCwi$rCTUFuSre~Gq~Mmu}0=&~eWLXX%pi7+?WN%>$c}NY4?x1#vGal9!9A

Timestamp	kBytes transferred	Direction	Data
2023-10-30 15:12:45 UTC	3	IN	HTTP/1.1 200 OK Content-Security-Policy: script-src 'report-sample' 'nonce-_Jzn2x1wIAHdEAMuK7fjrw' 'unsafe-inline' 'strict-dynamic' https: http:;object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/clientupdate-aus/1 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Oct 2023 15:12:45 GMT Content-Type: text/xml; charset=UTF-8 X-Daynum: 6146 X-Daystart: 29565 X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block Server: GSE Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2023-10-30 15:12:45 UTC	3	IN	Data Raw: 32 63 39 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 67 75 70 64 61 74 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 75 70 64 61 74 65 32 2f 72 65 73 70 6f 6e 73 65 22 20 70 72 6f 74 6f 63 6f 6c 3d 22 32 2e 30 22 20 73 65 72 76 65 72 3d 22 70 72 6f 64 22 3e 3c 64 61 79 73 74 61 72 74 20 65 6c 61 70 73 65 64 5f 64 61 79 73 3d 22 36 31 34 36 22 20 65 6c 61 70 73 65 64 5f 73 65 63 6f 6e 64 73 3d 22 32 39 35 36 35 22 2f 3e 3c 61 70 70 20 61 70 70 69 64 3d 22 6e 6d 6d 68 6b 6b 65 67 63 63 61 67 64 6c 64 67 69 69 6d 65 64 70 69 63 63 6d 67 6d 69 65 64 61 22 20 63 6f 68 6f 72 74 3d 22 31 3a 3a 22 20 63 6f 68 6f 72 74 6e 61 6d 65 3d 22 22 Data Ascii: 2c9<?xml version="1.0" encoding="UTF-8"?><gupdate xmlns="http://www.google.com/update2/response" protocol="2.0" server="prod"><daystart elapsed_days="6146" elapsed_seconds="29565"/><app appid="nmmhkkegccagdldgiimedpiccmgmieda" cohort="1::" cohortname=""
2023-10-30 15:12:45 UTC	4	IN	Data Raw: 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 68 61 73 68 5f 73 68 61 32 35 36 3d 22 38 31 65 33 61 34 64 34 33 61 37 33 36 39 39 65 31 62 37 37 38 31 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 70 72 6f 74 65 63 74 65 64 3d 22 30 22 20 73 69 7a 65 3d 22 32 34 38 35 33 31 22 20 73 74 61 74 75 73 3d 22 6f 6b 22 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 2e 30 2e 36 22 2f 3e 3c 2f 61 70 70 3e 3c 2f 67 75 70 64 61 74 65 3e 0d 0a Data Ascii: 723f56b8717175c536685c5450122b30789464ad82" hash_sha256="81e3a4d43a73699e1b7781723f56b8717175c536685c5450122b30789464ad82" protected="0" size="248531" status="ok" version="1.0.0.6"/></app></gupdate>
2023-10-30 15:12:45 UTC	4	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	kBytes transferred	Direction	Data
2023-10-30 15:12:51 UTC	246	IN	HTTP/1.1 200 OK Date: Mon, 30 Oct 2023 15:12:51 GMT Content-Type: image/x-icon Content-Length: 17174 Connection: close Cache-Control: public, max-age=31536000 Last-Modified: Fri, 20 Oct 2023 01:40:54 GMT ETag: 0x8DBD10D998E774C x-ms-request-id: 1d25c9ea-d01e-007e-1e10-09676e000000 x-ms-version: 2009-09-19 x-ms-lease-status: unlocked x-ms-blob-type: BlockBlob Access-Control-Expose-Headers: x-ms-request-id,Server,x-ms-version,Content-Type,Cache-Control,Last-Modified,ETag,x-ms-lease-status,x-ms-blob-type,Content-Length,Date,Transfer-Encoding Access-Control-Allow-Origin: * x-azure-ref: 20231030T151251Z-n7nhm6whc5035a54e6ugchwz78000000013000000000nssn X-Cache: TCP_HIT Accept-Ranges: bytes
2023-10-30 15:12:51 UTC	247	IN	Data Raw: 00 00 01 00 06 00 80 80 10 00 00 00 00 00 68 28 00 00 66 00 00 00 48 48 10 00 00 00 00 00 e8 0d 00 00 ce 28 00 00 30 30 10 00 00 00 00 00 68 06 00 00 b6 36 00 00 20 20 10 00 00 00 00 00 e8 02 00 00 1e 3d 00 00 18 18 10 00 00 00 00 00 e8 01 00 00 06 40 00 00 10 10 10 00 00 00 00 00 28 01 00 00 ee 41 00 00 28 00 00 00 80 00 00 00 00 01 00 00 01 00 04 00 00 00 00 00 00 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 00 ef a4 00 00 00 b9 ff 00 00 ba 7f 00 22 50 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 20 00 00 03 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 Data Ascii: h(fHH(00h6 =@(A(("P"""""""""""""""""""""""""""""" 333333333333333
2023-10-30 15:12:51 UTC	262	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 00 ef a4 00 00 00 b9 ff 00 00 bc 7b 00 1f 4c f9 00 22 50 f2 00 f7 a6 00 00 00 ba 7f 00 f3 a6 00 00 1e 4e f6 00 23 4e f4 00 f3 a4 00 00 00 bc 7d 00 00 ba 7d 00 00 00 00 00 22 22 22 22 22 22 22 c0 03 33 33 33 33 33 33 33 22 22 22 22 22 22 22 c0 03 33 33 33 33 33 33 33 22 22 22 22 22 22 22 c0 03 33 33 33 33 33 33 33 22 22 22 22 22 22 22 c0 03 33 33 33 33 33 33 33 22 22 22 22 22 22 22 c0 03 33 33 33 33 33 33 33 22 22 22 22 22 22 22 c0 03 33 33 33 33 33 33 33 22 22 22 22 22 22 22 c0 03 33 33 33 33 33 33 33 22 22 22 22 22 22 22 c0 03 33 33 33 33 33 33 33 22 22 22 22 22 22 22 c0 03 33 33 33 33 33 33 33 22 22 22 22 22 22 22 c0 03 33 33 33 33 33 33 33 22 22 22 22 22 22 22 c0 03 33 33 33 33 33 33 33 22 Data Ascii: {L"PN#N}}"""""""3333333"""""""3333333"""""""3333333"""""""3333333"""""""3333333"""""""3333333"""""""3333333"""""""3333333"""""""3333333"""""""3333333"""""""3333333"

Timestamp	kBytes transferred	Direction	Data
2023-10-30 15:12:56 UTC	264	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=8+6Rz8sGbdwtOBY&MD=dfrD7cwc HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2023-10-30 15:12:56 UTC	264	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: b659e8f6-8d78-40be-a6c9-9efcc538153a MS-RequestId: f851f15d-9f61-4a45-9ef9-1685b85f5282 MS-CV: WQ9RpY3xfUq5DAHo.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Mon, 30 Oct 2023 15:12:56 GMT Connection: close Content-Length: 24490
2023-10-30 15:12:56 UTC	265	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2023-10-30 15:12:56 UTC	280	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Timestamp	kBytes transferred	Direction	Data
2023-10-30 15:12:56 UTC	288	OUT	POST /threshold/xls.aspx HTTP/1.1 Origin: https://www.bing.com Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init Accept: / Accept-Language: en-CH Content-type: text/xml X-Agent-DeviceId: 01000A4109009A83 X-BM-CBT: 1696585056 X-BM-DateFormat: dd/MM/yyyy X-BM-DeviceDimensions: 784x984 X-BM-DeviceDimensionsLogical: 784x984 X-BM-DeviceScale: 100 X-BM-DTZ: 120 X-BM-Market: CH X-BM-Theme: 000000;0078d7 X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66E,FX:2C89765 X-Device-ClientSession: 8B0BADD9680C444587B50653454AB647 X-Device-isOptin: false X-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A} X-Device-OSSKU: 48 X-Device-Touch: false X-DeviceID: 01000A4109009A83 X-MSEdge-ExternalExp: bfbscope1003t3,bfbwsbpphmemqcf,bfbwsbrs0830cf,d-thshld78,d-thshldspcl40,disfbcthas2_1,fliptrat6,spofglclicksh-c2,wsbqfasmsall_c,wsbref-c X-MSEdge-ExternalExpType: JointCoord X-PositionerType: Desktop X-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI X-Search-CortanaAvailableCapabilities: None X-Search-SafeSearch: Moderate X-Search-TimeZone: Bias=-60; DaylightBias=-60; TimeZoneKeyName=W. Europe Standard Time X-UserAgeClass: Unknown Accept-Encoding: gzip, deflate, br User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045 Host: www.bing.com Content-Length: 608 Connection: Keep-Alive Cache-Control: no-cache Cookie: SRCHUID=V=2&GUID=1365D4FE3DA84D19A46408EFC15FC823&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20231006; SRCHHPGUSR=SRCHLANG=en&HV=1696584863&IPMH=5e4190f4&IPMID=1696585056345&LUT=1696585056224; CortanaAppUID=646BA1FF24F806DFED4199E1E0EFF63E; MUID=5047E5942BB2460EA35B53CCF78DDB3D; _SS=SID=1F9344FA7B5C6D050D8557587A606C51&CPID=1696585056799&AC=1&CPH=074c06b2&CBV=39996767; _EDGE_S=SID=1F9344FA7B5C6D050D8557587A606C51; MUIDB=5047E5942BB2460EA35B53CCF78DDB3D
2023-10-30 15:12:56 UTC	291	OUT	Data Raw: 3c Data Ascii: <
2023-10-30 15:12:56 UTC	291	OUT	Data Raw: 43 6c 69 65 6e 74 49 6e 73 74 52 65 71 75 65 73 74 3e 3c 43 49 44 3e 35 30 34 37 45 35 39 34 32 42 42 32 34 36 30 45 41 33 35 42 35 33 43 43 46 37 38 44 44 42 33 44 3c 2f 43 49 44 3e 3c 45 76 65 6e 74 73 3e 3c 45 3e 3c 54 3e 45 76 65 6e 74 2e 43 6c 69 65 6e 74 49 6e 73 74 3c 2f 54 3e 3c 49 47 3e 36 34 38 31 41 46 33 32 31 31 46 30 34 33 44 41 39 30 30 39 46 46 31 30 39 32 45 43 36 45 36 46 3c 2f 49 47 3e 3c 44 3e 3c 21 5b 43 44 41 54 41 5b 7b 22 43 75 72 55 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 69 6e 67 2e 63 6f 6d 2f 41 53 2f 41 50 49 2f 57 69 6e 64 6f 77 73 43 6f 72 74 61 6e 61 50 61 6e 65 2f 56 32 2f 49 6e 69 74 22 2c 22 50 69 76 6f 74 22 3a 22 51 46 22 2c 22 54 22 3a 22 43 49 2e 42 6f 78 4d 6f 64 65 6c 22 2c 22 46 49 44 22 3a 22 43 49 Data Ascii: ClientInstRequest><CID>5047E5942BB2460EA35B53CCF78DDB3D</CID><Events><E><T>Event.ClientInst</T><IG>6481AF3211F043DA9009FF1092EC6E6F</IG><D><![CDATA[{"CurUrl":"https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init","Pivot":"QF","T":"CI.BoxModel","FID":"CI
2023-10-30 15:12:56 UTC	291	IN	HTTP/1.1 204 No Content Access-Control-Allow-Origin: * Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version X-MSEdge-Ref: Ref A: 0240554266F94A7FAFE69AA81E46030B Ref B: LAX311000108047 Ref C: 2023-10-30T15:12:56Z Date: Mon, 30 Oct 2023 15:12:56 GMT Connection: close Alt-Svc: h3=":443"; ma=93600 X-CDN-TraceID: 0.15ed0117.1698678776.30fff23

Timestamp	kBytes transferred	Direction	Data
2023-10-30 15:13:02 UTC	292	IN	HTTP/1.1 200 OK Date: Mon, 30 Oct 2023 15:13:02 GMT Content-Type: image/gif Content-Length: 2672 Connection: close Cache-Control: public, max-age=31536000 Last-Modified: Wed, 24 May 2023 10:22:50 GMT ETag: 0x8DB5C40D3D59111 x-ms-request-id: d910cff1-801e-008f-5921-0ae939000000 x-ms-version: 2009-09-19 x-ms-lease-status: unlocked x-ms-blob-type: BlockBlob Access-Control-Expose-Headers: x-ms-request-id,Server,x-ms-version,Content-Type,Cache-Control,Last-Modified,ETag,x-ms-lease-status,x-ms-blob-type,Content-Length,Date,Transfer-Encoding Access-Control-Allow-Origin: * x-azure-ref: 20231030T151302Z-r6sqqzwrhp64z9sm9x7tywzv1n00000001k000000002qef0 X-Cache: TCP_HIT Accept-Ranges: bytes
2023-10-30 15:13:02 UTC	293	IN	Data Raw: 47 49 46 38 39 61 60 01 03 00 f0 00 00 ff ff ff 96 96 96 21 ff 0b 4e 45 54 53 43 41 50 45 32 2e 30 03 01 00 00 00 21 f9 04 09 05 00 00 00 2c 00 00 00 00 60 01 03 00 00 02 36 84 1d a9 b7 07 ed 50 8a 6c d2 8b b3 de bc fb 0f 86 e2 48 96 e6 89 a2 0a 04 49 01 d6 3a 71 4a d7 f6 8d e7 fa ce 6b ab f5 00 ba 60 42 59 b1 87 4c 2a 97 cc 26 af 00 00 21 f9 04 09 05 00 00 00 2c 06 00 00 00 30 00 03 00 00 02 1a 8c 01 16 88 ca ec 1e 3c f2 a9 18 1b b5 5b e6 9a 5c 4b 38 6a e5 74 72 a9 67 14 00 21 f9 04 09 03 00 00 00 2c 07 00 00 00 33 00 03 00 00 02 1a 8c 81 16 c8 ca ef 5e 3b 12 2a 0a e2 5c 55 4b df 5d 5c 86 25 e5 56 99 63 aa 14 00 21 f9 04 09 05 00 00 00 2c 0a 00 00 00 37 00 03 00 00 02 1a 8c 81 60 91 b9 ed 0e 6c 6f c6 c5 ee ac 90 5b bf 61 19 02 2a 52 77 7e 69 18 14 00 21 Data Ascii: GIF89a`!NETSCAPE2.0!,`6PlHI:qJk`BYL&!,0<[\K8jtrg!,3^;\UK]\%Vc!,7`lo[a*Rw~i!

Timestamp	kBytes transferred	Direction	Data
2023-10-30 15:13:04 UTC	296	IN	HTTP/1.1 200 OK Date: Mon, 30 Oct 2023 15:13:04 GMT Content-Type: image/gif Content-Length: 3620 Connection: close Cache-Control: public, max-age=31536000 Last-Modified: Wed, 24 May 2023 10:22:50 GMT ETag: 0x8DB5C40D3BB06B9 x-ms-request-id: a9822568-401e-0007-47bf-09e67d000000 x-ms-version: 2009-09-19 x-ms-lease-status: unlocked x-ms-blob-type: BlockBlob Access-Control-Expose-Headers: x-ms-request-id,Server,x-ms-version,Content-Type,Cache-Control,Last-Modified,ETag,x-ms-lease-status,x-ms-blob-type,Content-Length,Date,Transfer-Encoding Access-Control-Allow-Origin: * x-azure-ref: 20231030T151303Z-h5n73cbbbd7zh1qvh6xcezx1cs00000001pg00000001k8se X-Cache: TCP_HIT Accept-Ranges: bytes
2023-10-30 15:13:04 UTC	297	IN	Data Raw: 47 49 46 38 39 61 60 01 03 00 f0 00 00 00 00 00 69 69 69 21 f9 04 09 05 00 00 00 21 fe 26 45 64 69 74 65 64 20 77 69 74 68 20 65 7a 67 69 66 2e 63 6f 6d 20 6f 6e 6c 69 6e 65 20 47 49 46 20 6d 61 6b 65 72 00 21 ff 0b 4e 45 54 53 43 41 50 45 32 2e 30 03 01 00 00 00 2c 00 00 00 00 60 01 03 00 00 02 36 84 1d a9 b7 07 ed 50 8a 6c d2 8b b3 de bc fb 0f 86 e2 48 96 e6 89 a2 0a 04 49 01 d6 3a 71 4a d7 f6 8d e7 fa ce 6b ab f5 00 ba 60 42 59 b1 87 4c 2a 97 cc 26 af 00 00 21 f9 04 09 05 00 00 00 2c 00 00 00 00 60 01 03 00 00 02 39 84 1f 69 19 07 ec 96 8a b2 51 34 af de bc fb 0f 86 e2 48 96 e6 89 a6 6a 0a 3d 99 6b 39 2d 35 5f f5 8a e7 fa ce f7 fe 0f 8c b4 6a 37 98 a6 28 7b 05 97 cc a6 f3 09 d5 15 00 00 21 f9 04 09 03 00 00 00 2c 00 00 00 00 60 01 03 00 00 02 39 84 0f Data Ascii: GIF89a`iii!!&Edited with ezgif.com online GIF maker!NETSCAPE2.0,`6PlHI:qJk`BYL*&!,`9iQ4Hj=k9-5_j7({!,`9

Timestamp	kBytes transferred	Direction	Data
2023-10-30 15:13:05 UTC	305	IN	HTTP/1.1 200 OK Date: Mon, 30 Oct 2023 15:13:04 GMT Content-Type: image/gif Content-Length: 3620 Connection: close Cache-Control: public, max-age=31536000 Last-Modified: Wed, 24 May 2023 10:22:50 GMT ETag: 0x8DB5C40D3BB06B9 x-ms-request-id: a9822568-401e-0007-47bf-09e67d000000 x-ms-version: 2009-09-19 x-ms-lease-status: unlocked x-ms-blob-type: BlockBlob Access-Control-Expose-Headers: x-ms-request-id,Server,x-ms-version,Content-Type,Cache-Control,Last-Modified,ETag,x-ms-lease-status,x-ms-blob-type,Content-Length,Date,Transfer-Encoding Access-Control-Allow-Origin: * x-azure-ref: 20231030T151304Z-nnyfmy7gk14kr68uravqwu1pp000000001vg000000029uth X-Cache: TCP_HIT Accept-Ranges: bytes
2023-10-30 15:13:05 UTC	305	IN	Data Raw: 47 49 46 38 39 61 60 01 03 00 f0 00 00 00 00 00 69 69 69 21 f9 04 09 05 00 00 00 21 fe 26 45 64 69 74 65 64 20 77 69 74 68 20 65 7a 67 69 66 2e 63 6f 6d 20 6f 6e 6c 69 6e 65 20 47 49 46 20 6d 61 6b 65 72 00 21 ff 0b 4e 45 54 53 43 41 50 45 32 2e 30 03 01 00 00 00 2c 00 00 00 00 60 01 03 00 00 02 36 84 1d a9 b7 07 ed 50 8a 6c d2 8b b3 de bc fb 0f 86 e2 48 96 e6 89 a2 0a 04 49 01 d6 3a 71 4a d7 f6 8d e7 fa ce 6b ab f5 00 ba 60 42 59 b1 87 4c 2a 97 cc 26 af 00 00 21 f9 04 09 05 00 00 00 2c 00 00 00 00 60 01 03 00 00 02 39 84 1f 69 19 07 ec 96 8a b2 51 34 af de bc fb 0f 86 e2 48 96 e6 89 a6 6a 0a 3d 99 6b 39 2d 35 5f f5 8a e7 fa ce f7 fe 0f 8c b4 6a 37 98 a6 28 7b 05 97 cc a6 f3 09 d5 15 00 00 21 f9 04 09 03 00 00 00 2c 00 00 00 00 60 01 03 00 00 02 39 84 0f Data Ascii: GIF89a`iii!!&Edited with ezgif.com online GIF maker!NETSCAPE2.0,`6PlHI:qJk`BYL*&!,`9iQ4Hj=k9-5_j7({!,`9

Timestamp	kBytes transferred	Direction	Data
2023-10-30 15:13:33 UTC	309	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=8+6Rz8sGbdwtOBY&MD=dfrD7cwc HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2023-10-30 15:13:33 UTC	309	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "Mx1RoJH/qEwpWfKllx7sbsl28AuERz5IYdcsvtTJcgM=_2160" MS-CorrelationId: 7413e202-2445-4617-9ad1-663b4af143e9 MS-RequestId: 02e123f1-46ec-4d6c-afe0-0b2f5a1c27ee MS-CV: LLTgBlONj0eJNaad.0 X-Microsoft-SLSClientCache: 2160 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Mon, 30 Oct 2023 15:13:33 GMT Connection: close Content-Length: 25457
2023-10-30 15:13:33 UTC	310	IN	Data Raw: 4d 53 43 46 00 00 00 00 51 22 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 db 8e 00 00 14 00 00 00 00 00 10 00 51 22 00 00 20 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 f3 43 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 0d 92 6f db e5 21 f3 43 43 4b ed 5a 09 38 55 5b df 3f 93 99 90 29 99 e7 29 ec 73 cc 4a 66 32 cf 84 32 64 c8 31 c7 11 52 38 87 90 42 66 09 99 87 32 0f 19 0a 09 51 a6 a8 08 29 53 86 4a 52 84 50 df 46 83 ba dd 7b df fb 7e ef 7d ee 7d bf ef 9e e7 d9 67 ef 35 ee b5 fe eb 3f ff b6 96 81 a2 0a 04 fc 31 40 21 5b 3f a5 ed 1b 04 0e 85 42 a0 10 04 64 12 6c a5 de aa a1 d8 ea f3 58 01 f2 f5 67 0b 5e 9b bd e8 a0 90 1d bf 40 88 9d eb 49 b4 87 9b ab 8b 9d 2b 46 c8 c7 c5 19 92 Data Ascii: MSCFQ"DQ" AdCenvironment.cabo!CCKZ8U[?))sJf22d1R8Bf2Q)SJRPF{~}}g5?1@![?BdlXg^@I+F
2023-10-30 15:13:33 UTC	325	IN	Data Raw: 21 6f b3 eb a6 cc f5 31 be cf 05 e2 a9 fe fa 57 6d 19 30 b3 c2 c5 66 c9 6a df f5 e7 f0 78 bd c7 a8 9e 25 e3 f9 bc ed 6b 54 57 08 2b 51 82 44 12 fb b9 53 8c cc f4 60 12 8a 76 cc 40 40 41 9b dc 5c 17 ff 5c f9 5e 17 35 98 24 56 4b 74 ef 42 10 c8 af bf 7f c6 7f f2 37 7d 5a 3f 1c f2 99 79 4a 91 52 00 af 38 0f 17 f5 2f 79 81 65 d9 a9 b5 6b e4 c7 ce f6 ca 7a 00 6f 4b 30 44 24 22 3c cf ed 03 a5 96 8f 59 29 bc b6 fd 04 e1 70 9f 32 4a 27 fd 55 af 2f fe b6 e5 8e 33 bb 62 5f 9a db 57 40 e9 f1 ce 99 66 90 8c ff 6a 62 7f dd c5 4a 0b 91 26 e2 39 ec 19 4a 71 63 9d 7b 21 6d c3 9c a3 a2 3c fa 7f 7d 96 6a 90 78 a6 6d d2 e1 9c f9 1d fc 38 d8 94 f4 c6 a5 0a 96 86 a4 bd 9e 1a ae 04 42 83 b8 b5 80 9b 22 38 20 b5 25 e5 64 ec f7 f4 bf 7e 63 59 25 0f 7a 2e 39 57 76 a2 71 aa 06 8a Data Ascii: !o1Wm0fjx%kTW+QDS`v@@A\\^5$VKtB7}Z?yJR8/yekzoK0D$"<Y)p2J'U/3b_W@fjbJ&9Jqc{!m<}jxm8B"8 %d~cY%z.9Wvq

Timestamp	kBytes transferred	Direction	Data
2023-10-30 15:14:14 UTC	335	IN	HTTP/1.1 200 OK Content-Security-Policy: script-src 'report-sample' 'nonce-F-heVbSHMj4kCdc_szkNwg' 'unsafe-inline' 'strict-dynamic' https: http:;object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/download-dt/1 Content-Security-Policy: script-src 'report-sample' 'nonce--b8XFAKFbdQnvNJlTDC0ew' 'unsafe-inline' 'strict-dynamic' https: http:;object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/download-dt/1 Content-Type: text/plain; charset=utf-8 Content-Length: 220 Date: Mon, 30 Oct 2023 15:14:14 GMT Expires: Mon, 30 Oct 2023 15:14:14 GMT Cache-Control: private, max-age=0 X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block Server: GSE Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2023-10-30 15:14:14 UTC	336	IN	Data Raw: 72 6c 7a 43 31 3a 20 31 43 31 4f 4e 47 52 5f 65 6e 55 53 31 30 38 32 0a 72 6c 7a 43 32 3a 20 31 43 32 4f 4e 47 52 5f 65 6e 55 53 31 30 38 32 0a 72 6c 7a 43 37 3a 20 31 43 37 4f 4e 47 52 5f 65 6e 55 53 31 30 38 32 0a 64 63 63 3a 20 0a 73 65 74 5f 64 63 63 3a 20 43 31 3a 31 43 31 4f 4e 47 52 5f 65 6e 55 53 31 30 38 32 2c 43 32 3a 31 43 32 4f 4e 47 52 5f 65 6e 55 53 31 30 38 32 2c 43 37 3a 31 43 37 4f 4e 47 52 5f 65 6e 55 53 31 30 38 32 0a 65 76 65 6e 74 73 3a 20 43 31 49 2c 43 32 49 2c 43 37 49 2c 43 31 53 2c 43 37 53 0a 73 74 61 74 65 66 75 6c 2d 65 76 65 6e 74 73 3a 20 43 31 49 2c 43 32 49 2c 43 37 49 0a 63 72 63 33 32 3a 20 65 33 32 33 39 30 37 38 0a Data Ascii: rlzC1: 1C1ONGR_enUS1082rlzC2: 1C2ONGR_enUS1082rlzC7: 1C7ONGR_enUS1082dcc: set_dcc: C1:1C1ONGR_enUS1082,C2:1C2ONGR_enUS1082,C7:1C7ONGR_enUS1082events: C1I,C2I,C7I,C1S,C7Sstateful-events: C1I,C2I,C7Icrc32: e3239078

Timestamp	kBytes transferred	Direction	Data
2023-10-30 15:14:18 UTC	337	IN	HTTP/1.1 200 OK Date: Mon, 30 Oct 2023 15:14:18 GMT Content-Type: application/x-javascript Content-Length: 8917 Connection: close Cache-Control: public, max-age=31536000 Content-Encoding: gzip Last-Modified: Fri, 22 Sep 2023 21:41:50 GMT ETag: 0x8DBBBB4BAC70A62 x-ms-request-id: 466377f1-801e-0037-57c6-09c76c000000 x-ms-version: 2009-09-19 x-ms-lease-status: unlocked x-ms-blob-type: BlockBlob Access-Control-Expose-Headers: x-ms-request-id,Server,x-ms-version,Content-Type,Content-Encoding,Cache-Control,Last-Modified,ETag,x-ms-lease-status,x-ms-blob-type,Content-Length,Date,Transfer-Encoding Access-Control-Allow-Origin: * x-azure-ref: 20231030T151418Z-wvxqwbtn651y1b1s9btb4pyu3w00000001xg00000001x8p9 X-Cache: TCP_REMOTE_HIT Accept-Ranges: bytes
2023-10-30 15:14:18 UTC	337	IN	Data Raw: 1f 8b 08 00 00 00 00 00 04 00 d5 3d f9 77 9b 48 d2 bf ef 5f 81 b5 fb 62 69 82 09 b7 84 bc 4c 5e 62 3b 19 cf 24 b1 d7 76 92 dd 9d cc d3 6b a0 b1 18 23 d0 00 f2 31 b6 fe f7 af aa 39 04 08 74 c4 ce 4e 3e bd 17 4b f4 59 55 5d 5d 67 d3 79 f1 c3 ce df b8 1f b8 bd cd 3f dc f9 c5 ab b3 0b ee e4 0d 77 f1 d3 f1 d9 21 77 0a 4f ff e1 3e 9c 5c 1c 1f 1c 6d 3e 0e 4e 8a ff 2e c6 5e cc b9 9e 4f 39 f8 b6 48 4c 1d 2e 0c b8 30 e2 bc c0 0e a3 69 18 91 84 c6 dc 04 fe 46 1e f1 39 37 0a 27 5c 32 a6 dc 34 0a 7f a7 76 12 73 be 17 27 d0 c9 a2 7e 78 c3 75 61 b8 c8 e1 4e 49 94 dc 71 c7 a7 3d 01 c6 a7 30 9a 77 e9 05 d0 db 0e a7 77 f0 7b 9c 70 41 98 78 36 e5 48 e0 b0 d1 7c 78 08 62 ca cd 02 87 46 dc cd d8 b3 c7 dc 7b cf 8e c2 38 74 13 2e a2 36 f5 ae 61 92 78 06 e5 d5 29 78 8e 44 94 8b Data Ascii: =wH_biL^b;$vk#19tN>KYU]]gy?w!wO>\m>N.^O9HL.0iF97'\24vs'~xuaNIq=0ww{pAx6H\|xbF{8t.6ax)xD

Timestamp	kBytes transferred	Direction	Data
2023-10-30 15:12:47 UTC	5	IN	HTTP/1.1 200 OK Date: Mon, 30 Oct 2023 15:12:47 GMT Content-Type: text/css Content-Length: 20211 Connection: close Cache-Control: public, max-age=31536000 Content-Encoding: gzip Last-Modified: Thu, 07 Sep 2023 05:39:19 GMT ETag: 0x8DBAF64C85F418F x-ms-request-id: be10506f-701e-0030-7d23-0a1662000000 x-ms-version: 2009-09-19 x-ms-lease-status: unlocked x-ms-blob-type: BlockBlob Access-Control-Expose-Headers: x-ms-request-id,Server,x-ms-version,Content-Type,Content-Encoding,Cache-Control,Last-Modified,ETag,x-ms-lease-status,x-ms-blob-type,Content-Length,Date,Transfer-Encoding Access-Control-Allow-Origin: * x-azure-ref: 20231030T151247Z-f6e4u3g2zt04t9b484vdtrun4s00000000wg000000024x3k X-Cache: TCP_HIT Accept-Ranges: bytes
2023-10-30 15:12:47 UTC	5	IN	Data Raw: 1f 8b 08 00 00 00 00 00 04 00 ed bd 6d 93 1b b7 b1 28 fc 5d bf 62 ce ba 5c d1 fa 90 13 72 f8 ba 64 45 15 59 56 ec 3d 47 6f 25 c9 c9 49 b9 54 a9 59 72 b8 9c a3 21 87 77 66 b8 ab 0d ef fe f7 07 ef 68 00 0d 70 b8 5a c7 b9 4f 39 8a 25 0e ba d1 00 ba 1b 0d 34 80 06 fe f8 dd 7f 44 2f ca dd 5d 95 5f af 9b e8 e9 8b f3 e8 75 be a8 ca ba 5c 35 24 bd da 95 55 da e4 e5 36 8e 9e 17 45 c4 90 ea a8 ca ea ac ba c9 96 71 f4 dd 1f 9f fc f1 bb ff 78 d2 6d ff bf e8 c3 c7 e7 ef 3f 46 6f ff 12 7d fc e9 f2 fd 0f d1 3b f2 f5 f7 e8 cd db 8f 97 2f 5e 46 ad a9 3c 79 f2 71 9d d7 d1 2a 2f b2 88 fc 7b 95 d6 d9 32 2a b7 51 59 45 f9 76 21 aa 9d d5 d1 86 fc 5d e5 69 11 ad aa 72 13 35 eb 2c da 55 e5 ff 66 0b d2 88 22 af 1b 92 e9 2a 2b ca db e8 29 21 57 2d a3 77 69 d5 dc 45 97 ef ce e3 e8 Data Ascii: m(]b\rdEYV=Go%ITYr!wfhpZO9%4D/]_u\5$U6Eqxm?Fo};/^F<yq/{2QYEv!]ir5,Uf"*+)!W-wiE
2023-10-30 15:12:47 UTC	21	IN	Data Raw: 0f 0b df 51 57 37 c3 ea 01 d7 4c 0f 77 63 2d ea 2e df cb 43 04 3e 73 21 5c ec 1e 00 67 5f 00 28 55 00 41 11 8a 80 40 84 3a 20 10 a9 14 08 48 ab 06 02 94 0a 82 80 98 9a a0 e9 54 59 30 80 af cd 4c 71 90 74 ae 3e 02 20 95 48 7c 72 55 12 0e 87 a9 2e 83 84 fe f1 6b cc f4 dc 90 29 12 f1 2d 64 ea 42 84 4c 71 80 68 9f 1f a8 64 ea a2 48 99 ba 10 29 53 17 a2 64 ea 82 80 4c 5d a0 92 a9 0b e2 32 c5 d2 99 4c 11 80 af cd 5c a6 6e ba 90 29 07 28 99 f2 4f 21 53 7e a0 c2 94 a9 2f 80 c8 db 51 65 40 a7 5f bc 3a e8 d3 2b e8 a3 28 bc f9 ad d0 a4 f0 83 c8 42 0d 82 38 42 21 82 38 52 35 82 48 5a 49 82 68 52 5d 82 48 4c 71 8e 60 50 15 0a a3 1c e7 26 53 ab 20 06 57 30 07 45 aa 9a 03 e0 4a 67 27 e3 71 c0 be 60 4a f3 a6 69 63 75 b7 c7 5e 17 e9 88 10 78 50 d1 3f f0 a4 3f 18 23 e6 1f Data Ascii: QW7Lwc-.C>s!\g_(UA@: HTY0Lqt> H\|rU.k)-dBLqhdH)SdL]2L\n)(O!S~/Qe@_:+(B8B!8R5HZIhR]HLq`P&S W0EJg'q`Jicu^xP??#

Timestamp	kBytes transferred	Direction	Data
2023-10-30 15:14:19 UTC	348	IN	HTTP/1.1 200 OK Date: Mon, 30 Oct 2023 15:14:19 GMT Content-Type: image/svg+xml Content-Length: 276 Connection: close Cache-Control: public, max-age=31536000 Content-Encoding: gzip Last-Modified: Wed, 24 May 2023 10:22:45 GMT ETag: 0x8DB5C40D12AF55E x-ms-request-id: ff3fecba-701e-000c-6772-0ac36a000000 x-ms-version: 2009-09-19 x-ms-lease-status: unlocked x-ms-blob-type: BlockBlob Access-Control-Expose-Headers: x-ms-request-id,Server,x-ms-version,Content-Type,Content-Encoding,Cache-Control,Last-Modified,ETag,x-ms-lease-status,x-ms-blob-type,Content-Length,Date,Transfer-Encoding Access-Control-Allow-Origin: * x-azure-ref: 20231030T151419Z-dp60qa20kh2rh8xndsuf5pevvc00000000ug00000002m3t2 X-Cache: TCP_HIT Accept-Ranges: bytes
2023-10-30 15:14:19 UTC	349	IN	Data Raw: 1f 8b 08 00 00 00 00 00 04 00 95 51 3d 6f c3 20 10 fd 2b 88 ae e6 e0 08 d8 b8 b2 3d 74 ca 90 ae 1d ba 45 8a 6b 5b 22 1f aa 91 c9 cf 2f 67 3b 6e 87 2c 15 f0 80 bb 7b ef 9e a0 1a a7 8e dd cf fe 32 d6 bc 0f e1 f6 2a 65 8c 11 e2 0e ae df 9d d4 4a 29 99 2a 38 8b c3 29 f4 35 d7 86 b3 be 1d ba 3e 2c e7 69 68 e3 db f5 5e 73 c5 14 d3 26 4d de 54 61 08 be 6d 8e e3 d8 86 b1 92 cb ad ba 1d 43 cf 4e 35 7f 47 97 21 82 2d dc 04 ce 98 7d 01 39 16 7e 07 a5 c6 8c d0 09 b0 a5 a1 75 c8 33 d4 de 40 69 8c 98 71 4b cc 9c 55 e5 93 b3 af c1 fb 9a bf 18 45 83 cb bf bd 14 f1 b2 02 94 cd fd 53 fa 1e ff ef e3 ac 04 a0 41 01 aa c0 b4 0e 36 95 97 a4 47 9b 05 67 1d 11 d6 2c 66 33 67 c1 35 46 1b b1 49 9d da d8 47 40 3c 0e 98 4c 2e 3a 60 b5 4e 26 01 3f 52 03 93 0c cf 89 64 b4 b0 28 08 37 Data Ascii: Q=o +=tEk["/g;n,{2eJ)8)5>,ih^s&MTamCN5G!-}9~u3@iqKUESA6Gg,f3g5FIG@<L.:`N&?Rd(7

Timestamp	kBytes transferred	Direction	Data
2023-10-30 15:14:20 UTC	426	IN	HTTP/1.1 200 OK Date: Mon, 30 Oct 2023 15:14:20 GMT Content-Type: image/svg+xml Content-Length: 3528 Connection: close Cache-Control: public, max-age=31536000 Content-Encoding: gzip Last-Modified: Wed, 24 May 2023 10:22:46 GMT ETag: 0x8DB5C40D13B95C7 x-ms-request-id: 714daa19-401e-0083-1b30-0b1d20000000 x-ms-version: 2009-09-19 x-ms-lease-status: unlocked x-ms-blob-type: BlockBlob Access-Control-Expose-Headers: x-ms-request-id,Server,x-ms-version,Content-Type,Content-Encoding,Cache-Control,Last-Modified,ETag,x-ms-lease-status,x-ms-blob-type,Content-Length,Date,Transfer-Encoding Access-Control-Allow-Origin: * x-azure-ref: 20231030T151420Z-910eetzug957pb9wp116e3kb7s00000001yg00000001f25z X-Cache: TCP_HIT Accept-Ranges: bytes
2023-10-30 15:14:20 UTC	427	IN	Data Raw: 1f 8b 08 00 00 00 00 00 04 00 b5 59 db 6e db 48 12 fd 15 42 79 49 00 92 ee fb c5 13 07 f0 be ac 1f b2 d8 05 b2 a3 87 bc d1 b2 64 69 46 b6 1c 4b b1 63 0c f6 df f7 9c ee 26 29 c9 f6 4c 66 67 03 47 15 f6 85 d5 dd 55 d5 a7 2e 7c bf 7d b8 ae be dd ac 6f b7 67 93 e5 6e 77 77 7a 72 f2 f8 f8 d8 3e ea 76 73 7f 7d a2 84 10 27 98 31 c9 53 4e bf ad 57 b7 bf be 34 51 c6 18 4f d2 e8 a4 7a 5c 5d ed 96 67 13 6d d5 a4 5a ce 57 d7 cb dd d9 44 7a 37 a9 1e 56 f3 c7 bf 6d be 9d 4d 44 25 2a 0c 57 ec fd f0 fe 6a be d8 7e 78 bf dd 3d ad e7 1f da ee b7 c5 6a bd 3e bd dd dc ce 7f fa 4f 7b 99 5b 6f bc e6 1f 3a 66 a5 63 a1 ac 50 0a 1d 57 fd 8c c5 65 27 04 3a e6 a5 43 88 ce cc 17 e8 58 f4 af 2c 2e 63 9a 71 fd db 6c bd ba 6b ee ba dd f2 f4 eb fd fa ed 9b ee 1d 7a 97 75 fb f4 db e6 ae Data Ascii: YnHByIdiFKc&)LfgGU.\|}ognwwzr>vs}'1SNW4QOz\]gmZWDz7VmMD%*Wj~x=j>O{[o:fcPWe':CX,.cqlkzu

Timestamp	kBytes transferred	Direction	Data
2023-10-30 15:12:48 UTC	36	IN	HTTP/1.1 200 OK Date: Mon, 30 Oct 2023 15:12:48 GMT Content-Type: application/x-javascript Content-Length: 115912 Connection: close Cache-Control: public, max-age=31536000 Content-Encoding: gzip Last-Modified: Mon, 25 Sep 2023 22:41:59 GMT ETag: 0x8DBBE18A0D8BB3A x-ms-request-id: d790c2e8-801e-001b-6e03-0aa246000000 x-ms-version: 2009-09-19 x-ms-lease-status: unlocked x-ms-blob-type: BlockBlob Access-Control-Expose-Headers: x-ms-request-id,Server,x-ms-version,Content-Type,Content-Encoding,Cache-Control,Last-Modified,ETag,x-ms-lease-status,x-ms-blob-type,Content-Length,Date,Transfer-Encoding Access-Control-Allow-Origin: * x-azure-ref: 20231030T151248Z-5qp42t5emh4vfdtv1ukt0xm6kc00000000yg000000015npc X-Cache: TCP_HIT Accept-Ranges: bytes
2023-10-30 15:12:48 UTC	37	IN	Data Raw: 1f 8b 08 00 00 00 00 00 04 00 e4 bd 7b 77 e3 38 8e 38 fa ff fd 14 8e 66 6f c6 ee 28 2e cb af c4 4a ab b3 ce ab ca d3 49 9c 89 93 ee 99 4d 65 72 64 89 76 d4 91 25 af 24 e7 31 8e f7 b3 ff 00 90 94 28 59 4e 55 cd ee dd 7b ee b9 bd b3 29 8b 04 5f 20 00 02 24 08 7e fa 69 eb ff aa fc 54 d9 fd fe ff 2a a3 9b fe f5 4d 65 78 56 b9 f9 32 b8 3e a9 5c c1 d7 df 2b 97 c3 9b c1 f1 e9 f7 d7 83 8d e2 ff df 3c 7a 71 65 e2 f9 ac 02 ff 8e ed 98 b9 95 30 a8 84 51 c5 0b 9c 30 9a 87 91 9d b0 b8 32 83 bf 91 67 fb 95 49 14 ce 2a c9 23 ab cc a3 f0 0f e6 24 71 c5 f7 e2 04 0a 8d 99 1f be 54 aa 50 5d e4 56 ae ec 28 79 ab 0c ae 6a 75 a8 9f 41 6d de d4 0b a0 b4 13 ce df e0 f7 63 52 09 c2 c4 73 58 c5 0e 5c aa cd 87 8f 20 66 95 45 e0 b2 a8 f2 f2 e8 39 8f 95 0b cf 89 c2 38 9c 24 95 88 39 Data Ascii: {w88fo(.JIMerdv%$1(YNU{)_ $~iTMexV2>\+<zqe0Q02gI#$qTP]V(yjuAmcRsX\ fE98$9
2023-10-30 15:12:48 UTC	52	IN	Data Raw: 18 a0 00 d7 91 0d 29 63 53 27 6c b2 62 70 eb bf b6 d9 c8 48 aa fb dc 64 68 8a 78 17 2d 1e ef 02 30 ae 5a 0b d2 f0 8b b9 ad e0 58 61 6a 5a d7 f3 96 75 b5 a6 bb 14 95 a1 7e 34 c1 bf fd a1 ce 8f 0a b3 fa 16 8a f2 9a 57 f4 7d 69 c6 fb 77 ec 5e 1c 80 f9 7a 66 28 ae 56 f2 6a 0f 2e f9 39 ed 42 20 b7 c4 e2 45 64 46 0a 66 40 f8 bb 78 5b ff 10 4c 61 18 2e 47 64 e1 b8 15 11 d3 ee b6 69 2f 60 20 c8 04 10 e7 d4 0e 7c a0 12 df f2 00 af 60 13 d4 41 ab 72 e9 7e 0a de e2 ce 08 2e a9 87 ac 66 22 04 4e 7e 5c 07 0d 43 e1 e9 52 db 9e 49 97 e8 cc 68 d4 f8 de 4e 76 ad 8b 1d 56 71 cf 68 11 a1 ff b4 b0 21 85 c9 4b 17 df d1 0a 66 a9 ef 6c 7c 18 70 a7 10 91 71 1b f9 68 cf 1e 06 58 81 95 98 01 de 39 30 c5 c1 b2 87 36 2a e3 2b 22 1e 4b 41 8f b9 07 f9 92 12 49 ba 6a a8 b3 f0 51 68 ba Data Ascii: )cS'lbpHdhx-0ZXajZu~4W}iw^zf(Vj.9B EdFf@x[La.Gdi/` \|`Ar~.f"N~\CRIhNvVqh!Kfl\|pqhX906*+"KAIjQh
2023-10-30 15:12:48 UTC	68	IN	Data Raw: 15 fa 55 71 53 a6 4f d0 e2 7c 46 06 34 fc 51 35 2f 81 cc e2 74 5c 64 71 7a a8 c9 e2 74 5d 93 c5 e9 a4 92 58 76 b3 92 58 f6 80 11 a0 f4 16 25 08 94 fe c1 d5 9c 08 0c 5e 5b 93 dc 4c 9d 10 62 bb ce c9 b7 3e 3f a7 42 5d 9d d5 29 2b b5 e2 78 19 ac ce c8 5e 7e ad 90 30 a2 19 b1 fc 1c 00 97 3b 9d 39 07 51 13 45 6f 33 b1 92 11 b4 fa 14 ec da bf 83 49 a7 1f 27 f0 35 5a ac a2 5b fc 2a 62 15 19 13 aa 1c fd ac a1 bb 7d e8 56 37 f5 53 08 6f ff 56 fb 0a 2c cb 6c 72 e3 2c 3a f7 38 20 94 f5 39 03 83 c0 d7 d1 90 aa 3f 0c ec 9b f8 32 b1 ef 95 9f 55 f9 80 a9 11 bf bc 49 72 37 0e 46 76 f5 38 72 0c 5f 20 58 eb 1b 67 05 85 3a f7 1f 45 f8 ea 65 81 ac d2 a7 e3 ad 6d c5 e1 06 a3 79 89 1a 65 01 8b 4a 90 5f 26 f1 4e 47 fb 9f 98 79 2a 17 bc c0 75 31 73 b1 41 15 8b a1 b7 a8 41 24 ce Data Ascii: UqSO\|F4Q5/t\dqzt]XvX%^[Lb>?B])+x^~0;9QEo3I'5Z[b}V7SoV,lr,:8 9?2UIr7Fv8r_ Xg:EemyeJ_&NGyu1sAA$
2023-10-30 15:12:48 UTC	84	IN	Data Raw: 15 84 83 88 bf e0 44 30 12 d1 02 a6 be 81 fb aa 21 ea 69 10 06 4e 03 3b d2 e0 75 0e 54 8c ee 19 e0 50 25 1c 2e aa 1b ad 09 25 b3 41 b1 68 3b a5 c1 fb 8b 51 df 0a 27 5e a9 b8 47 a9 59 e1 03 16 4f f5 6d c8 fb 4c e1 df a1 4a d5 91 1f 74 66 d1 c8 18 49 1a 5e d0 c5 62 8d cc e9 80 68 e2 b0 56 ba e3 8d 37 47 78 63 02 30 e7 21 0e 7d e5 88 26 e2 68 11 ad af 39 a7 d5 d3 c3 3e 5b 48 bc ca 61 51 06 c1 2b 9c 36 4b 6c 32 90 c0 50 a9 a1 e0 ac 90 41 6d 14 0a 4b 27 67 27 42 85 9c 15 14 b5 a3 ca ce b6 17 fa d3 69 eb 7d 88 d7 7d da 91 87 3d 3b 75 73 38 c2 0e 7a 94 c5 a1 4f 08 db 6e 9f 15 cb a1 0f d4 b2 c8 28 8c cc 49 95 3d 4c 5c b3 9d d9 2c eb 42 2f db 76 26 14 45 85 a0 6c 90 90 a5 a5 70 c6 3e 32 06 cf 9a d6 7e 90 ec 51 6c 54 87 70 8e 14 41 7a d0 43 3c 37 8c 92 aa 89 9c d2 Data Ascii: D0!iN;uTP%.%Ah;Q'^GYOmLJtfI^bhV7Gxc0!}&h9>[HaQ+6Kl2PAmK'g'Bi}}=;us8zOn(I=L\,B/v&Elp>2~QlTpAzC<7
2023-10-30 15:12:48 UTC	100	IN	Data Raw: d1 1a f9 3e 41 ce fd 3c 76 65 b6 ae 2f ff c6 85 7c 0c 7d ea 12 85 47 64 01 9f 11 80 b3 ee 32 6c 00 7c 60 7a 4c a0 ef ee 0b 74 6d af dd 35 94 6a 6b f7 25 61 d2 ba 6b ab e4 a9 ba 23 8c 26 ee 57 58 63 c5 d7 de 51 5a c2 ae c3 c4 ad a8 5b 8d 7a 4c 0c 10 6f a1 f7 3e 1d 4f d2 12 84 f1 ac f7 6b 7a b3 81 1a 48 93 01 ff 2b 08 75 b3 9c f9 a2 2d 5c ec 15 45 1e 77 42 fe 80 4a ac f9 98 c9 a8 9f 36 28 b8 95 42 c6 97 68 12 b7 8b 73 60 18 ef 1a 80 fb 3d e3 c5 6e ae 1c 01 18 26 e0 08 9b 9e 52 74 4a de 46 36 f6 3b 77 0c 0a 28 67 87 01 54 fa 16 59 57 cd 5f d3 e1 1d b2 0e 80 68 17 9d 64 a7 52 68 c4 df 30 47 85 50 09 37 1d c0 c9 8a c6 59 54 c1 5c a5 30 3c 5f cb 68 e2 16 ec 20 5e b1 27 08 21 88 b4 35 df 09 c1 60 c4 04 1c 82 3e b8 9f 60 0f e2 17 ef 2b bd b4 9b 10 54 06 3b b0 32 Data Ascii: >A<ve/\|}Gd2l\|`zLtm5jk%ak#&WXcQZ[zLo>OkzH+u-\EwBJ6(Bhs`=n&RtJF6;w(gTYW_hdRh0GP7YT\0<_h ^'!5`>`+T;2
2023-10-30 15:12:48 UTC	116	IN	Data Raw: 36 21 21 78 99 16 30 52 e2 11 d7 36 5d 17 a4 60 6a 26 e1 61 d2 99 f4 29 d7 98 bb 60 34 44 66 c2 40 f8 80 7b c3 c1 16 03 ab 1c c6 34 a9 1d 70 eb 20 92 3c b0 63 16 84 66 04 2a d0 03 26 25 e0 da 80 2b ed 8a 2d 7e 90 4b 20 98 0e e2 3b 05 8d 65 04 ea 15 77 a3 c1 23 8c 5c 20 f4 28 75 31 68 90 92 08 2d 3f ff 20 4e 4d e0 c4 09 8b 6c c2 03 46 6d 92 82 0b 60 ba 16 08 f5 80 13 98 16 0b 22 ff 30 e4 a0 2d a3 04 1c 24 cf 72 43 d7 4c 30 46 10 38 20 28 d0 d9 b5 13 20 97 f0 30 e7 ed 02 37 06 7f 3d 35 2d 17 fe 88 05 64 ed 00 09 50 db 27 81 0d 6b 07 32 f7 20 a8 d3 ca c9 b6 29 c8 21 37 f0 c0 13 64 5e 0a 0e 8d 19 31 8b 7b 36 28 27 70 04 0e 22 22 40 37 99 16 58 c4 a9 1f 10 ee 82 21 06 0e 80 e3 c3 98 be 0d 0e 9a 1f 1c 26 1e df 24 7a f8 2c a2 34 a4 11 8d c0 84 0d 41 b7 7b 60 58 Data Ascii: 6!!x0R6]`j&a)`4Df@{4p <cf*&%+-~K ;ew#\ (u1h-? NMlFm`"0-$rCL0F8 ( 07=5-dP'k2 )!7d^1{6('p""@7X!&$z,4A{`X
2023-10-30 15:12:48 UTC	132	IN	Data Raw: 11 8a 16 1d 78 10 63 af 6b d1 56 ad 92 57 c5 45 49 f9 46 15 d6 aa b2 a5 97 e5 b6 2a f7 9b 78 87 4e c7 9b 9d 15 55 2d dc b4 f5 0a 4e 3e 67 e9 38 07 82 ff 99 9f 3e f9 b8 1a 1b ff 77 7c 7f fe 9a 1c fd ef db bb f3 c9 fd 7b f7 8c a9 91 19 93 19 c8 8e 1a 2a 4f 74 40 e6 58 fd b0 ae e0 ed fd 8d ee 9a 10 56 03 81 0c 1a 3d 59 8a 6b b4 c7 06 31 26 c7 9a 1e 66 18 79 5f 00 89 34 d0 5d a9 d9 18 d8 f7 7c fb 2c d6 38 b8 58 0f f9 f9 6a 5a 2f ba b6 2f 40 74 8b 5f 5e de ca 27 7a 4c 58 ac 63 9c f6 77 5c bf 32 1b 78 8e f8 d5 b8 3d 1f d9 2d 9f c1 0a ad f0 43 64 82 48 8e f9 ed db e3 de db 09 76 0a c3 88 36 6d 28 24 56 30 08 27 ef 6f c2 ca df 9b dd e7 ef 9e 5f e0 47 4c 67 3f 3d f8 9f f8 9f 0f 9e fd f2 64 d2 50 dd ba d2 71 6b 06 88 1d 1c 10 7a d2 55 eb 2b 5d 8e 85 d3 35 78 40 e6 Data Ascii: xckVWEIFxNU-N>g8>w\|{Ot@XV=Yk1&fy_4]\|,8XjZ//@t_^'zLXcw\2x=-CdHv6m($V0'o_GLg?=dPqkzU+]5x@
2023-10-30 15:12:48 UTC	148	IN	Data Raw: af 9e b3 95 0c 9b 68 57 17 82 c4 1c bf 46 f0 f5 ba 99 53 c3 36 12 07 22 d4 a7 32 67 d6 a4 0e 2f cf d4 a4 d5 fa 58 90 02 0b ea d8 32 9d aa 56 09 8c 7a 6b 59 01 fc 80 fe d2 3e 6b c2 87 e8 b5 cc ce fd 10 03 35 c8 53 72 74 04 61 06 38 68 ec 14 c2 8f ea c8 56 ae 76 9a 87 0e cf c2 73 6d f9 9c bf 7c da 5f 89 f9 af cc c1 5e 74 81 5a 81 52 1f 7c dd 80 35 81 8b 0e 74 0f 37 ca 5c a7 c4 97 38 4e 73 ab 16 63 4e ac 1f d0 71 e2 9f a3 bd db 5f e5 4c b3 16 3f 6d 0e af 0a 2a e3 e4 21 57 2b f3 8e 59 90 79 92 6c 5a 43 16 12 bd f1 2b e6 89 51 aa 84 cb 0f 60 dd a0 8d ac 75 de f2 e7 46 10 4e e1 c4 08 7c 88 1d bd 4b 37 32 3d c9 4b 68 2e e6 a9 d8 80 89 bc bc 5a 26 26 68 b5 33 60 88 de 65 25 5f 62 c1 a3 e8 53 86 44 f3 96 1c 19 3b 71 a7 9e cc 76 53 8e 0f f7 72 29 b0 64 cf e7 3d 69 Data Ascii: hWFS6"2g/X2VzkY>k5Srta8hVvsm\|_^tZR\|5t7\8NscNq_L?m*!W+YylZC+Q`uFN\|K72=Kh.Z&&h3`e%_bSD;qvSr)d=i

Target ID:	0
Start time:	16:12:42
Start date:	30/10/2023
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://t.infomail.microsoft.com/r/?id=h33e6dcea,30eb2eb9,30f0bfad&e=b2NpZD0&s=sdF7TZmeHSMvab1SVCnXSk8UeptkNLUsLWNIE9RJuvA
Imagebase:	0x7ff71e7f0000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://t.infomail.microsoft.com/r/?id=h33e6dcea,30eb2eb9,30f0bfad&e=b2NpZD0&s=sdF7TZmeHSMvab1SVCnXSk8UeptkNLUsLWNIE9RJuvA

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Phishing

Compliance

Networking

System Summary

Boot Survival

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Chrome Cache Entry: 120

Chrome Cache Entry: 121

Chrome Cache Entry: 122

Chrome Cache Entry: 123

Chrome Cache Entry: 124

Chrome Cache Entry: 125

Chrome Cache Entry: 126

Chrome Cache Entry: 127

Chrome Cache Entry: 128

Chrome Cache Entry: 129

Chrome Cache Entry: 130

Chrome Cache Entry: 131

Chrome Cache Entry: 132

Chrome Cache Entry: 133

Chrome Cache Entry: 134

Chrome Cache Entry: 135

Chrome Cache Entry: 136

Chrome Cache Entry: 137

Chrome Cache Entry: 138

Chrome Cache Entry: 139

Chrome Cache Entry: 140

Chrome Cache Entry: 141

Chrome Cache Entry: 142

Windows Analysis Report
https://t.infomail.microsoft.com/r/?id=h33e6dcea,30eb2eb9,30f0bfad&e=b2NpZD0&s=sdF7TZmeHSMvab1SVCnXSk8UeptkNLUsLWNIE9RJuvA

Description:	Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring Application Access Token .
Tactics:	Initial Access
Data Sources:	Network device logs, Network intrusion detection system, Packet capture, Process use of network, SSL/TLS inspection, Web proxy
Platforms:	Linux, macOS, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre