Edit tour

Windows Analysis Report
Remittance Advice B9623.HTML

Overview

General Information

Sample Name:	Remittance Advice B9623.HTML
Analysis ID:	1337736
MD5:	44a8ea27fc7849ee92442112d1f12de3
SHA1:	4c99958b4bcb9b89d433197f41f0d16f4b6737f1
SHA256:	a116b3362f5b8c0ff155e65ff314231c36beef5d620e4db28eaa3a01a71679b0
Infos:

Detection

HTMLPhisher

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected HtmlPhish10

HTML file submission containing password form

HTML document with suspicious title

Phishing site detected (based on logo match)

HTML document with suspicious name

Creates files inside the system directory

None HTTPS page querying sensitive user data (password, username or email)

Stores files to the Windows start menu directory

JA3 SSL client fingerprint seen in connection with other malware

HTML body contains low number of good links

HTML title does not match URL

Suspicious form URL found

IP address seen in connection with other malware

Classification

Process Tree

System is w10x64_ra

chrome.exe (PID: 3040 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\Desktop\Remittance Advice B9623.HTML MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 5272 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1880 --field-trial-handle=2072,i,13270799758387245985,6612383874584642118,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Remittance Advice B9623.HTML	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security

HTML

Source	Rule	Description	Author	Strings
0.0.pages.csv	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security

HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=511=LtGInZ4I4WDrCvCHQBVMHOy4a-sqzpSrMO-Rwr8ezStTz_kfoi2bri7uGdXfNvskAEO_Tj5Jkwl0XSN-qA6MYiGShcDB_vNQOl1bpl3aua7gMrDRvWsHLpAuFBlBnNxTMeen95XElzx3r4myG8p8sgSHdx4NBawYGaI5oFn_dZ8

Source: unknown

DNS traffic detected: queries for: clients2.google.com

Source: global traffic	HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=117.0.5938.132&lang=en-US&acceptformat=crx3,puff&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26brand%3DONGR%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmiedaX-Goog-Update-Updater: chromecrx-117.0.5938.132Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /2018/02/publication_spreadsheet_screenshot_blurred.jpg HTTP/1.1Host: dfshultzblog.files.wordpress.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /wikipedia/commons/thumb/8/85/Microsoft_365_logo.png/1200px-Microsoft_365_logo.png HTTP/1.1Host: upload.wikimedia.orgConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /2018/02/publication_spreadsheet_screenshot_blurred.jpg HTTP/1.1Host: dfshultzblog.files.wordpress.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /wikipedia/commons/thumb/8/85/Microsoft_365_logo.png/1200px-Microsoft_365_logo.png HTTP/1.1Host: upload.wikimedia.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=BBWLTLTxOmoX+Lx&MD=CN9uEAYM HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=BBWLTLTxOmoX+Lx&MD=CN9uEAYM HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /tools/pso/ping?as=chrome&brand=ONGR&pid=&hl=en&events=C1I,C2I,C7I,C1S,C7S&rep=2&rlz=C1:,C2:,C7:&id=000000000000000000000000000000000000000084A5C6CB58 HTTP/1.1Host: clients1.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br

Source: unknown	HTTPS traffic detected: 23.1.237.25:443 -> 192.168.2.16:49703 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.16:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.16:49732 version: TLS 1.2

System Summary

HTML document with suspicious name

Source: Name includes: Remittance Advice B9623.HTML

Initial sample: advice

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Windows\SystemTemp\chrome_BITS_3040_1896138452

Jump to behavior

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\Desktop\Remittance Advice B9623.HTML
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1880 --field-trial-handle=2072,i,13270799758387245985,6612383874584642118,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1880 --field-trial-handle=2072,i,13270799758387245985,6612383874584642118,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Google Drive.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Jump to behavior

Source: classification engine

Classification label: mal64.phis.winHTML@14/10@16/8

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Stealing of Sensitive Information

HTML file submission containing password form

Source: file:///C:/Users/user/Desktop/Remittance%20Advice%20B9623.HTML

HTTP Parser: file:///C:/Users/user/Desktop/Remittance%20Advice%20B9623.HTML

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	1 Process Injection	11 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	3 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	4 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Ingress Tool Transfer	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
https://mx.azizrajelvivaaxraf.shop/app/8b1fbe0.php	0%	Avira URL Cloud	safe

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Reputation
accounts.google.com	142.251.33.109	true	false	high
s6.files.wordpress.com	192.0.72.26	true	false	high
www.google.com	142.251.33.100	true	false	high
upload.wikimedia.org	198.35.26.112	true	false	high
clients.l.google.com	142.251.33.78	true	false	high
dfshultzblog.files.wordpress.com	unknown	unknown	false	high
clients1.google.com	unknown	unknown	false	high
clients2.google.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://upload.wikimedia.org/wikipedia/commons/thumb/8/85/Microsoft_365_logo.png/1200px-Microsoft_365_logo.png	false	high
https://clients1.google.com/tools/pso/ping?as=chrome&brand=ONGR&pid=&hl=en&events=C1I,C2I,C7I,C1S,C7S&rep=2&rlz=C1:,C2:,C7:&id=000000000000000000000000000000000000000084A5C6CB58	false	high
https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=117.0.5938.132&lang=en-US&acceptformat=crx3,puff&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26brand%3DONGR%26ping%3Dr%253D-1%2526e%253D1	false	high
https://dfshultzblog.files.wordpress.com/2018/02/publication_spreadsheet_screenshot_blurred.jpg	false	high
file:///C:/Users/user/Desktop/Remittance%20Advice%20B9623.HTML	false	low
https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://mx.azizrajelvivaaxraf.shop/app/8b1fbe0.php	Remittance Advice B9623.HTML	false	Avira URL Cloud: safe	unknown
https://upload.wikimedia.org/wikipedia/commons/thumb/8/85/Microsoft_365_logo.png/1200px-Microsoft_36	Remittance Advice B9623.HTML	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.251.33.100	www.google.com	United States	15169	GOOGLEUS	false
142.251.215.238	unknown	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.251.33.78	clients.l.google.com	United States	15169	GOOGLEUS	false
142.251.33.109	accounts.google.com	United States	15169	GOOGLEUS	false
192.0.72.26	s6.files.wordpress.com	United States	2635	AUTOMATTICUS	false
198.35.26.112	upload.wikimedia.org	United States	14907	WIKIMEDIAUS	false

Private

IP
192.168.2.16

General Information

Joe Sandbox Version:	38.0.0 Ammolite
Analysis ID:	1337736
Start date and time:	2023-11-06 16:23:37 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 3m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	Remittance Advice B9623.HTML
Detection:	MAL
Classification:	mal64.phis.winHTML@14/10@16/8
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .HTML

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 104.117.234.93, 142.251.33.99, 34.104.35.123, 69.164.40.8, 142.250.217.67, 192.229.211.108, 23.32.75.35
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, edgedl.me.gvt1.com, slscr.update.microsoft.com, e16604.g.akamaiedge.net, update.googleapis.com, ctldl.windowsupdate.com, clientservices.googleapis.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: Remittance Advice B9623.HTML

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
239.255.255.250	_EXTERNAL_ ESA Quarantine - Phish using vendor compromised emails.msg	Get hash	malicious	Unknown	Browse
	https://mainpage.me/kanegraphical	Get hash	malicious	Unknown	Browse
	_EXTERNAL_ ESA Quarantine - email fails SPF checks.msg	Get hash	malicious	Phisher	Browse
	Magmutual Health Insurance Benefits Open Enrollment Plan.shtml	Get hash	malicious	HTMLPhisher	Browse
	https://pdjaywyzg.live/kRAG24d	Get hash	malicious	Unknown	Browse
	https://bafybeihcdppg5ryhs2n3ewfp4ckzj6hyqigmxo2rik6dubkr5oou4brqoi.ipfs.dweb.link/posster1.html#exeter@guidedogs.org.uk	Get hash	malicious	Unknown	Browse
	https://signinavvsamazoncom.easportingllct.online/?IjQix=FuX8s	Get hash	malicious	Unknown	Browse
	https://8798464654654.rnzja.io	Get hash	malicious	Unknown	Browse
	https://de5c3805-9477-4806-bf69-1b51e8a610b1.top/	Get hash	malicious	Unknown	Browse
	http://clicktracking.terravision.eu/ls/click?upn=fepIzgiF28f0p7JgNPG2wd9iwvEhTxwQlweRuKjv1e6CcOJ7eqCjVqUgicvT9rKXn7mDVFsuJTujxsxVZO83IQsL6xG5ftYTGUWDC8RRJFQ-3DWL5p_qdtC2FVHbxPR8PW0vDhOy5u7VZTf0l3iFsrvPLiieFGzGU6vIkTthbMhGBPLlkZ515G3J2lL9Xpn8ZHD7Y-2FKVUAB7XR-2F0CC44Qzq5iJrGEVO4fyzf2LO6t1QE6LMzMQl3IM2j9OyQ2svEaaD0w7j8A6O0OiSPlkaoyMFGB6Xihl93Hd6yPBlG0lq-2B8p8JStxdGK2-2BBCAVeH62D8JXSCosrVn6b-2BBVd0d7DjOq9g281MyQnLR1vIkPp4DwyGmz31sBDRbIH8cTGsmocdR0r-2Bwq0gt-2BcsAtOIr4C7i5QXXB40-3D	Get hash	malicious	Unknown	Browse
	https://in.xero.com/5MuReANKObbI60DorfKRStD9wwBGASE5R7I7NlTP?utm_source=invoiceEmailViewInvoiceButton	Get hash	malicious	Unknown	Browse
	https://versed-deserted-magnolia.pages.dev/?csa=eiwargaffg&eci=Waldemar.Kramer@zehndergroup.com	Get hash	malicious	HTMLPhisher	Browse
	https://api-eu.targetx.com/email-interact/redirect?id=MTEwMDAwNTMwIE5vbmUgOTE5MCBUTVNfdGVzdF9yZWNpcGllbnRfaWQ=&link=https://h74r5qb90wvfgn1.oyderxxkfs.ru/is7qh/#ZnJhbmNvaXNlLmNvbGxlb255QGlsZWRlZnJhbmNlLmZy	Get hash	malicious	HTMLPhisher	Browse
	Global Partners 401k Retirement Plan.shtml	Get hash	malicious	HTMLPhisher	Browse
	Global Partners Insurance Benefits Open Enrollment.shtml	Get hash	malicious	HTMLPhisher	Browse
	https://r20.rs6.net/tn.jsp?f=0012tqreJE6eph5wRlz3kGypk3hqAnDM7rJCqA38KCUEB7Ix7gvB0tTv4b9sI3ZwriqkAVlcXWU0b-xKUz-_kfimMQQc_bbOCm5RF7dC1zJDo3oB5SsGGFqZxwsuE1kuEVzRCZYL9HH_uZfBt6sf4d9Bg==&c=_HnGFulQBIlacMwDFnV-bEOLappfe3SeT_hRqPOotHsW_BOIJYGdRQ==&ch=6innl8VDzOWfNz6ZiScpVnecbl_qVI3laHw7iqPvTRO-6ei6XqibBA==	Get hash	malicious	HTMLPhisher	Browse
	https://url12.mailanyone.net/scanner?m=1qz1fS-0004Yn-3h&d=4%7Cmail%2F90%2F1699046400%2F1qz1fS-0004Yn-3h%7Cin12a%7C57e1b682%7C21208867%7C12850088%7C6545654636FE57E6E57961A1A15864D3&o=%2Fphta%3A%2Fstsnnmpmio-esphy.ireosapcntrm%2Fe.okaso_%2Faonlipsannsomekd_&s=DaCKk6Yup5aSac-p0fkQtpVQ_7Y	Get hash	malicious	Unknown	Browse
	file.0xad818da36c30.0xad818ca48660.ImageSectionObject.oneetx.exe.img.exe	Get hash	malicious	Unknown	Browse
	https://1cpcc.trk.elasticemail.com/tracking/click?d=eAaG_o9dO9qe1DS1Fv_6eTyrD7ldGqE4oV_q251yJRJNffwVCosNHPvH7EOdUMWCXzWyb62d8X2LMp-nVYdVGrBcqyGoDDDgN9lhyWByD2K7XSBhr29N9nZwZJstlzeAAstp0d8wX-WRywRAAA8Z_fs1	Get hash	malicious	Phisher	Browse
	https://0my8l.mjt.lu/lnk/AVEAACpnT8UAAAAAAAAAAD0z5gAAAAAADgQAAAAAABuWjwBlP6oF-LmFML58R2C2N3UdVtCPCgAad1c/7/5780qY7SSt1GfV6WAZhA_Q/aHR0cHM6Ly93d3cuaWRlbnRwcmludC5jb20vbWFpbC9tYWlsaW5nLzEyNC91bnN1YnNjcmliZT9yZXNfaWQ9ODg4NDgmZW1haWw9YmExMV9nYWMlNDBlbWZhLnB0JnRva2VuPTU3MTZlZDU5N2I3OWUyYzkyNjgwZDQ5MzFjOWI3OThjZTQ2NDBkYmQzODhhYjFlNmRmMjRlZGRlMGEzMDBiMDU4MTQzYzBlMjRiZWYxNjM1OTg2ZjgzMjE4ZWUwNDY4MWIwYjBlYThmNDQzMjQwOGRhYmQwYWZmZTFjOWI0NzBl	Get hash	malicious	HTMLPhisher	Browse
192.0.72.26	https://jinknk.wordpress.com/	Get hash	malicious	HTMLPhisher	Browse
198.35.26.112	e-Statement_Coquitlam October.html	Get hash	malicious	HTMLPhisher	Browse
	https://msds.open.edu/signon/samsoff2.aspx?URL=https%3a%2f%2fbredenkamp.co.za%2f.home%2fauths%2f6Ed2%2flaYhB%2f%2f%2f%2fcHJpdmFjeW9mZmljZXJAcmljLm9yZw==	Get hash	malicious	Unknown	Browse
	https://secure.payment-gateway.microransom.us/XVFdWa1dtaG5iM1UzU0dFME0yRlBkRUV2UVZWdE5qRkRRMGhFWTBOa1pIZFlSakpvVjJGSFJVbGlORTVEWkRnMU5rMW5lbmhWUlM5aVNubFFSbkJ4Y1hOTGFqRlBVR0k0YjNoR2VrNXRUM1pZVFVaSU55dDFVbWxFYmtaTk16RlpZVkJ3VTFGRVFUQlRWelZEY25oeVZUQmhZbEZtZVRZNVUza3JlV05MVDJ0cGVEVjFaVmxSY0VKVVprczFlazh6TW1WQ01FeDVWRFZhUW5OSVkxcExiemxEVUhOWlpXTTVhekJDYkc1SU1HeFFaVWRWV0ZoNGF6TXpkVmR4YVVWRUxTMVdSMHMwVFdjdlpXRkNlSE4yY1ROUlRIRnNMM2xuUFQwPS0tNjhiMWYwNjY4YmZhYjI2MjgwYWIzNzc4MDEwMzMxNmU2NzE2ZmRhNw==?cid=1747653071	Get hash	malicious	Unknown	Browse
	PO723-0830-01-R1.Xls.html	Get hash	malicious	HTMLPhisher	Browse
	https://www.off-re.ru/.6%20c%207/pub-7/ee2ddd450d4/4963aa4c36/a91b2eb6ed/3756c746/96e672e636f6/	Get hash	malicious	HTMLPhisher	Browse
	http://arr040.matrixlandline.com/#bS5tYXJ0aW5AaGVsbWl0aW4uY29t	Get hash	malicious	Unknown	Browse
	https://receipt1483974.cardom-ingenieria.com/	Get hash	malicious	Unknown	Browse
	https://scnv.io/ONN5	Get hash	malicious	HTMLPhisher	Browse
	https://www.off-re.ru/.6%20c%207/pub-7/ee2ddd450d4/4963aa4c36/a91b2eb6ed/3756c746/96e672e636f6/	Get hash	malicious	HTMLPhisher	Browse
	https://www.off-re.ru/.6%20c%207/pub-7/ee2ddd450d4/4963aa4c36/a91b2eb6ed/3756c746/96e672e636f6/	Get hash	malicious	HTMLPhisher	Browse
	https://docu-6b8.pages.dev/	Get hash	malicious	HTMLPhisher	Browse
	http://0-884.com	Get hash	malicious	Phisher	Browse
	https://0-884.com/organisation/vidaassssss/lasenassssss//Y2VjaWVzdGludGVzdEBsaXZlLmNvbQ	Get hash	malicious	Phisher	Browse
	https://0-884.com/organisation/vidaassssss/lasenassssss//Y2VjaWVzdGludGVzdEBsaXZlLmNvbQ	Get hash	malicious	Phisher	Browse
	https://ss.realgreen.com/Get?i=XpvlNk8IbNc0tOEmacuxsMFL7cFRtm8m1CQ74Vc_y306KxrXnoFejfCDmzxnERrNMiA7lGr2F-HNwPo28HTGF0mWO5aRibOkeRYtMeX09s3FCdS4ZpB1lF7o3pKyqk0aoMtJF0nVmvK22aE_PoWqerzI8OUKH2RjcRw9UNhi7301&t=3&u=//jessicacurtisjohnson.com//pov/snz/O%20V%206/#c3RldmUua25pZ2h0QGNhYS5jby51aw==	Get hash	malicious	Unknown	Browse
	martin.robertson-msg2486_Thursday September 2023.html	Get hash	malicious	Unknown	Browse
	Sequestration.html	Get hash	malicious	HTMLPhisher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s6.files.wordpress.com	https://jinknk.wordpress.com/	Get hash	malicious	HTMLPhisher	Browse	192.0.72.26
upload.wikimedia.org	https://s3dj940.r.us-east-1.awstrack.me/L0/https:%2F%2Fscoalaautovlad.ro%2Fwp-inlcudes%2Fyrgftrgf%2Fkwj1Bv%2FZ3Njb3R0QHdoZWxlbi5jb20=/1/0100018b985215e0-7180c117-b50d-41a4-81a6-cea0d31ef04c-000000/3ypcYBsUPgiVZDpdx86niGXkcRo=346	Get hash	malicious	Unknown	Browse	208.80.154.240
	PO723-0830-01-R1.Xls.html	Get hash	malicious	HTMLPhisher	Browse	208.80.154.240
	https://docshare.docshare.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	208.80.154.240
	https://xeroxdocshare.docshare.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	208.80.154.240
	PayStub-Xero038w578.htm	Get hash	malicious	HTMLPhisher	Browse	208.80.154.240
	https://crypt.single-sign-on.password.land/XTjJsQ09Ya3pSMnM1V2k5RFEyOVhRMWwzYzNaQ1pFcFNaUzlrTVhCNWRYWlhTbGRKVVZWNlVqZGhabTVqTlVOU1REbDJhWEF4Y0dGRldYcFpRbUYzV21saGFtdHFXVFo2VlZoNGEzaFlTMjR2YjFJMlZrOVlTQ3Q0V1VvNGNYVjRTV2hxTlc4NFEwRm5jVVY1YWs1eE1sZzVSbTlRYUc5aFdUTm5VMWhLZFcweWFrZDBaVGc1V1RKNlpWVnNNRFpyYVhwc2VXVm9ja0pNUlRSbk9UZDJTVWx3VkZGMWNDOUZSazFvYzBWNFVURkxOM2MzVHk4d09XZExORU5XVjJaa2RtdFVSRVU1ZDFWcGRFOXpPRGxzWkd0dVRtbHVSRmczUnpsdk4yNDBTVnA0YlhCVlVXcHFSRmRuZHowdExWTmtObFpsZWpWRFYyRjRkbWh0WjB0WFMwRmlZVUU5UFE9PS0tZTVlMjM2NzQ3N2YxNjk5MWQzNTMyOGZkZjMyNzJjZDIxMWNlNDZlNw==?cid=1780084960	Get hash	malicious	HTMLPhisher	Browse	208.80.154.240
	e-Statement_Coquitlam October.html	Get hash	malicious	HTMLPhisher	Browse	198.35.26.112
	e-Statement_Coquitlam October.html	Get hash	malicious	HTMLPhisher	Browse	208.80.154.240
	e-Statement_Coquitlam October.html	Get hash	malicious	HTMLPhisher	Browse	208.80.154.240
	https://flowpressstudio.blogspot.com	Get hash	malicious	HTMLPhisher	Browse	208.80.154.240
	https://yaazuuii.github.io/steam/	Get hash	malicious	Unknown	Browse	208.80.154.240
	https://msds.open.edu/signon/samsoff2.aspx?URL=https%3a%2f%2fbredenkamp.co.za%2f.home%2fauths%2f6Ed2%2flaYhB%2f%2f%2f%2fcHJpdmFjeW9mZmljZXJAcmljLm9yZw==	Get hash	malicious	Unknown	Browse	198.35.26.112
	https://secure.payment-gateway.microransom.us/XVFdWa1dtaG5iM1UzU0dFME0yRlBkRUV2UVZWdE5qRkRRMGhFWTBOa1pIZFlSakpvVjJGSFJVbGlORTVEWkRnMU5rMW5lbmhWUlM5aVNubFFSbkJ4Y1hOTGFqRlBVR0k0YjNoR2VrNXRUM1pZVFVaSU55dDFVbWxFYmtaTk16RlpZVkJ3VTFGRVFUQlRWelZEY25oeVZUQmhZbEZtZVRZNVUza3JlV05MVDJ0cGVEVjFaVmxSY0VKVVprczFlazh6TW1WQ01FeDVWRFZhUW5OSVkxcExiemxEVUhOWlpXTTVhekJDYkc1SU1HeFFaVWRWV0ZoNGF6TXpkVmR4YVVWRUxTMVdSMHMwVFdjdlpXRkNlSE4yY1ROUlRIRnNMM2xuUFQwPS0tNjhiMWYwNjY4YmZhYjI2MjgwYWIzNzc4MDEwMzMxNmU2NzE2ZmRhNw==?cid=1747653071	Get hash	malicious	Unknown	Browse	198.35.26.112
	PO723-0830-01-R1.Xls.html	Get hash	malicious	HTMLPhisher	Browse	198.35.26.112
	https://www.off-re.ru/.6%20c%207/pub-7/ee2ddd450d4/4963aa4c36/a91b2eb6ed/3756c746/96e672e636f6/	Get hash	malicious	HTMLPhisher	Browse	198.35.26.112
	http://arr040.matrixlandline.com/#bS5tYXJ0aW5AaGVsbWl0aW4uY29t	Get hash	malicious	Unknown	Browse	198.35.26.112
	https://receipt1483974.cardom-ingenieria.com/	Get hash	malicious	Unknown	Browse	198.35.26.112
	https://scnv.io/ONN5	Get hash	malicious	HTMLPhisher	Browse	198.35.26.112
	https://www.off-re.ru/.6%20c%207/pub-7/ee2ddd450d4/4963aa4c36/a91b2eb6ed/3756c746/96e672e636f6/	Get hash	malicious	HTMLPhisher	Browse	198.35.26.112
	https://www.off-re.ru/.6%20c%207/pub-7/ee2ddd450d4/4963aa4c36/a91b2eb6ed/3756c746/96e672e636f6/	Get hash	malicious	HTMLPhisher	Browse	198.35.26.112

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AUTOMATTICUS	https://s3dj940.r.us-east-1.awstrack.me/L0/https:%2F%2Fscoalaautovlad.ro%2Fwp-inlcudes%2Fyrgftrgf%2Fkwj1Bv%2FZ3Njb3R0QHdoZWxlbi5jb20=/1/0100018b985215e0-7180c117-b50d-41a4-81a6-cea0d31ef04c-000000/3ypcYBsUPgiVZDpdx86niGXkcRo=346	Get hash	malicious	Unknown	Browse	192.0.78.26
	https://selligenttier.naylorcampaigns.com/track?type=click&enid=ZWFzPTEmbXNpZD0mYXVpZD0mbWFpbGluZ2lkPTYyNDExMiZtZXNzYWdlaWQ9NjI0MTEyJmRhdGFiYXNlaWQ9NjI0MTEyJnNlcmlhbD0xNjgyODQwNyZlbWFpbGlkPVRpbUBFbGV2YXRlZGNnLmNvbSZ1c2VyaWQ9MjExMTg2JnRhcmdldGlkPSZtbj0mZmw9Jm12aWQ9JmV4dHJhPSYmJg==&&&9999&&&https://estereovidadarien.org/uwcz/PZHYt/aHJAdXNtZXRyb2JhbmsuY29t	Get hash	malicious	HTMLPhisher	Browse	192.0.78.27
	https://applogyx.com//caltitle.html	Get hash	malicious	HTMLPhisher	Browse	192.0.77.2
	https://neon.page/jarosbaum-bolles	Get hash	malicious	Unknown	Browse	192.0.77.48
	PGiUp8uqGt.exe	Get hash	malicious	FormBook	Browse	192.0.78.25
	PO723-0830-01-R1.Xls.html	Get hash	malicious	HTMLPhisher	Browse	192.0.77.2
	https://newgamingcodes.com/elemental-dungeons-codes/	Get hash	malicious	Unknown	Browse	192.0.78.22
	http://thesocietyhotel.com	Get hash	malicious	Unknown	Browse	192.0.76.3
	http://freshsociety.info	Get hash	malicious	Unknown	Browse	192.0.66.24
	Bank_Information.doc	Get hash	malicious	FormBook	Browse	192.0.78.24
	https://pilotl.ink/r?i=howdy&e=cbstuqapdt2qjdyseeabazkabxpfwh2hs34pl5adac7niw33dpfc3r6t2p74d4iu3wkfbrp3x5otymzawi3wj6unvaful7723trbm4mhlshazedruueefeoi2phhcgao7llh6v4kv5kntajqnk4dgvdc6alcfxbzokounbriy7edemwg4zswa6noduzbhm4mpvhptzaswerirf4ymm3vqa2sztdruwr3cc6a	Get hash	malicious	Unknown	Browse	192.0.76.3
	https://pilotl.ink/r?i=howdy&e=cbstuqapdt2qjdyseeabazkabxpfwh2hs34pl5adac7niw33dpfc3r6t2p74d4iu3wkfbrp3x5otymzawi3wj6unvaful7723trbm4mhlshazedruueefeoi2phhcgao7llh6v4kv5kntajqnk4dgvdc6alcfxbzokounbriy7edemwg4zswa6noduzbhm4mpvhptzaswerirf4ymm3vqa2sztdruwr3cc6a	Get hash	malicious	Unknown	Browse	192.0.76.3
	http://veweeoqh.email/data?_ts=873b3377fcc5f21d21f695cb9b58b61f	Get hash	malicious	Unknown	Browse	192.0.78.27
	JLavGK0bZb.exe	Get hash	malicious	FormBook	Browse	192.0.78.25
	https://allinfo.space/2021/11/13/forklart-hvordan-nasas-dart-oppdrag-vil-treffe-og-avlede-en-asteroide/	Get hash	malicious	HTMLPhisher	Browse	192.0.73.2
	https://bestandssm.xyz/product_details/3974767.html	Get hash	malicious	Unknown	Browse	192.0.78.221
	http://gemmadeealexander.com	Get hash	malicious	HTMLPhisher	Browse	192.0.76.3
	http://jessicadire.com	Get hash	malicious	Unknown	Browse	192.0.77.48
	ForwardedAttachment_2 (1).html	Get hash	malicious	Unknown	Browse	192.0.73.2
	https://allezlens.fr/	Get hash	malicious	Unknown	Browse	192.0.77.40
WIKIMEDIAUS	https://s3dj940.r.us-east-1.awstrack.me/L0/https:%2F%2Fscoalaautovlad.ro%2Fwp-inlcudes%2Fyrgftrgf%2Fkwj1Bv%2FZ3Njb3R0QHdoZWxlbi5jb20=/1/0100018b985215e0-7180c117-b50d-41a4-81a6-cea0d31ef04c-000000/3ypcYBsUPgiVZDpdx86niGXkcRo=346	Get hash	malicious	Unknown	Browse	208.80.154.224
	PO723-0830-01-R1.Xls.html	Get hash	malicious	HTMLPhisher	Browse	208.80.154.240
	https://docshare.docshare.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	208.80.154.240
	https://xeroxdocshare.docshare.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	208.80.154.240
	https://download.onelaunch.com/latest/Onelaunch%20Software.exe	Get hash	malicious	Unknown	Browse	208.80.154.224
	https://download.onelaunch.com/latest/Onelaunch%20Software.exe	Get hash	malicious	Unknown	Browse	208.80.154.224
	PayStub-Xero038w578.htm	Get hash	malicious	HTMLPhisher	Browse	208.80.154.240
	https://crypt.single-sign-on.password.land/XTjJsQ09Ya3pSMnM1V2k5RFEyOVhRMWwzYzNaQ1pFcFNaUzlrTVhCNWRYWlhTbGRKVVZWNlVqZGhabTVqTlVOU1REbDJhWEF4Y0dGRldYcFpRbUYzV21saGFtdHFXVFo2VlZoNGEzaFlTMjR2YjFJMlZrOVlTQ3Q0V1VvNGNYVjRTV2hxTlc4NFEwRm5jVVY1YWs1eE1sZzVSbTlRYUc5aFdUTm5VMWhLZFcweWFrZDBaVGc1V1RKNlpWVnNNRFpyYVhwc2VXVm9ja0pNUlRSbk9UZDJTVWx3VkZGMWNDOUZSazFvYzBWNFVURkxOM2MzVHk4d09XZExORU5XVjJaa2RtdFVSRVU1ZDFWcGRFOXpPRGxzWkd0dVRtbHVSRmczUnpsdk4yNDBTVnA0YlhCVlVXcHFSRmRuZHowdExWTmtObFpsZWpWRFYyRjRkbWh0WjB0WFMwRmlZVUU5UFE9PS0tZTVlMjM2NzQ3N2YxNjk5MWQzNTMyOGZkZjMyNzJjZDIxMWNlNDZlNw==?cid=1780084960	Get hash	malicious	HTMLPhisher	Browse	208.80.154.240
	e-Statement_Coquitlam October.html	Get hash	malicious	HTMLPhisher	Browse	208.80.153.240
	e-Statement_Coquitlam October.html	Get hash	malicious	HTMLPhisher	Browse	208.80.154.224
	e-Statement_Coquitlam October.html	Get hash	malicious	HTMLPhisher	Browse	208.80.154.224
	https://flowpressstudio.blogspot.com	Get hash	malicious	HTMLPhisher	Browse	208.80.154.240
	https://yaazuuii.github.io/steam/	Get hash	malicious	Unknown	Browse	208.80.154.240
	https://msds.open.edu/signon/samsoff2.aspx?URL=https%3a%2f%2fbredenkamp.co.za%2f.home%2fauths%2f6Ed2%2flaYhB%2f%2f%2f%2fcHJpdmFjeW9mZmljZXJAcmljLm9yZw==	Get hash	malicious	Unknown	Browse	198.35.26.96
	https://secure.payment-gateway.microransom.us/XVFdWa1dtaG5iM1UzU0dFME0yRlBkRUV2UVZWdE5qRkRRMGhFWTBOa1pIZFlSakpvVjJGSFJVbGlORTVEWkRnMU5rMW5lbmhWUlM5aVNubFFSbkJ4Y1hOTGFqRlBVR0k0YjNoR2VrNXRUM1pZVFVaSU55dDFVbWxFYmtaTk16RlpZVkJ3VTFGRVFUQlRWelZEY25oeVZUQmhZbEZtZVRZNVUza3JlV05MVDJ0cGVEVjFaVmxSY0VKVVprczFlazh6TW1WQ01FeDVWRFZhUW5OSVkxcExiemxEVUhOWlpXTTVhekJDYkc1SU1HeFFaVWRWV0ZoNGF6TXpkVmR4YVVWRUxTMVdSMHMwVFdjdlpXRkNlSE4yY1ROUlRIRnNMM2xuUFQwPS0tNjhiMWYwNjY4YmZhYjI2MjgwYWIzNzc4MDEwMzMxNmU2NzE2ZmRhNw==?cid=1747653071	Get hash	malicious	Unknown	Browse	198.35.26.112
	PO723-0830-01-R1.Xls.html	Get hash	malicious	HTMLPhisher	Browse	198.35.26.112
	https://www.off-re.ru/.6%20c%207/pub-7/ee2ddd450d4/4963aa4c36/a91b2eb6ed/3756c746/96e672e636f6/	Get hash	malicious	HTMLPhisher	Browse	198.35.26.96
	http://arr040.matrixlandline.com/#bS5tYXJ0aW5AaGVsbWl0aW4uY29t	Get hash	malicious	Unknown	Browse	198.35.26.96
	https://receipt1483974.cardom-ingenieria.com/	Get hash	malicious	Unknown	Browse	198.35.26.112
	https://scnv.io/ONN5	Get hash	malicious	HTMLPhisher	Browse	198.35.26.112

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	Magmutual Health Insurance Benefits Open Enrollment Plan.shtml	Get hash	malicious	HTMLPhisher	Browse	23.1.237.25 20.12.23.50
	https://bafybeihcdppg5ryhs2n3ewfp4ckzj6hyqigmxo2rik6dubkr5oou4brqoi.ipfs.dweb.link/posster1.html#exeter@guidedogs.org.uk	Get hash	malicious	Unknown	Browse	23.1.237.25 20.12.23.50
	https://signinavvsamazoncom.easportingllct.online/?IjQix=FuX8s	Get hash	malicious	Unknown	Browse	23.1.237.25 20.12.23.50
	https://8798464654654.rnzja.io	Get hash	malicious	Unknown	Browse	23.1.237.25 20.12.23.50
	https://de5c3805-9477-4806-bf69-1b51e8a610b1.top/	Get hash	malicious	Unknown	Browse	23.1.237.25 20.12.23.50
	https://in.xero.com/5MuReANKObbI60DorfKRStD9wwBGASE5R7I7NlTP?utm_source=invoiceEmailViewInvoiceButton	Get hash	malicious	Unknown	Browse	23.1.237.25 20.12.23.50
	https://versed-deserted-magnolia.pages.dev/?csa=eiwargaffg&eci=Waldemar.Kramer@zehndergroup.com	Get hash	malicious	HTMLPhisher	Browse	23.1.237.25 20.12.23.50
	Global Partners 401k Retirement Plan.shtml	Get hash	malicious	HTMLPhisher	Browse	23.1.237.25 20.12.23.50
	Global Partners Insurance Benefits Open Enrollment.shtml	Get hash	malicious	HTMLPhisher	Browse	23.1.237.25 20.12.23.50
	https://r20.rs6.net/tn.jsp?f=0012tqreJE6eph5wRlz3kGypk3hqAnDM7rJCqA38KCUEB7Ix7gvB0tTv4b9sI3ZwriqkAVlcXWU0b-xKUz-_kfimMQQc_bbOCm5RF7dC1zJDo3oB5SsGGFqZxwsuE1kuEVzRCZYL9HH_uZfBt6sf4d9Bg==&c=_HnGFulQBIlacMwDFnV-bEOLappfe3SeT_hRqPOotHsW_BOIJYGdRQ==&ch=6innl8VDzOWfNz6ZiScpVnecbl_qVI3laHw7iqPvTRO-6ei6XqibBA==	Get hash	malicious	HTMLPhisher	Browse	23.1.237.25 20.12.23.50
	https://url12.mailanyone.net/scanner?m=1qz1fS-0004Yn-3h&d=4%7Cmail%2F90%2F1699046400%2F1qz1fS-0004Yn-3h%7Cin12a%7C57e1b682%7C21208867%7C12850088%7C6545654636FE57E6E57961A1A15864D3&o=%2Fphta%3A%2Fstsnnmpmio-esphy.ireosapcntrm%2Fe.okaso_%2Faonlipsannsomekd_&s=DaCKk6Yup5aSac-p0fkQtpVQ_7Y	Get hash	malicious	Unknown	Browse	23.1.237.25 20.12.23.50
	file.0xad818da36c30.0xad818ca48660.ImageSectionObject.oneetx.exe.img.exe	Get hash	malicious	Unknown	Browse	23.1.237.25 20.12.23.50
	https://1cpcc.trk.elasticemail.com/tracking/click?d=eAaG_o9dO9qe1DS1Fv_6eTyrD7ldGqE4oV_q251yJRJNffwVCosNHPvH7EOdUMWCXzWyb62d8X2LMp-nVYdVGrBcqyGoDDDgN9lhyWByD2K7XSBhr29N9nZwZJstlzeAAstp0d8wX-WRywRAAA8Z_fs1	Get hash	malicious	Phisher	Browse	23.1.237.25 20.12.23.50
	https://surveys.hotjar.com/59584473-3f99-4aa1-8923-397bb827ba32	Get hash	malicious	Unknown	Browse	23.1.237.25 20.12.23.50
	https://fgrammarly.com.discovertrade.shop/onesystems.com?fnewsystem.com=rp@emfa.pt&&rwavsbazbunfpepqqejbeysicgysmkokivwbjcykzlotbmxziw=9345204729840813482102576&?rilubvhgabkfgkrczkcittxme=93797579764026980334	Get hash	malicious	Unknown	Browse	23.1.237.25 20.12.23.50
	View_Remittance10172023.htm	Get hash	malicious	Unknown	Browse	23.1.237.25 20.12.23.50
	RFQ-10004_PTT #U30d7#U30ed#U30b8#U30a7#U30af#U30c8#U00b7pdf.vbs	Get hash	malicious	GuLoader, Remcos	Browse	23.1.237.25 20.12.23.50
	https://5aj38c.com/Rakuten/index.php	Get hash	malicious	HTMLPhisher	Browse	23.1.237.25 20.12.23.50
	http://mastermicx.online/amazon-RD292-user-card-detail-em-thank/	Get hash	malicious	Unknown	Browse	23.1.237.25 20.12.23.50
	https://japan-aoen.shop/index.php	Get hash	malicious	Unknown	Browse	23.1.237.25 20.12.23.50

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Nov 6 14:24:03 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2673
Entropy (8bit):	3.9812568445830756
Encrypted:	false
SSDEEP:	48:8Wxd2VTWdWlHfidAKZdA1FehwiZUklqehey+3:8WSjXty
MD5:	33496DB4C0D6FF3551B0503FA824FF04
SHA1:	32A6398B3BC1F7960F45133C5B419DE65DD3492E
SHA-256:	99F299A110FA77FBD910C957FB855BED1AF52C047B489AAC199477C34EBC4069
SHA-512:	8A9794EE7F41E221329FCEFB45F82C3A0EA94BF9AA659F6D3D63DD33CDE2E0F448AE1476D7A988D57435291800274880849B054410563F1763B81D4C146328F7
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....b.RF....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IfW.z....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VfW.{....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VfW.{....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VfW.{..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VfW.{...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...................C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Nov 6 14:24:03 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2675
Entropy (8bit):	3.9986469032631167
Encrypted:	false
SSDEEP:	48:82xd2VTWdWlHfidAKZdA1seh/iZUkAQkqehdy+2:82Sjh9Q0y
MD5:	B09739CBF2ED7C757B10C69E941C0500
SHA1:	8E331BAD0ED58894FE1E43BE39EFC1D02FCE0F2D
SHA-256:	D36316C1B12C4725770884DFCDDCE8FC7E66C0E25C2AF7DE19D09485479FC33B
SHA-512:	27F63EA2E3032657960D2A332657483BCCB65E49B8761744BB577285AB0EBA9679F530C205268AA811DBC3CD2727D19A17F9CED3CEC75D265799491532770F3B
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....".HF....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IfW.z....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VfW.{....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VfW.{....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VfW.{..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VfW.{...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...................C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:05:01 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2689
Entropy (8bit):	4.007910547598522
Encrypted:	false
SSDEEP:	48:8Fd2VTWdWAHfidAKZdA14meh7sFiZUkmgqeh7s7y+BX:8mjCnRy
MD5:	4AA0EADAF23D90ABA23514E4B451EE18
SHA1:	7F5DFB618DB2DF0BC0DCE80FAE3E45B53DBB06D9
SHA-256:	1EAA96B4865679CE0B3AD9216097DADC5DAC4481EE0FB578528E69A95BB0CA0F
SHA-512:	6251949078C1569275EA2FE096C8F4137E39AE7282E88DF8C2C54BEB33A969A04B97BA04FD52E5B29F83235CE9E9EB6F94E3CD01A79115764ACF033A1122BD72
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.....Y.04...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IfW.z....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VfW.{....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VfW.{....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VfW.{..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VFW.E...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...................C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Nov 6 14:24:03 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.994070880657054
Encrypted:	false
SSDEEP:	48:8pxd2VTWdWlHfidAKZdA1TehDiZUkwqehZy+R:8pSjSjy
MD5:	DE47E31861D38D7EDB5321692EC76165
SHA1:	E30E1B2F31989DE2070D85B316B2B31C4272465A
SHA-256:	2EA9F3589619B75BECD1131FBD858DE73F2CF8540D6859540FC17B02367C2A4B
SHA-512:	0F313AE6A0D47CF8419FBA9DA67C1B5F1311475F1336A52C645154FEA6D6DD23124DA0F5162EDCEC0903DFB51E4BECB237475A4DDE9924418969AE3E1EEE7DBE
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....SKCF....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IfW.z....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VfW.{....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VfW.{....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VfW.{..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VfW.{...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...................C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Nov 6 14:24:03 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.984710243314853
Encrypted:	false
SSDEEP:	48:8iXvxd2VTWdWlHfidAKZdA1dehBiZUk1W1qeh/y+C:8sSjC9fy
MD5:	1340D6C1AA3CC5B82D68ACF68C0A8E36
SHA1:	CFB08C616BCF49E07595A7AEA6C84EAD87381C1E
SHA-256:	65A441DB6028E0252E65FA861FA87ADD7742988968353B3D9878319764B038C4
SHA-512:	9BD76D73164078FDDE3D7CAAC27F8E59590557F20881770D1CA07ECD4E6E109007A23263E38190C638583ADF671A4A52F04F037D140291CAA1AC54695D81936F
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....1.LF....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IfW.z....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VfW.{....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VfW.{....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VfW.{..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VfW.{...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...................C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Nov 6 14:24:03 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	3.9974360154572284
Encrypted:	false
SSDEEP:	48:8Qxd2VTWdWlHfidAKZdA1duTeehOuTbbiZUk5OjqehOuTbRy+yT+:8QSjYTfTbxWOvTbRy7T
MD5:	D03B350400FCB2160C2B1DAC37B6EEEF
SHA1:	84B7CB9235485453C310BB0794DAA411346D422D
SHA-256:	46CBBA8198F02ED34B973F53775E187F181B2C0DEC942F19FD265EBBFA508564
SHA-512:	5DE83494A702DB27C9973E52F028E518B7ECA21FA50532B1722C4D16ABEF5608A7B5FFC73C3A6A6649EB171A4C3B9C21D3C0E42813E85278EDB10C988FB2E855
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.....z6F....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IfW.z....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VfW.{....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VfW.{....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VfW.{..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VfW.{...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...................C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Chrome Cache Entry: 68

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, comment: "Created with GIMP", progressive, precision 8, 640x400, components 3
Category:	dropped
Size (bytes):	18036
Entropy (8bit):	7.691605556136008
Encrypted:	false
SSDEEP:	384:YRT0Mz5ykl/OkhnGZLrPLp94+XlOBIsk1nnvAklG1gdBWUy2ITSz:Yl0g5yKWkhQLrt2+yIsuoklJtvz
MD5:	A54B0B7EC6B94319CBAFD286793F2C21
SHA1:	996EE6617102330D0A41DC77A9BA10119624CF58
SHA-256:	CFFDC9F7FAF495C37C4F8F032D63C4381FA434AB564BDE7652BFB6107CADF87F
SHA-512:	440CC787D7C2FDF7C0CA54FE1FE4482038797BBB030199675B6DE742F6F1FEC1343426987F4913493E716352BFC8D49145BCC226C0B866E5DBE75388461D4DEB
Malicious:	false
Reputation:	low
Preview:	......JFIF.....H.H......Created with GIMP...C.....................................#...!....).!$%'('..+.+&.#&'&...C...........&...&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&.....................................................................................................Fu.k-...<...........................h.sR.Gu.....g.W..<.`.........................6<...(..%Y..ny.l....R..CP........ ....................!L..L"P...:...MA.....=.;<.4. ..........................8:8:;.`..9)NN..px..a...).J@P.fC2..............9....................@.(.........@P.....NJfjdthq"N.SP....m...N.S#..x.'.).^..fjry.L.Jnhdvtr%....N.@.F.....B..R........\|..Wx.fi..[.{.4.t.........NS.U...\|O.....?.D...M.^..>..[.'.%v............Yuj..y.._..kV%y.SR....`ry.......e;L.C@C..\|_?...8..nz.t....Ow.....HR..S..y<?7...g.M{.}.C....:!.!.1....8}_.q..u..K....>n.h..;}?>..&s...g.9MO.v..x..C...3.5N..A..#.u!.l`...'...E.f........u....E...N^.].v...q.....i..}.S...M.@.......x.L.....k..l.^,..R.....o....s.....x.=Msa..N

Chrome Cache Entry: 69

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PNG image data, 1200 x 198, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	23997
Entropy (8bit):	7.907235227323934
Encrypted:	false
SSDEEP:	384:t8GfuV9jcmqSrSR9GU1lShD/LsaAinmB8V68B+4iSXrzSjNMJiQcgd:t8omJVbSRUU1llaAibVxXrCNYcgd
MD5:	F720AD0A8AA79B2EBBD49B4E93872921
SHA1:	4A878B192FF71EC0E291A916E2A1BF8B2C4FBDA8
SHA-256:	FE233D8742762B04463A2726537F0670548F13B9C350AD107CE3FEE0D5F3D922
SHA-512:	3CF8D6AA6C56964E5E5C7FCD2597EB944BDF4A860B4907B0353F4D3FD060C73F7E81C4E9CCD1B6F1A05A011B828879C5D903A1E3A85C2427DEB3EB5CC10A9E82
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR...............y.....gAMA......a.... cHRM..z&..............u0...`..:....p..Q<....bKGD.......C......pHYs...#...#.x.?v....tIME...........\.IDATx...w.]U....Lz/.N...&5 M)bE......e/(v...........t.B..@B ..^....=2..df.>.{...<.....w....k.."""""""""""""""""".5u..c..c.......j.L.....0ur{...w0....s..................)........^j...._.&o....\..A..<...9.r5.......H1......G......9...Ss...e&.......Hy....(.'O...3:'.:'"""""""..z5............X""""""""Rh.`........H.).%""""""""...............X""""""""Rh.`........H.).%""""""""...............X""""""""Rh.`........H.).%""""""""...............X""""""""Rh.`........H.).%""""""""...............X""""""""Rh.`........H.).%""""""""...............X""""""""Rh.`........H.).%""""""""...............X""""""""Rh...""""""oef}... ........o..........:...H..`.......f........l...F.C.`.V.....K...kf.".....,..V......DDDDD.f.Y..5.6....M...<T.`...k...........DD.H.,......9f....x.p....3..gtm.....H.(.%"""""5....g.....f..U.Z]D.4.`.....HM.5...\|..s.].ED..X"".

Chrome Cache Entry: 70

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	RIFF (little-endian) data, Web/P image
Category:	downloaded
Size (bytes):	11832
Entropy (8bit):	7.97271771037361
Encrypted:	false
SSDEEP:	192:8SeBrnxzoQyyVNd8MDcpS1By204tJgQbhMHCX6SV2OSH4/jPZncxZNe0y7SlKI3K:8rBdoQ/HM+y204MQ+HzSVsH4Lhnc/408
MD5:	094A88C4BF3CCD448A7F621913EA67C1
SHA1:	4BB99CBE889CE877BF00D814DC5AA0D1C32596F3
SHA-256:	4EC4086BA7EB12AFA46C5C392F30EF15376AAFB91372F24EDCBC4F0CF8E1E571
SHA-512:	0405E8EE645ADDC5D9209900C9019A168D7389EA505DBE9E4D714132180362A111C3F25A3F7E088AA4749D42AF8C586343E49261A6E4A3F0936B902BC2267DCC
Malicious:	false
Reputation:	low
URL:	https://upload.wikimedia.org/wikipedia/commons/thumb/8/85/Microsoft_365_logo.png/1200px-Microsoft_365_logo.png
Preview:	RIFF0...WEBPVP8L#.../.D1.5.....?.{.....7..t.Y5i.)uB.;..7Z.j..UD#..4.F..N..")..'.x.F.k.U.1:>j..3....V@I...%.LT....}4.P.E..-^.#.n.q!. .T...KH@.#xo.....6.m'S6;.m..d..t..N.v........)....\|.....~.....9Z./W.I.X#.:$.X#Y..ce<...2.H...$#+.I..2.....V..$YW+..H..!#..I.X...H..$#.....Y.a%IF..%YYce<..dd$.!#..+YY#.:.$c.$.n%+.I.].d.$.5.H.0.."$..f...m.......m.L....Wk&)&5'.v..Z...#..Z..0;.N....h:..;uV}.~.V......s.y..v0'v..C....:..}....wr.~...;....o.7...........2....X$..1O.......)1....-.4{.0.........;.V.V..4..?.0.f.l.....p.E..d..$L.9..v..$`6..H2../..8... a...YH.g..3W...<..l.BU.,6.}$Q...iN....4E..Ms.l6..iJU=f..>.....4F.;v..x..U.`nl...4.Jv..=.JY7..VUg.........T..X,().&7L..^g.....W...\...V.^....X...LW3y.<.j...=".....aW,.;..N.tV.`..".md..M...........%Cu..}M....L]....c.-c...(.N...WT<...uV.b..b(...Z5..+.!&.6V...l..x...25...8...g...,.].*..u..&.cL.@.^.b.kc..2`c.;.\|v...ID{.t6.%1c8+..nJ..a.&...De.e@c.t.q....d..w..9.Q.bS.U1..X.[..F..ylS..-.B.q.].".+.L.K.J...L.l.8.?...{

Chrome Cache Entry: 71

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, comment: "Created with GIMP", progressive, precision 8, 640x400, components 3
Category:	downloaded
Size (bytes):	18036
Entropy (8bit):	7.691605556136008
Encrypted:	false
SSDEEP:	384:YRT0Mz5ykl/OkhnGZLrPLp94+XlOBIsk1nnvAklG1gdBWUy2ITSz:Yl0g5yKWkhQLrt2+yIsuoklJtvz
MD5:	A54B0B7EC6B94319CBAFD286793F2C21
SHA1:	996EE6617102330D0A41DC77A9BA10119624CF58
SHA-256:	CFFDC9F7FAF495C37C4F8F032D63C4381FA434AB564BDE7652BFB6107CADF87F
SHA-512:	440CC787D7C2FDF7C0CA54FE1FE4482038797BBB030199675B6DE742F6F1FEC1343426987F4913493E716352BFC8D49145BCC226C0B866E5DBE75388461D4DEB
Malicious:	false
Reputation:	low
URL:	https://dfshultzblog.files.wordpress.com/2018/02/publication_spreadsheet_screenshot_blurred.jpg
Preview:	......JFIF.....H.H......Created with GIMP...C.....................................#...!....).!$%'('..+.+&.#&'&...C...........&...&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&.....................................................................................................Fu.k-...<...........................h.sR.Gu.....g.W..<.`.........................6<...(..%Y..ny.l....R..CP........ ....................!L..L"P...:...MA.....=.;<.4. ..........................8:8:;.`..9)NN..px..a...).J@P.fC2..............9....................@.(.........@P.....NJfjdthq"N.SP....m...N.S#..x.'.).^..fjry.L.Jnhdvtr%....N.@.F.....B..R........\|..Wx.fi..[.{.4.t.........NS.U...\|O.....?.D...M.^..>..[.'.%v............Yuj..y.._..kV%y.SR....`ry.......e;L.C@C..\|_?...8..nz.t....Ow.....HR..S..y<?7...g.M{.}.C....:!.!.1....8}_.q..u..K....>n.h..;}?>..&s...g.9MO.v..x..C...3.5N..A..#.u!.l`...'...E.f........u....E...N^.].v...q.....i..}.S...M.@.......x.L.....k..l.^,..R.....o....s.....x.=Msa..N

Static File Info

General

File type:	HTML document, ASCII text, with CRLF line terminators
Entropy (8bit):	4.641222205421066
TrID:	HyperText Markup Language (15015/1) 24.41% HyperText Markup Language with DOCTYPE (12503/2) 20.32% HyperText Markup Language (11501/1) 18.69% HyperText Markup Language (11501/1) 18.69% HyperText Markup Language (11001/1) 17.88%
File name:	Remittance Advice B9623.HTML
File size:	2'794 bytes
MD5:	44a8ea27fc7849ee92442112d1f12de3
SHA1:	4c99958b4bcb9b89d433197f41f0d16f4b6737f1
SHA256:	a116b3362f5b8c0ff155e65ff314231c36beef5d620e4db28eaa3a01a71679b0
SHA512:	718fb3cbfe92d0ffb2f3cffa8deaf84b96ef7d0e3588193764049663fb0fd715765582b0fdb2ad2d8ace96341e3a133c4739504b1f9c46a474feeb6fd45b1434
SSDEEP:	48:t3QL5bF79G8LQj8H81uy3YF0OHv49rO0D2WD7cXRcwDzxg1f6aA7M:CbF7K2vv49NPG9Dzx0IM
TLSH:	C351421985851D4BB03392B46BB24548F78F416343024A683BED72A69FBAAD480B36DC
File Content Preview:	<!DOCTYPE html>..<html lang="en">..<head>.. <meta charset="UTF-8">.. <meta name="viewport" content="width=device-width, initial-scale=1.0">.. <title>Login Page</title>.. <style>.. body {.. margin: 0;.. padding: 0;.

File Icon


Icon Hash:	173149cccc490307

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 144
• 443 (HTTPS)
• 80 (HTTP)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 6, 2023 16:24:01.086509943 CET	443	49703	23.1.237.25	192.168.2.16
Nov 6, 2023 16:24:01.086721897 CET	49703	443	192.168.2.16	23.1.237.25
Nov 6, 2023 16:24:02.343302965 CET	49715	443	192.168.2.16	142.251.33.78
Nov 6, 2023 16:24:02.343339920 CET	443	49715	142.251.33.78	192.168.2.16
Nov 6, 2023 16:24:02.343415022 CET	49715	443	192.168.2.16	142.251.33.78
Nov 6, 2023 16:24:02.343808889 CET	49716	443	192.168.2.16	142.251.33.109
Nov 6, 2023 16:24:02.343848944 CET	443	49716	142.251.33.109	192.168.2.16
Nov 6, 2023 16:24:02.343903065 CET	49716	443	192.168.2.16	142.251.33.109
Nov 6, 2023 16:24:02.344245911 CET	49715	443	192.168.2.16	142.251.33.78
Nov 6, 2023 16:24:02.344264030 CET	443	49715	142.251.33.78	192.168.2.16
Nov 6, 2023 16:24:02.344468117 CET	49716	443	192.168.2.16	142.251.33.109
Nov 6, 2023 16:24:02.344481945 CET	443	49716	142.251.33.109	192.168.2.16
Nov 6, 2023 16:24:02.442787886 CET	49717	443	192.168.2.16	192.0.72.26
Nov 6, 2023 16:24:02.442830086 CET	443	49717	192.0.72.26	192.168.2.16
Nov 6, 2023 16:24:02.442883968 CET	49717	443	192.168.2.16	192.0.72.26
Nov 6, 2023 16:24:02.443279028 CET	49718	443	192.168.2.16	198.35.26.112
Nov 6, 2023 16:24:02.443340063 CET	443	49718	198.35.26.112	192.168.2.16
Nov 6, 2023 16:24:02.443419933 CET	49718	443	192.168.2.16	198.35.26.112
Nov 6, 2023 16:24:02.443609953 CET	49717	443	192.168.2.16	192.0.72.26
Nov 6, 2023 16:24:02.443646908 CET	443	49717	192.0.72.26	192.168.2.16
Nov 6, 2023 16:24:02.443881035 CET	49718	443	192.168.2.16	198.35.26.112
Nov 6, 2023 16:24:02.443906069 CET	443	49718	198.35.26.112	192.168.2.16
Nov 6, 2023 16:24:02.508347988 CET	49719	443	192.168.2.16	198.35.26.112
Nov 6, 2023 16:24:02.508425951 CET	443	49719	198.35.26.112	192.168.2.16
Nov 6, 2023 16:24:02.508564949 CET	49719	443	192.168.2.16	198.35.26.112
Nov 6, 2023 16:24:02.508939028 CET	49720	443	192.168.2.16	192.0.72.26
Nov 6, 2023 16:24:02.508966923 CET	443	49720	192.0.72.26	192.168.2.16
Nov 6, 2023 16:24:02.509016991 CET	49720	443	192.168.2.16	192.0.72.26
Nov 6, 2023 16:24:02.509166956 CET	49719	443	192.168.2.16	198.35.26.112
Nov 6, 2023 16:24:02.509202003 CET	443	49719	198.35.26.112	192.168.2.16
Nov 6, 2023 16:24:02.509330034 CET	49720	443	192.168.2.16	192.0.72.26
Nov 6, 2023 16:24:02.509352922 CET	443	49720	192.0.72.26	192.168.2.16
Nov 6, 2023 16:24:02.684462070 CET	443	49715	142.251.33.78	192.168.2.16
Nov 6, 2023 16:24:02.684715986 CET	49715	443	192.168.2.16	142.251.33.78
Nov 6, 2023 16:24:02.684762001 CET	443	49715	142.251.33.78	192.168.2.16
Nov 6, 2023 16:24:02.685039043 CET	443	49715	142.251.33.78	192.168.2.16
Nov 6, 2023 16:24:02.685106039 CET	49715	443	192.168.2.16	142.251.33.78
Nov 6, 2023 16:24:02.685869932 CET	443	49715	142.251.33.78	192.168.2.16
Nov 6, 2023 16:24:02.685921907 CET	49715	443	192.168.2.16	142.251.33.78
Nov 6, 2023 16:24:02.686863899 CET	49715	443	192.168.2.16	142.251.33.78
Nov 6, 2023 16:24:02.686919928 CET	443	49715	142.251.33.78	192.168.2.16
Nov 6, 2023 16:24:02.687037945 CET	49715	443	192.168.2.16	142.251.33.78
Nov 6, 2023 16:24:02.687050104 CET	443	49715	142.251.33.78	192.168.2.16
Nov 6, 2023 16:24:02.690160036 CET	443	49716	142.251.33.109	192.168.2.16
Nov 6, 2023 16:24:02.690345049 CET	49716	443	192.168.2.16	142.251.33.109
Nov 6, 2023 16:24:02.690356970 CET	443	49716	142.251.33.109	192.168.2.16
Nov 6, 2023 16:24:02.691212893 CET	443	49716	142.251.33.109	192.168.2.16
Nov 6, 2023 16:24:02.691268921 CET	49716	443	192.168.2.16	142.251.33.109
Nov 6, 2023 16:24:02.691998959 CET	49716	443	192.168.2.16	142.251.33.109
Nov 6, 2023 16:24:02.692058086 CET	443	49716	142.251.33.109	192.168.2.16
Nov 6, 2023 16:24:02.692150116 CET	49716	443	192.168.2.16	142.251.33.109
Nov 6, 2023 16:24:02.692161083 CET	443	49716	142.251.33.109	192.168.2.16
Nov 6, 2023 16:24:02.730467081 CET	49715	443	192.168.2.16	142.251.33.78
Nov 6, 2023 16:24:02.746423960 CET	49716	443	192.168.2.16	142.251.33.109
Nov 6, 2023 16:24:02.771981955 CET	443	49717	192.0.72.26	192.168.2.16
Nov 6, 2023 16:24:02.772237062 CET	49717	443	192.168.2.16	192.0.72.26
Nov 6, 2023 16:24:02.772260904 CET	443	49717	192.0.72.26	192.168.2.16
Nov 6, 2023 16:24:02.773699999 CET	443	49717	192.0.72.26	192.168.2.16
Nov 6, 2023 16:24:02.773767948 CET	49717	443	192.168.2.16	192.0.72.26
Nov 6, 2023 16:24:02.774835110 CET	49717	443	192.168.2.16	192.0.72.26
Nov 6, 2023 16:24:02.774919033 CET	443	49717	192.0.72.26	192.168.2.16
Nov 6, 2023 16:24:02.775146961 CET	49717	443	192.168.2.16	192.0.72.26
Nov 6, 2023 16:24:02.775155067 CET	443	49717	192.0.72.26	192.168.2.16
Nov 6, 2023 16:24:02.809467077 CET	443	49718	198.35.26.112	192.168.2.16
Nov 6, 2023 16:24:02.809729099 CET	49718	443	192.168.2.16	198.35.26.112
Nov 6, 2023 16:24:02.809787989 CET	443	49718	198.35.26.112	192.168.2.16
Nov 6, 2023 16:24:02.810704947 CET	443	49718	198.35.26.112	192.168.2.16
Nov 6, 2023 16:24:02.810784101 CET	49718	443	192.168.2.16	198.35.26.112
Nov 6, 2023 16:24:02.810801029 CET	443	49718	198.35.26.112	192.168.2.16
Nov 6, 2023 16:24:02.810847998 CET	49718	443	192.168.2.16	198.35.26.112
Nov 6, 2023 16:24:02.811866999 CET	49718	443	192.168.2.16	198.35.26.112
Nov 6, 2023 16:24:02.811928988 CET	443	49718	198.35.26.112	192.168.2.16
Nov 6, 2023 16:24:02.812036991 CET	49718	443	192.168.2.16	198.35.26.112
Nov 6, 2023 16:24:02.812050104 CET	443	49718	198.35.26.112	192.168.2.16
Nov 6, 2023 16:24:02.825422049 CET	49717	443	192.168.2.16	192.0.72.26
Nov 6, 2023 16:24:02.844779968 CET	443	49720	192.0.72.26	192.168.2.16
Nov 6, 2023 16:24:02.845071077 CET	49720	443	192.168.2.16	192.0.72.26
Nov 6, 2023 16:24:02.845087051 CET	443	49720	192.0.72.26	192.168.2.16
Nov 6, 2023 16:24:02.846577883 CET	443	49720	192.0.72.26	192.168.2.16
Nov 6, 2023 16:24:02.846656084 CET	49720	443	192.168.2.16	192.0.72.26
Nov 6, 2023 16:24:02.846972942 CET	49720	443	192.168.2.16	192.0.72.26
Nov 6, 2023 16:24:02.847070932 CET	443	49720	192.0.72.26	192.168.2.16
Nov 6, 2023 16:24:02.857451916 CET	49718	443	192.168.2.16	198.35.26.112
Nov 6, 2023 16:24:02.881237984 CET	443	49719	198.35.26.112	192.168.2.16
Nov 6, 2023 16:24:02.881607056 CET	49719	443	192.168.2.16	198.35.26.112
Nov 6, 2023 16:24:02.881669998 CET	443	49719	198.35.26.112	192.168.2.16
Nov 6, 2023 16:24:02.882555962 CET	443	49719	198.35.26.112	192.168.2.16
Nov 6, 2023 16:24:02.882631063 CET	49719	443	192.168.2.16	198.35.26.112
Nov 6, 2023 16:24:02.882652998 CET	443	49719	198.35.26.112	192.168.2.16
Nov 6, 2023 16:24:02.882709026 CET	49719	443	192.168.2.16	198.35.26.112
Nov 6, 2023 16:24:02.882951975 CET	49719	443	192.168.2.16	198.35.26.112
Nov 6, 2023 16:24:02.883016109 CET	443	49719	198.35.26.112	192.168.2.16
Nov 6, 2023 16:24:02.889431953 CET	49720	443	192.168.2.16	192.0.72.26
Nov 6, 2023 16:24:02.889458895 CET	443	49720	192.0.72.26	192.168.2.16
Nov 6, 2023 16:24:02.936450958 CET	49720	443	192.168.2.16	192.0.72.26
Nov 6, 2023 16:24:02.936466932 CET	49719	443	192.168.2.16	198.35.26.112
Nov 6, 2023 16:24:02.936528921 CET	443	49719	198.35.26.112	192.168.2.16
Nov 6, 2023 16:24:02.984602928 CET	49719	443	192.168.2.16	198.35.26.112
Nov 6, 2023 16:24:03.001530886 CET	443	49715	142.251.33.78	192.168.2.16
Nov 6, 2023 16:24:03.001652956 CET	443	49715	142.251.33.78	192.168.2.16
Nov 6, 2023 16:24:03.001714945 CET	49715	443	192.168.2.16	142.251.33.78
Nov 6, 2023 16:24:03.002232075 CET	49715	443	192.168.2.16	142.251.33.78
Nov 6, 2023 16:24:03.002252102 CET	443	49715	142.251.33.78	192.168.2.16
Nov 6, 2023 16:24:03.012799025 CET	443	49716	142.251.33.109	192.168.2.16
Nov 6, 2023 16:24:03.012909889 CET	443	49716	142.251.33.109	192.168.2.16
Nov 6, 2023 16:24:03.012968063 CET	49716	443	192.168.2.16	142.251.33.109
Nov 6, 2023 16:24:03.013981104 CET	49716	443	192.168.2.16	142.251.33.109
Nov 6, 2023 16:24:03.013998985 CET	443	49716	142.251.33.109	192.168.2.16
Nov 6, 2023 16:24:03.067945957 CET	443	49717	192.0.72.26	192.168.2.16
Nov 6, 2023 16:24:03.068026066 CET	443	49717	192.0.72.26	192.168.2.16
Nov 6, 2023 16:24:03.068079948 CET	49717	443	192.168.2.16	192.0.72.26
Nov 6, 2023 16:24:03.068084002 CET	443	49717	192.0.72.26	192.168.2.16
Nov 6, 2023 16:24:03.068125963 CET	49717	443	192.168.2.16	192.0.72.26
Nov 6, 2023 16:24:03.068135023 CET	443	49717	192.0.72.26	192.168.2.16
Nov 6, 2023 16:24:03.068180084 CET	49717	443	192.168.2.16	192.0.72.26
Nov 6, 2023 16:24:03.068186998 CET	443	49717	192.0.72.26	192.168.2.16
Nov 6, 2023 16:24:03.109225035 CET	443	49717	192.0.72.26	192.168.2.16
Nov 6, 2023 16:24:03.109427929 CET	49717	443	192.168.2.16	192.0.72.26
Nov 6, 2023 16:24:03.109450102 CET	443	49717	192.0.72.26	192.168.2.16
Nov 6, 2023 16:24:03.159418106 CET	49717	443	192.168.2.16	192.0.72.26
Nov 6, 2023 16:24:03.201633930 CET	443	49718	198.35.26.112	192.168.2.16
Nov 6, 2023 16:24:03.201651096 CET	443	49718	198.35.26.112	192.168.2.16
Nov 6, 2023 16:24:03.201678038 CET	443	49718	198.35.26.112	192.168.2.16
Nov 6, 2023 16:24:03.201692104 CET	443	49718	198.35.26.112	192.168.2.16
Nov 6, 2023 16:24:03.201704979 CET	49718	443	192.168.2.16	198.35.26.112
Nov 6, 2023 16:24:03.201721907 CET	443	49718	198.35.26.112	192.168.2.16
Nov 6, 2023 16:24:03.201735973 CET	49718	443	192.168.2.16	198.35.26.112
Nov 6, 2023 16:24:03.201741934 CET	443	49718	198.35.26.112	192.168.2.16
Nov 6, 2023 16:24:03.201795101 CET	49718	443	192.168.2.16	198.35.26.112
Nov 6, 2023 16:24:03.202635050 CET	49718	443	192.168.2.16	198.35.26.112
Nov 6, 2023 16:24:03.202647924 CET	443	49718	198.35.26.112	192.168.2.16
Nov 6, 2023 16:24:03.219850063 CET	443	49717	192.0.72.26	192.168.2.16
Nov 6, 2023 16:24:03.219909906 CET	443	49717	192.0.72.26	192.168.2.16
Nov 6, 2023 16:24:03.219937086 CET	443	49717	192.0.72.26	192.168.2.16
Nov 6, 2023 16:24:03.219960928 CET	49717	443	192.168.2.16	192.0.72.26
Nov 6, 2023 16:24:03.219975948 CET	443	49717	192.0.72.26	192.168.2.16
Nov 6, 2023 16:24:03.220024109 CET	49717	443	192.168.2.16	192.0.72.26
Nov 6, 2023 16:24:03.225866079 CET	443	49717	192.0.72.26	192.168.2.16
Nov 6, 2023 16:24:03.225987911 CET	443	49717	192.0.72.26	192.168.2.16
Nov 6, 2023 16:24:03.226036072 CET	49717	443	192.168.2.16	192.0.72.26
Nov 6, 2023 16:24:03.226275921 CET	49717	443	192.168.2.16	192.0.72.26
Nov 6, 2023 16:24:03.226289988 CET	443	49717	192.0.72.26	192.168.2.16
Nov 6, 2023 16:24:03.362495899 CET	49722	443	192.168.2.16	198.35.26.112
Nov 6, 2023 16:24:03.362544060 CET	443	49722	198.35.26.112	192.168.2.16
Nov 6, 2023 16:24:03.362622023 CET	49722	443	192.168.2.16	198.35.26.112
Nov 6, 2023 16:24:03.362891912 CET	49722	443	192.168.2.16	198.35.26.112
Nov 6, 2023 16:24:03.362904072 CET	443	49722	198.35.26.112	192.168.2.16
Nov 6, 2023 16:24:03.390909910 CET	49723	443	192.168.2.16	192.0.72.26
Nov 6, 2023 16:24:03.390994072 CET	443	49723	192.0.72.26	192.168.2.16
Nov 6, 2023 16:24:03.391073942 CET	49723	443	192.168.2.16	192.0.72.26
Nov 6, 2023 16:24:03.391489029 CET	49723	443	192.168.2.16	192.0.72.26
Nov 6, 2023 16:24:03.391525030 CET	443	49723	192.0.72.26	192.168.2.16
Nov 6, 2023 16:24:03.472510099 CET	80	49751	72.21.81.240	192.168.2.16
Nov 6, 2023 16:24:03.472596884 CET	49751	80	192.168.2.16	72.21.81.240
Nov 6, 2023 16:24:03.532059908 CET	80	49750	72.21.81.240	192.168.2.16
Nov 6, 2023 16:24:03.532231092 CET	49750	80	192.168.2.16	72.21.81.240
Nov 6, 2023 16:24:03.699986935 CET	443	49723	192.0.72.26	192.168.2.16
Nov 6, 2023 16:24:03.700269938 CET	49723	443	192.168.2.16	192.0.72.26
Nov 6, 2023 16:24:03.700326920 CET	443	49723	192.0.72.26	192.168.2.16
Nov 6, 2023 16:24:03.701108932 CET	443	49723	192.0.72.26	192.168.2.16
Nov 6, 2023 16:24:03.701196909 CET	49723	443	192.168.2.16	192.0.72.26
Nov 6, 2023 16:24:03.701488972 CET	49723	443	192.168.2.16	192.0.72.26
Nov 6, 2023 16:24:03.701539040 CET	443	49723	192.0.72.26	192.168.2.16
Nov 6, 2023 16:24:03.701690912 CET	49723	443	192.168.2.16	192.0.72.26
Nov 6, 2023 16:24:03.701698065 CET	443	49723	192.0.72.26	192.168.2.16
Nov 6, 2023 16:24:03.714375019 CET	443	49722	198.35.26.112	192.168.2.16
Nov 6, 2023 16:24:03.714663029 CET	49722	443	192.168.2.16	198.35.26.112
Nov 6, 2023 16:24:03.714694977 CET	443	49722	198.35.26.112	192.168.2.16
Nov 6, 2023 16:24:03.716147900 CET	443	49722	198.35.26.112	192.168.2.16
Nov 6, 2023 16:24:03.716218948 CET	49722	443	192.168.2.16	198.35.26.112
Nov 6, 2023 16:24:03.716228962 CET	443	49722	198.35.26.112	192.168.2.16
Nov 6, 2023 16:24:03.716286898 CET	49722	443	192.168.2.16	198.35.26.112
Nov 6, 2023 16:24:03.717123032 CET	49722	443	192.168.2.16	198.35.26.112
Nov 6, 2023 16:24:03.717205048 CET	443	49722	198.35.26.112	192.168.2.16
Nov 6, 2023 16:24:03.717255116 CET	49722	443	192.168.2.16	198.35.26.112
Nov 6, 2023 16:24:03.748697042 CET	49723	443	192.168.2.16	192.0.72.26
Nov 6, 2023 16:24:03.761262894 CET	443	49722	198.35.26.112	192.168.2.16
Nov 6, 2023 16:24:03.764667034 CET	49722	443	192.168.2.16	198.35.26.112
Nov 6, 2023 16:24:03.764698982 CET	443	49722	198.35.26.112	192.168.2.16
Nov 6, 2023 16:24:03.812565088 CET	49722	443	192.168.2.16	198.35.26.112
Nov 6, 2023 16:24:04.004045963 CET	443	49723	192.0.72.26	192.168.2.16
Nov 6, 2023 16:24:04.004170895 CET	443	49723	192.0.72.26	192.168.2.16
Nov 6, 2023 16:24:04.004235983 CET	49723	443	192.168.2.16	192.0.72.26
Nov 6, 2023 16:24:04.004260063 CET	443	49723	192.0.72.26	192.168.2.16
Nov 6, 2023 16:24:04.004287958 CET	443	49723	192.0.72.26	192.168.2.16
Nov 6, 2023 16:24:04.004338980 CET	49723	443	192.168.2.16	192.0.72.26
Nov 6, 2023 16:24:04.004370928 CET	443	49723	192.0.72.26	192.168.2.16
Nov 6, 2023 16:24:04.004504919 CET	443	49723	192.0.72.26	192.168.2.16
Nov 6, 2023 16:24:04.004549980 CET	49723	443	192.168.2.16	192.0.72.26
Nov 6, 2023 16:24:04.004563093 CET	443	49723	192.0.72.26	192.168.2.16
Nov 6, 2023 16:24:04.045414925 CET	443	49723	192.0.72.26	192.168.2.16
Nov 6, 2023 16:24:04.045485020 CET	49723	443	192.168.2.16	192.0.72.26
Nov 6, 2023 16:24:04.045505047 CET	443	49723	192.0.72.26	192.168.2.16
Nov 6, 2023 16:24:04.094450951 CET	49723	443	192.168.2.16	192.0.72.26
Nov 6, 2023 16:24:04.105793953 CET	443	49722	198.35.26.112	192.168.2.16
Nov 6, 2023 16:24:04.105828047 CET	443	49722	198.35.26.112	192.168.2.16
Nov 6, 2023 16:24:04.105863094 CET	443	49722	198.35.26.112	192.168.2.16
Nov 6, 2023 16:24:04.105880022 CET	443	49722	198.35.26.112	192.168.2.16
Nov 6, 2023 16:24:04.105889082 CET	443	49722	198.35.26.112	192.168.2.16
Nov 6, 2023 16:24:04.105916023 CET	443	49722	198.35.26.112	192.168.2.16
Nov 6, 2023 16:24:04.106019020 CET	49722	443	192.168.2.16	198.35.26.112
Nov 6, 2023 16:24:04.106019020 CET	49722	443	192.168.2.16	198.35.26.112
Nov 6, 2023 16:24:04.106019020 CET	49722	443	192.168.2.16	198.35.26.112
Nov 6, 2023 16:24:04.106064081 CET	443	49722	198.35.26.112	192.168.2.16
Nov 6, 2023 16:24:04.155972958 CET	443	49723	192.0.72.26	192.168.2.16
Nov 6, 2023 16:24:04.156156063 CET	443	49723	192.0.72.26	192.168.2.16
Nov 6, 2023 16:24:04.156214952 CET	49723	443	192.168.2.16	192.0.72.26
Nov 6, 2023 16:24:04.156219959 CET	443	49723	192.0.72.26	192.168.2.16
Nov 6, 2023 16:24:04.156281948 CET	443	49723	192.0.72.26	192.168.2.16
Nov 6, 2023 16:24:04.156332016 CET	49723	443	192.168.2.16	192.0.72.26
Nov 6, 2023 16:24:04.158557892 CET	49722	443	192.168.2.16	198.35.26.112
Nov 6, 2023 16:24:04.161729097 CET	443	49723	192.0.72.26	192.168.2.16
Nov 6, 2023 16:24:04.161959887 CET	443	49723	192.0.72.26	192.168.2.16
Nov 6, 2023 16:24:04.162030935 CET	49723	443	192.168.2.16	192.0.72.26
Nov 6, 2023 16:24:04.162451982 CET	49723	443	192.168.2.16	192.0.72.26
Nov 6, 2023 16:24:04.162482023 CET	443	49723	192.0.72.26	192.168.2.16
Nov 6, 2023 16:24:04.235713005 CET	443	49722	198.35.26.112	192.168.2.16
Nov 6, 2023 16:24:04.235729933 CET	443	49722	198.35.26.112	192.168.2.16
Nov 6, 2023 16:24:04.235760927 CET	443	49722	198.35.26.112	192.168.2.16
Nov 6, 2023 16:24:04.235852003 CET	49722	443	192.168.2.16	198.35.26.112
Nov 6, 2023 16:24:04.235866070 CET	443	49722	198.35.26.112	192.168.2.16
Nov 6, 2023 16:24:04.235925913 CET	49722	443	192.168.2.16	198.35.26.112
Nov 6, 2023 16:24:04.246248960 CET	49722	443	192.168.2.16	198.35.26.112
Nov 6, 2023 16:24:04.246289015 CET	443	49722	198.35.26.112	192.168.2.16
Nov 6, 2023 16:24:04.446532011 CET	80	49755	72.21.81.240	192.168.2.16
Nov 6, 2023 16:24:04.446604967 CET	49755	80	192.168.2.16	72.21.81.240
Nov 6, 2023 16:24:04.696604967 CET	49673	443	192.168.2.16	23.1.237.25
Nov 6, 2023 16:24:04.696685076 CET	49674	443	192.168.2.16	23.1.237.25
Nov 6, 2023 16:24:04.821472883 CET	80	49756	72.21.81.240	192.168.2.16
Nov 6, 2023 16:24:04.821624041 CET	49756	80	192.168.2.16	72.21.81.240
Nov 6, 2023 16:24:05.094449997 CET	49672	443	192.168.2.16	23.1.237.25
Nov 6, 2023 16:24:06.783170938 CET	49726	443	192.168.2.16	142.251.33.100
Nov 6, 2023 16:24:06.783261061 CET	443	49726	142.251.33.100	192.168.2.16
Nov 6, 2023 16:24:06.783344984 CET	49726	443	192.168.2.16	142.251.33.100
Nov 6, 2023 16:24:06.783576012 CET	49726	443	192.168.2.16	142.251.33.100
Nov 6, 2023 16:24:06.783617020 CET	443	49726	142.251.33.100	192.168.2.16
Nov 6, 2023 16:24:07.106158018 CET	443	49726	142.251.33.100	192.168.2.16
Nov 6, 2023 16:24:07.106651068 CET	49726	443	192.168.2.16	142.251.33.100
Nov 6, 2023 16:24:07.106678009 CET	443	49726	142.251.33.100	192.168.2.16
Nov 6, 2023 16:24:07.107856035 CET	443	49726	142.251.33.100	192.168.2.16
Nov 6, 2023 16:24:07.107949018 CET	49726	443	192.168.2.16	142.251.33.100
Nov 6, 2023 16:24:07.109253883 CET	49726	443	192.168.2.16	142.251.33.100
Nov 6, 2023 16:24:07.109311104 CET	443	49726	142.251.33.100	192.168.2.16
Nov 6, 2023 16:24:07.154445887 CET	49726	443	192.168.2.16	142.251.33.100
Nov 6, 2023 16:24:07.154464006 CET	443	49726	142.251.33.100	192.168.2.16
Nov 6, 2023 16:24:07.202461958 CET	49726	443	192.168.2.16	142.251.33.100
Nov 6, 2023 16:24:15.278381109 CET	49727	443	192.168.2.16	20.12.23.50
Nov 6, 2023 16:24:15.278476954 CET	443	49727	20.12.23.50	192.168.2.16
Nov 6, 2023 16:24:15.278588057 CET	49727	443	192.168.2.16	20.12.23.50
Nov 6, 2023 16:24:15.281342030 CET	49727	443	192.168.2.16	20.12.23.50
Nov 6, 2023 16:24:15.281371117 CET	443	49727	20.12.23.50	192.168.2.16
Nov 6, 2023 16:24:15.762371063 CET	49703	443	192.168.2.16	23.1.237.25
Nov 6, 2023 16:24:15.944436073 CET	443	49703	23.1.237.25	192.168.2.16
Nov 6, 2023 16:24:15.949398041 CET	443	49703	23.1.237.25	192.168.2.16
Nov 6, 2023 16:24:15.949446917 CET	443	49703	23.1.237.25	192.168.2.16
Nov 6, 2023 16:24:15.949484110 CET	443	49703	23.1.237.25	192.168.2.16
Nov 6, 2023 16:24:15.949511051 CET	49703	443	192.168.2.16	23.1.237.25
Nov 6, 2023 16:24:15.949522972 CET	443	49703	23.1.237.25	192.168.2.16
Nov 6, 2023 16:24:15.949543953 CET	49703	443	192.168.2.16	23.1.237.25
Nov 6, 2023 16:24:15.949579000 CET	49703	443	192.168.2.16	23.1.237.25
Nov 6, 2023 16:24:15.960709095 CET	443	49727	20.12.23.50	192.168.2.16
Nov 6, 2023 16:24:15.960794926 CET	49727	443	192.168.2.16	20.12.23.50
Nov 6, 2023 16:24:15.963246107 CET	49727	443	192.168.2.16	20.12.23.50
Nov 6, 2023 16:24:15.963262081 CET	443	49727	20.12.23.50	192.168.2.16
Nov 6, 2023 16:24:15.963490963 CET	443	49727	20.12.23.50	192.168.2.16
Nov 6, 2023 16:24:16.006230116 CET	49727	443	192.168.2.16	20.12.23.50
Nov 6, 2023 16:24:16.463404894 CET	49727	443	192.168.2.16	20.12.23.50
Nov 6, 2023 16:24:16.509285927 CET	443	49727	20.12.23.50	192.168.2.16
Nov 6, 2023 16:24:16.904261112 CET	443	49727	20.12.23.50	192.168.2.16
Nov 6, 2023 16:24:16.904325008 CET	443	49727	20.12.23.50	192.168.2.16
Nov 6, 2023 16:24:16.904345036 CET	443	49727	20.12.23.50	192.168.2.16
Nov 6, 2023 16:24:16.904383898 CET	443	49727	20.12.23.50	192.168.2.16
Nov 6, 2023 16:24:16.904417992 CET	443	49727	20.12.23.50	192.168.2.16
Nov 6, 2023 16:24:16.904522896 CET	49727	443	192.168.2.16	20.12.23.50
Nov 6, 2023 16:24:16.904522896 CET	49727	443	192.168.2.16	20.12.23.50
Nov 6, 2023 16:24:16.904522896 CET	49727	443	192.168.2.16	20.12.23.50
Nov 6, 2023 16:24:16.904593945 CET	443	49727	20.12.23.50	192.168.2.16
Nov 6, 2023 16:24:16.904635906 CET	443	49727	20.12.23.50	192.168.2.16
Nov 6, 2023 16:24:16.904757023 CET	443	49727	20.12.23.50	192.168.2.16
Nov 6, 2023 16:24:16.905013084 CET	49727	443	192.168.2.16	20.12.23.50
Nov 6, 2023 16:24:17.120258093 CET	443	49726	142.251.33.100	192.168.2.16
Nov 6, 2023 16:24:17.120327950 CET	443	49726	142.251.33.100	192.168.2.16
Nov 6, 2023 16:24:17.120408058 CET	49726	443	192.168.2.16	142.251.33.100
Nov 6, 2023 16:24:17.272929907 CET	49727	443	192.168.2.16	20.12.23.50
Nov 6, 2023 16:24:17.272929907 CET	49727	443	192.168.2.16	20.12.23.50
Nov 6, 2023 16:24:17.272975922 CET	443	49727	20.12.23.50	192.168.2.16
Nov 6, 2023 16:24:17.273001909 CET	443	49727	20.12.23.50	192.168.2.16
Nov 6, 2023 16:24:18.456454039 CET	49726	443	192.168.2.16	142.251.33.100
Nov 6, 2023 16:24:18.456487894 CET	443	49726	142.251.33.100	192.168.2.16
Nov 6, 2023 16:24:21.311950922 CET	443	49703	23.1.237.25	192.168.2.16
Nov 6, 2023 16:24:21.312026978 CET	49703	443	192.168.2.16	23.1.237.25
Nov 6, 2023 16:24:47.896876097 CET	49720	443	192.168.2.16	192.0.72.26
Nov 6, 2023 16:24:47.896893978 CET	443	49720	192.0.72.26	192.168.2.16
Nov 6, 2023 16:24:47.944850922 CET	49719	443	192.168.2.16	198.35.26.112
Nov 6, 2023 16:24:47.944875002 CET	443	49719	198.35.26.112	192.168.2.16
Nov 6, 2023 16:24:53.682116032 CET	49732	443	192.168.2.16	20.12.23.50
Nov 6, 2023 16:24:53.682153940 CET	443	49732	20.12.23.50	192.168.2.16
Nov 6, 2023 16:24:53.682317019 CET	49732	443	192.168.2.16	20.12.23.50
Nov 6, 2023 16:24:53.683326006 CET	49732	443	192.168.2.16	20.12.23.50
Nov 6, 2023 16:24:53.683340073 CET	443	49732	20.12.23.50	192.168.2.16
Nov 6, 2023 16:24:54.364350080 CET	443	49732	20.12.23.50	192.168.2.16
Nov 6, 2023 16:24:54.364538908 CET	49732	443	192.168.2.16	20.12.23.50
Nov 6, 2023 16:24:54.368597031 CET	49732	443	192.168.2.16	20.12.23.50
Nov 6, 2023 16:24:54.368607998 CET	443	49732	20.12.23.50	192.168.2.16
Nov 6, 2023 16:24:54.368947983 CET	443	49732	20.12.23.50	192.168.2.16
Nov 6, 2023 16:24:54.378735065 CET	49732	443	192.168.2.16	20.12.23.50
Nov 6, 2023 16:24:54.425328016 CET	443	49732	20.12.23.50	192.168.2.16
Nov 6, 2023 16:24:55.031368971 CET	443	49732	20.12.23.50	192.168.2.16
Nov 6, 2023 16:24:55.031387091 CET	443	49732	20.12.23.50	192.168.2.16
Nov 6, 2023 16:24:55.031424999 CET	443	49732	20.12.23.50	192.168.2.16
Nov 6, 2023 16:24:55.031570911 CET	49732	443	192.168.2.16	20.12.23.50
Nov 6, 2023 16:24:55.031594038 CET	443	49732	20.12.23.50	192.168.2.16
Nov 6, 2023 16:24:55.031784058 CET	49732	443	192.168.2.16	20.12.23.50
Nov 6, 2023 16:24:55.035885096 CET	49732	443	192.168.2.16	20.12.23.50
Nov 6, 2023 16:24:55.035897017 CET	443	49732	20.12.23.50	192.168.2.16
Nov 6, 2023 16:24:55.035926104 CET	49732	443	192.168.2.16	20.12.23.50
Nov 6, 2023 16:24:55.035931110 CET	443	49732	20.12.23.50	192.168.2.16
Nov 6, 2023 16:25:02.840061903 CET	443	49720	192.0.72.26	192.168.2.16
Nov 6, 2023 16:25:02.840135098 CET	443	49720	192.0.72.26	192.168.2.16
Nov 6, 2023 16:25:02.840183973 CET	49720	443	192.168.2.16	192.0.72.26
Nov 6, 2023 16:25:04.461405039 CET	49720	443	192.168.2.16	192.0.72.26
Nov 6, 2023 16:25:04.461431980 CET	443	49720	192.0.72.26	192.168.2.16
Nov 6, 2023 16:25:04.461464882 CET	49719	443	192.168.2.16	198.35.26.112
Nov 6, 2023 16:25:04.461581945 CET	443	49719	198.35.26.112	192.168.2.16
Nov 6, 2023 16:25:04.461694002 CET	49719	443	192.168.2.16	198.35.26.112
Nov 6, 2023 16:25:06.684964895 CET	49734	443	192.168.2.16	142.251.33.100
Nov 6, 2023 16:25:06.685003042 CET	443	49734	142.251.33.100	192.168.2.16
Nov 6, 2023 16:25:06.685110092 CET	49734	443	192.168.2.16	142.251.33.100
Nov 6, 2023 16:25:06.685400009 CET	49734	443	192.168.2.16	142.251.33.100
Nov 6, 2023 16:25:06.685415030 CET	443	49734	142.251.33.100	192.168.2.16
Nov 6, 2023 16:25:07.002969027 CET	443	49734	142.251.33.100	192.168.2.16
Nov 6, 2023 16:25:07.003262043 CET	49734	443	192.168.2.16	142.251.33.100
Nov 6, 2023 16:25:07.003320932 CET	443	49734	142.251.33.100	192.168.2.16
Nov 6, 2023 16:25:07.003798962 CET	443	49734	142.251.33.100	192.168.2.16
Nov 6, 2023 16:25:07.004142046 CET	49734	443	192.168.2.16	142.251.33.100
Nov 6, 2023 16:25:07.004229069 CET	443	49734	142.251.33.100	192.168.2.16
Nov 6, 2023 16:25:07.050959110 CET	49734	443	192.168.2.16	142.251.33.100
Nov 6, 2023 16:25:16.999592066 CET	443	49734	142.251.33.100	192.168.2.16
Nov 6, 2023 16:25:16.999650002 CET	443	49734	142.251.33.100	192.168.2.16
Nov 6, 2023 16:25:16.999934912 CET	49734	443	192.168.2.16	142.251.33.100
Nov 6, 2023 16:25:18.455982924 CET	49734	443	192.168.2.16	142.251.33.100
Nov 6, 2023 16:25:18.456008911 CET	443	49734	142.251.33.100	192.168.2.16
Nov 6, 2023 16:25:31.788975000 CET	49737	443	192.168.2.16	142.251.215.238
Nov 6, 2023 16:25:31.789015055 CET	443	49737	142.251.215.238	192.168.2.16
Nov 6, 2023 16:25:31.789233923 CET	49737	443	192.168.2.16	142.251.215.238
Nov 6, 2023 16:25:31.789525986 CET	49737	443	192.168.2.16	142.251.215.238
Nov 6, 2023 16:25:31.789544106 CET	443	49737	142.251.215.238	192.168.2.16
Nov 6, 2023 16:25:32.105050087 CET	443	49737	142.251.215.238	192.168.2.16
Nov 6, 2023 16:25:32.105506897 CET	49737	443	192.168.2.16	142.251.215.238
Nov 6, 2023 16:25:32.105565071 CET	443	49737	142.251.215.238	192.168.2.16
Nov 6, 2023 16:25:32.105899096 CET	443	49737	142.251.215.238	192.168.2.16
Nov 6, 2023 16:25:32.106017113 CET	49737	443	192.168.2.16	142.251.215.238
Nov 6, 2023 16:25:32.106489897 CET	443	49737	142.251.215.238	192.168.2.16
Nov 6, 2023 16:25:32.106580019 CET	49737	443	192.168.2.16	142.251.215.238
Nov 6, 2023 16:25:32.108421087 CET	49737	443	192.168.2.16	142.251.215.238
Nov 6, 2023 16:25:32.108480930 CET	443	49737	142.251.215.238	192.168.2.16
Nov 6, 2023 16:25:32.108597040 CET	49737	443	192.168.2.16	142.251.215.238
Nov 6, 2023 16:25:32.108611107 CET	443	49737	142.251.215.238	192.168.2.16
Nov 6, 2023 16:25:32.157217979 CET	49737	443	192.168.2.16	142.251.215.238
Nov 6, 2023 16:25:32.465084076 CET	443	49737	142.251.215.238	192.168.2.16
Nov 6, 2023 16:25:32.465778112 CET	443	49737	142.251.215.238	192.168.2.16
Nov 6, 2023 16:25:32.465864897 CET	49737	443	192.168.2.16	142.251.215.238
Nov 6, 2023 16:25:32.466015100 CET	49737	443	192.168.2.16	142.251.215.238
Nov 6, 2023 16:25:32.466069937 CET	443	49737	142.251.215.238	192.168.2.16

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 6, 2023 16:24:02.187903881 CET	49458	53	192.168.2.16	1.1.1.1
Nov 6, 2023 16:24:02.188262939 CET	56983	53	192.168.2.16	1.1.1.1
Nov 6, 2023 16:24:02.189359903 CET	49396	53	192.168.2.16	1.1.1.1
Nov 6, 2023 16:24:02.189708948 CET	61875	53	192.168.2.16	1.1.1.1
Nov 6, 2023 16:24:02.214427948 CET	53	62486	1.1.1.1	192.168.2.16
Nov 6, 2023 16:24:02.279230118 CET	59019	53	192.168.2.16	1.1.1.1
Nov 6, 2023 16:24:02.279762030 CET	52959	53	192.168.2.16	1.1.1.1
Nov 6, 2023 16:24:02.280527115 CET	54051	53	192.168.2.16	1.1.1.1
Nov 6, 2023 16:24:02.280972958 CET	51956	53	192.168.2.16	1.1.1.1
Nov 6, 2023 16:24:02.341082096 CET	53	56983	1.1.1.1	192.168.2.16
Nov 6, 2023 16:24:02.342242002 CET	53	49396	1.1.1.1	192.168.2.16
Nov 6, 2023 16:24:02.342257023 CET	53	49458	1.1.1.1	192.168.2.16
Nov 6, 2023 16:24:02.342578888 CET	53	61875	1.1.1.1	192.168.2.16
Nov 6, 2023 16:24:02.431715012 CET	53	59019	1.1.1.1	192.168.2.16
Nov 6, 2023 16:24:02.434564114 CET	53	52959	1.1.1.1	192.168.2.16
Nov 6, 2023 16:24:02.437526941 CET	53	54051	1.1.1.1	192.168.2.16
Nov 6, 2023 16:24:02.437952995 CET	53	51956	1.1.1.1	192.168.2.16
Nov 6, 2023 16:24:03.207698107 CET	53	62654	1.1.1.1	192.168.2.16
Nov 6, 2023 16:24:03.208244085 CET	55455	53	192.168.2.16	1.1.1.1
Nov 6, 2023 16:24:03.208553076 CET	63695	53	192.168.2.16	1.1.1.1
Nov 6, 2023 16:24:03.233803988 CET	52690	53	192.168.2.16	1.1.1.1
Nov 6, 2023 16:24:03.234045029 CET	53719	53	192.168.2.16	1.1.1.1
Nov 6, 2023 16:24:03.361080885 CET	53	55455	1.1.1.1	192.168.2.16
Nov 6, 2023 16:24:03.361985922 CET	53	63695	1.1.1.1	192.168.2.16
Nov 6, 2023 16:24:03.389902115 CET	53	53719	1.1.1.1	192.168.2.16
Nov 6, 2023 16:24:03.390297890 CET	53	52690	1.1.1.1	192.168.2.16
Nov 6, 2023 16:24:06.627590895 CET	56455	53	192.168.2.16	1.1.1.1
Nov 6, 2023 16:24:06.627911091 CET	61422	53	192.168.2.16	1.1.1.1
Nov 6, 2023 16:24:06.781409979 CET	53	61422	1.1.1.1	192.168.2.16
Nov 6, 2023 16:24:06.781559944 CET	53	56455	1.1.1.1	192.168.2.16
Nov 6, 2023 16:24:20.308619022 CET	138	138	192.168.2.16	192.168.2.255
Nov 6, 2023 16:24:20.313213110 CET	53	55393	1.1.1.1	192.168.2.16
Nov 6, 2023 16:24:39.093693972 CET	53	54950	1.1.1.1	192.168.2.16
Nov 6, 2023 16:25:02.031940937 CET	53	56483	1.1.1.1	192.168.2.16
Nov 6, 2023 16:25:02.187249899 CET	53	58168	1.1.1.1	192.168.2.16
Nov 6, 2023 16:25:30.687761068 CET	53	62148	1.1.1.1	192.168.2.16
Nov 6, 2023 16:25:31.634654045 CET	53075	53	192.168.2.16	1.1.1.1
Nov 6, 2023 16:25:31.634773970 CET	64246	53	192.168.2.16	1.1.1.1
Nov 6, 2023 16:25:31.787533045 CET	53	53075	1.1.1.1	192.168.2.16
Nov 6, 2023 16:25:31.787552118 CET	53	64246	1.1.1.1	192.168.2.16

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 6, 2023 16:24:02.187903881 CET	192.168.2.16	1.1.1.1	0xad94	Standard query (0)	clients2.google.com	A (IP address)	IN (0x0001)	false
Nov 6, 2023 16:24:02.188262939 CET	192.168.2.16	1.1.1.1	0x6630	Standard query (0)	clients2.google.com	65	IN (0x0001)	false
Nov 6, 2023 16:24:02.189359903 CET	192.168.2.16	1.1.1.1	0x5133	Standard query (0)	accounts.google.com	A (IP address)	IN (0x0001)	false
Nov 6, 2023 16:24:02.189708948 CET	192.168.2.16	1.1.1.1	0x4a11	Standard query (0)	accounts.google.com	65	IN (0x0001)	false
Nov 6, 2023 16:24:02.279230118 CET	192.168.2.16	1.1.1.1	0xc977	Standard query (0)	upload.wikimedia.org	A (IP address)	IN (0x0001)	false
Nov 6, 2023 16:24:02.279762030 CET	192.168.2.16	1.1.1.1	0xe60f	Standard query (0)	upload.wikimedia.org	65	IN (0x0001)	false
Nov 6, 2023 16:24:02.280527115 CET	192.168.2.16	1.1.1.1	0x153e	Standard query (0)	dfshultzblog.files.wordpress.com	A (IP address)	IN (0x0001)	false
Nov 6, 2023 16:24:02.280972958 CET	192.168.2.16	1.1.1.1	0xa81c	Standard query (0)	dfshultzblog.files.wordpress.com	65	IN (0x0001)	false
Nov 6, 2023 16:24:03.208244085 CET	192.168.2.16	1.1.1.1	0x46a8	Standard query (0)	upload.wikimedia.org	A (IP address)	IN (0x0001)	false
Nov 6, 2023 16:24:03.208553076 CET	192.168.2.16	1.1.1.1	0x1426	Standard query (0)	upload.wikimedia.org	65	IN (0x0001)	false
Nov 6, 2023 16:24:03.233803988 CET	192.168.2.16	1.1.1.1	0x6125	Standard query (0)	dfshultzblog.files.wordpress.com	A (IP address)	IN (0x0001)	false
Nov 6, 2023 16:24:03.234045029 CET	192.168.2.16	1.1.1.1	0xcf16	Standard query (0)	dfshultzblog.files.wordpress.com	65	IN (0x0001)	false
Nov 6, 2023 16:24:06.627590895 CET	192.168.2.16	1.1.1.1	0x4e80	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Nov 6, 2023 16:24:06.627911091 CET	192.168.2.16	1.1.1.1	0xcb97	Standard query (0)	www.google.com	65	IN (0x0001)	false
Nov 6, 2023 16:25:31.634654045 CET	192.168.2.16	1.1.1.1	0x151a	Standard query (0)	clients1.google.com	A (IP address)	IN (0x0001)	false
Nov 6, 2023 16:25:31.634773970 CET	192.168.2.16	1.1.1.1	0xf5c9	Standard query (0)	clients1.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 6, 2023 16:24:02.341082096 CET	1.1.1.1	192.168.2.16	0x6630	No error (0)	clients2.google.com	clients.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 6, 2023 16:24:02.342242002 CET	1.1.1.1	192.168.2.16	0x5133	No error (0)	accounts.google.com		142.251.33.109	A (IP address)	IN (0x0001)	false
Nov 6, 2023 16:24:02.342257023 CET	1.1.1.1	192.168.2.16	0xad94	No error (0)	clients2.google.com	clients.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 6, 2023 16:24:02.342257023 CET	1.1.1.1	192.168.2.16	0xad94	No error (0)	clients.l.google.com		142.251.33.78	A (IP address)	IN (0x0001)	false
Nov 6, 2023 16:24:02.431715012 CET	1.1.1.1	192.168.2.16	0xc977	No error (0)	upload.wikimedia.org		198.35.26.112	A (IP address)	IN (0x0001)	false
Nov 6, 2023 16:24:02.437526941 CET	1.1.1.1	192.168.2.16	0x153e	No error (0)	dfshultzblog.files.wordpress.com	s6.files.wordpress.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 6, 2023 16:24:02.437526941 CET	1.1.1.1	192.168.2.16	0x153e	No error (0)	s6.files.wordpress.com		192.0.72.26	A (IP address)	IN (0x0001)	false
Nov 6, 2023 16:24:02.437526941 CET	1.1.1.1	192.168.2.16	0x153e	No error (0)	s6.files.wordpress.com		192.0.72.27	A (IP address)	IN (0x0001)	false
Nov 6, 2023 16:24:02.437952995 CET	1.1.1.1	192.168.2.16	0xa81c	No error (0)	dfshultzblog.files.wordpress.com	s6.files.wordpress.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 6, 2023 16:24:03.361080885 CET	1.1.1.1	192.168.2.16	0x46a8	No error (0)	upload.wikimedia.org		198.35.26.112	A (IP address)	IN (0x0001)	false
Nov 6, 2023 16:24:03.389902115 CET	1.1.1.1	192.168.2.16	0xcf16	No error (0)	dfshultzblog.files.wordpress.com	s6.files.wordpress.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 6, 2023 16:24:03.390297890 CET	1.1.1.1	192.168.2.16	0x6125	No error (0)	dfshultzblog.files.wordpress.com	s6.files.wordpress.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 6, 2023 16:24:03.390297890 CET	1.1.1.1	192.168.2.16	0x6125	No error (0)	s6.files.wordpress.com		192.0.72.26	A (IP address)	IN (0x0001)	false
Nov 6, 2023 16:24:03.390297890 CET	1.1.1.1	192.168.2.16	0x6125	No error (0)	s6.files.wordpress.com		192.0.72.27	A (IP address)	IN (0x0001)	false
Nov 6, 2023 16:24:06.781409979 CET	1.1.1.1	192.168.2.16	0xcb97	No error (0)	www.google.com			65	IN (0x0001)	false
Nov 6, 2023 16:24:06.781559944 CET	1.1.1.1	192.168.2.16	0x4e80	No error (0)	www.google.com		142.251.33.100	A (IP address)	IN (0x0001)	false
Nov 6, 2023 16:25:31.787533045 CET	1.1.1.1	192.168.2.16	0x151a	No error (0)	clients1.google.com	clients.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 6, 2023 16:25:31.787533045 CET	1.1.1.1	192.168.2.16	0x151a	No error (0)	clients.l.google.com		142.251.215.238	A (IP address)	IN (0x0001)	false
Nov 6, 2023 16:25:31.787552118 CET	1.1.1.1	192.168.2.16	0xf5c9	No error (0)	clients1.google.com	clients.l.google.com		CNAME (Canonical name)	IN (0x0001)	false

HTTP Request Dependency Graph

clients2.google.com

accounts.google.com

dfshultzblog.files.wordpress.com

upload.wikimedia.org

slscr.update.microsoft.com

clients1.google.com

HTTPS Connections

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Nov 6, 2023 16:24:15.949484110 CET	23.1.237.25	443	192.168.2.16	49703	CN=r.bing.com, O=Microsoft Corporation, L=Redmond, ST=WA, C=US CN=Microsoft Azure ECC TLS Issuing CA 05, O=Microsoft Corporation, C=US	CN=Microsoft Azure ECC TLS Issuing CA 05, O=Microsoft Corporation, C=US CN=DigiCert Global Root G3, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Oct 18 22:32:40 CEST 2023 Wed Aug 12 02:00:00 CEST 2020	Fri Jun 28 01:59:59 CEST 2024 Fri Jun 28 01:59:59 CEST 2024	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-5-10-11-13-35-16-23-65281,29-23-24,0	28a2c9bd18a11de089ef85a160da29e4
Nov 6, 2023 16:24:15.949484110 CET	23.1.237.25	443	192.168.2.16	49703	CN=Microsoft Azure ECC TLS Issuing CA 05, O=Microsoft Corporation, C=US	CN=DigiCert Global Root G3, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Aug 12 02:00:00 CEST 2020	Fri Jun 28 01:59:59 CEST 2024		28a2c9bd18a11de089ef85a160da29e4

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.16	49715	142.251.33.78	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-11-06 15:24:02 UTC	0	OUT	GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=117.0.5938.132&lang=en-US&acceptformat=crx3,puff&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26brand%3DONGR%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1 Host: clients2.google.com Connection: keep-alive X-Goog-Update-Interactivity: fg X-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda X-Goog-Update-Updater: chromecrx-117.0.5938.132 Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.16	49716	142.251.33.109	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-11-06 15:24:02 UTC	0	OUT	POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1 Host: accounts.google.com Connection: keep-alive Content-Length: 1 Origin: https://www.google.com Content-Type: application/x-www-form-urlencoded Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=511=LtGInZ4I4WDrCvCHQBVMHOy4a-sqzpSrMO-Rwr8ezStTz_kfoi2bri7uGdXfNvskAEO_Tj5Jkwl0XSN-qA6MYiGShcDB_vNQOl1bpl3aua7gMrDRvWsHLpAuFBlBnNxTMeen95XElzx3r4myG8p8sgSHdx4NBawYGaI5oFn_dZ8
2023-11-06 15:24:02 UTC	1	OUT	Data Raw: 20 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.0.72.26	443	192.168.2.16	49723	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-11-06 15:24:03 UTC	37	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 06 Nov 2023 15:24:03 GMT Content-Type: image/jpeg Content-Length: 18036 Connection: close Last-Modified: Sun, 04 Feb 2018 03:55:00 GMT Expires: Sat, 16 Dec 2023 13:35:53 GMT X-Orig-Src: 01_mogdir Access-Control-Allow-Credentials: true Access-Control-Allow-Origin: https://dfshultzblog.wordpress.com Vary: Origin X-nc: HIT sea 26 np X-Content-Type-Options: nosniff Accept-Ranges: bytes
2023-11-06 15:24:03 UTC	37	IN	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 00 48 00 48 00 00 ff fe 00 13 43 72 65 61 74 65 64 20 77 69 74 68 20 47 49 4d 50 ff db 00 43 00 06 04 05 05 05 04 06 05 05 05 07 06 06 07 09 0f 0a 09 08 08 09 13 0d 0e 0b 0f 16 13 17 17 16 13 15 15 18 1b 23 1e 18 1a 21 1a 15 15 1e 29 1f 21 24 25 27 28 27 18 1d 2b 2e 2b 26 2e 23 26 27 26 ff db 00 43 01 06 07 07 09 08 09 12 0a 0a 12 26 19 15 19 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 ff c2 00 11 08 01 90 02 80 03 01 11 00 02 11 01 03 11 01 ff c4 00 1b 00 01 01 01 01 01 01 01 01 00 00 00 00 00 00 00 00 00 01 03 02 04 05 06 07 ff c4 00 1a 01 01 01 01 01 01 01 01 00 00 00 00 00 00 00 00 00 00 01 02 03 04 05 06 Data Ascii: JFIFHHCreated with GIMPC#!)!$%'('+.+&.#&'&C&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
2023-11-06 15:24:03 UTC	38	IN	Data Raw: f5 71 e3 ed f2 f9 12 69 14 e3 ae 7d bf 53 cd be f3 0e 4d cf 40 00 85 00 00 01 0a 08 78 fa 4c f5 9e e5 e6 ce 6b bc de 6c ee 5e 2c a0 87 52 ac ca bb 8a bc d9 a6 6f 16 02 93 b9 73 d4 ea 0b 13 b9 78 b3 3d 4d 73 61 d4 bc d9 4e 28 90 1d 1d e6 96 59 d4 b9 6a 44 b9 df 27 72 e5 a9 4e a2 c9 dc bc d9 c9 4e b4 27 72 e5 a9 63 e9 71 d8 10 a0 00 00 04 28 21 e7 ae 0f 41 d0 20 28 07 07 91 61 ea 38 32 3d 49 d8 00 c8 c8 ec e0 1a 19 14 e4 dc ec f3 94 86 86 a0 a0 02 14 00 66 62 72 7a 4e c8 50 01 0a 00 06 92 8a 40 00 05 00 10 a4 21 9a 74 bd 82 9c 94 a0 18 4d 7c fc f7 92 f6 41 67 d0 d7 9f 6b 00 87 24 29 01 4e 4a 43 b0 72 52 1d 14 14 02 02 80 0e 08 43 42 90 14 02 02 80 73 1e 2a a9 ed 58 78 ca 9b 2f 94 dd 3d 4a 00 87 26 07 21 0b d9 c9 e9 21 4a 01 e7 9b f9 78 f4 62 68 70 68 9f 5b Data Ascii: qi}SM@xLkl^,Rosx=MsaN(YjD'rNN'rcq(!A (a82=IfbrzNP@!tM\|Agk$)NJCrRCBs*Xx/=J&!!Jxbhph[
2023-11-06 15:24:03 UTC	39	IN	Data Raw: 07 25 00 00 00 00 a0 10 14 00 72 52 80 40 50 08 0a 01 01 40 21 0e 80 04 05 00 80 a0 10 f3 fc 9f 48 13 a4 cf e8 70 ef 53 62 14 d0 cc 1d a6 ab 0c 4e 13 a3 b5 00 63 37 84 df 71 d2 8e ae 76 d7 20 00 00 01 0a 00 21 40 00 00 00 00 00 00 04 28 00 85 00 00 00 06 3f 2f d2 04 de 78 f7 f1 eb 53 d0 9b 28 00 08 0c 0e 4a 9d a8 03 09 bf 36 77 a2 e8 0b 73 b6 b9 50 00 00 02 14 00 42 80 08 50 00 00 00 42 80 08 50 01 0a 00 00 00 0f 07 e7 fd d4 17 ae 1f 63 cb a6 f3 ec 5a 01 d0 04 07 9c e0 d5 34 50 04 28 00 e6 5e 1a 01 16 bb b8 a0 02 14 00 42 80 08 50 00 00 00 42 80 08 50 01 0a 00 00 00 0f 1e 2f b4 a7 07 87 53 aa d8 c2 38 ae cf 61 a8 21 0f 39 c9 d2 74 a0 08 50 01 84 df ca c7 7e 96 03 b4 fa 5b f3 6d 60 02 14 00 42 80 08 50 00 00 00 42 80 08 50 01 0a 00 21 40 00 d7 9d a0 e2 bc Data Ascii: %rR@P@!HpSbNc7qv !@(?/xS(J6wsPBPBPcZ4P(^BPBP/S8a!9tP~[m`BPBP!@
2023-11-06 15:24:03 UTC	41	IN	Data Raw: f2 b8 67 eb 72 9b 8b 32 9b 18 fb 21 0f e5 f9 1e 07 d5 64 7d 56 42 fe 43 3e a3 23 c7 e6 6d e3 99 8f b3 52 0d 0f f3 4c 55 34 34 1f a3 17 4d 48 43 f9 7e 57 e3 3e b5 8b f9 6d 9f 52 cf aa 67 83 ce f2 6b 31 3a 42 0c d8 c7 d9 a9 0c ff 00 1c b3 b5 23 b5 0b c8 be 79 e7 a8 bc c8 ed 42 c9 31 a4 63 11 b1 4d 91 e7 c1 66 7d 2e 22 fe 2a 3e 99 1f 4c 8f a6 47 d2 62 7d 26 27 d2 a4 7d 32 17 f1 d1 8e 38 a3 5c 49 89 ae 26 a8 f4 44 28 8b c7 f2 3c 4b 33 e9 71 3e 93 13 e9 91 f4 c8 c3 c0 90 96 22 68 bc 31 a4 6a 85 11 b1 47 05 0d 91 b2 29 ff 00 d1 22 17 3f c6 7e d6 48 5e 44 76 9d a2 f2 d3 d3 14 36 36 43 f6 b9 cb f1 9f 85 b6 bc 39 18 f8 9d c7 f1 f1 f3 61 b0 bc 0c e9 c8 f1 e0 f1 32 4c 49 91 91 91 9a b3 56 24 34 46 46 3c 59 8e 2c 69 91 9a b3 56 47 35 66 ac 8e 3c 58 93 26 46 14 a6 7e Data Ascii: gr2!d}VBC>#mRLU44MHC~W>mRgk1:B#yB1cMf}."*>LGb}&'}28\I&D(<K3q>"h1jG)"?~H^Dv66C9a2LIV$4FF<Y,iVG5f<X&F~
2023-11-06 15:24:03 UTC	42	IN	Data Raw: 94 a5 29 4a 52 94 a5 29 4a 5f 86 43 6a ec 8a 9b 58 23 ad 1a 9d 68 eb 46 8b 87 f7 5a a7 5a 16 06 a6 a6 a2 fd 7f 61 d8 76 1b 9e 88 8d 52 17 90 ec 16 43 cc ec 16 57 87 ca 44 21 08 42 10 84 21 08 42 10 84 21 08 42 10 84 21 08 42 10 84 21 08 42 10 84 21 08 42 10 84 21 08 42 10 84 21 08 42 1d 67 59 d6 68 7a 3d 0b d9 d6 75 8b 11 f8 ce b3 1c 27 0f 94 ca 52 94 cb 38 77 0b ca 76 1d 82 cc a5 29 4a 52 94 a5 29 4a 52 94 a5 29 4a 52 94 a5 29 4a 52 94 a5 29 4a 52 94 a5 29 4a 52 94 a5 29 4e c3 b0 ec 37 a6 a6 a6 2a 7d 86 42 09 10 84 21 9e 14 e8 17 8a 1d 67 58 b0 21 08 42 10 84 21 08 42 10 84 21 08 42 10 84 21 08 42 10 84 21 08 42 10 84 21 08 42 10 84 21 08 42 1a b3 56 6a c8 c4 62 53 64 5f 8b 1f 18 94 a5 29 4a 52 94 79 1d 88 ec 47 62 3b 11 ba 16 45 29 4a 52 94 a5 29 4a 52 Data Ascii: )JR)J_CjX#hFZZavRCWD!B!B!B!B!B!B!B!BgYhz=u'R8wv)JR)JR)JR)JR)JR)JR)N7*}B!gX!B!B!B!B!B!B!BVjbSd_)JRyGb;E)JR)JR
2023-11-06 15:24:03 UTC	43	IN	Data Raw: 35 0d 42 e5 c7 98 ff 00 b0 64 92 49 27 d2 e0 a1 42 85 0a fa 5e 24 a2 51 2b f8 63 f4 b9 24 92 49 ff 00 10 7f ff c4 00 26 11 00 02 01 02 05 04 03 01 01 00 00 00 00 00 00 00 00 11 01 02 14 03 12 13 21 40 04 10 31 50 20 30 60 70 80 ff da 00 08 01 02 01 01 3f 01 ff 00 7b 31 c0 e0 70 38 33 40 e0 70 38 1c 0f eb 63 81 c0 e0 cc 3f 6d 8f 89 34 93 d4 d4 5d 54 5d d4 5d d4 47 55 51 73 51 73 51 3d 55 45 dd 45 1d 55 53 26 15 4e 3e ac 7c 49 a4 b9 a8 b9 a8 ba a8 bb a8 c0 ea 26 a9 29 f1 f7 d5 26 63 31 9c ce 45 43 18 c6 3f 8d 5e 38 f8 b8 59 8b 42 cc b2 82 ca 0b 32 d0 b4 2c cb 28 29 e9 22 0a 29 51 f5 62 e1 66 2d 0b 42 ce 0b 28 30 fa 6c b2 47 df 5f c6 aa f2 97 12 5c 49 73 25 cc 94 63 cc c9 4c b8 f8 4c 3e 42 ec 84 21 76 42 17 d8 bb 21 0b 81 55 26 53 29 90 c9 26 26 1c c9 a1 26 Data Ascii: 5BdI'B^$Q+c$I&!@1P 0`p?{1p83@p8c?m4]T]]GUQsQsQ=UEEUS&N>\|I&)&c1EC?^8YB2,()")Qbf-B(0lG_\Is%cLL>B!vB!U&S)&&&
2023-11-06 15:24:04 UTC	45	IN	Data Raw: b4 ca ac 51 0f 66 b0 93 91 94 6e 49 5e 9c a0 cd 0a 5e 9b 31 61 2f 62 47 a7 02 9c 95 14 a3 e9 05 b9 22 2f a1 d8 43 44 56 3a 10 85 a4 8c 42 9e c5 dc fd 88 f6 17 31 2e 08 fa 76 13 b2 5b 05 e2 62 5e c5 ee 89 37 1a a2 23 fb 0b 32 38 f0 49 c9 9f 91 c3 93 bc ec 17 d0 78 ff 00 a2 fb 1d c7 a8 c4 5f 24 82 fb 1d 83 bf 27 d8 76 99 79 1f b0 7d 24 dc 8e dc 88 8f 2c 58 18 b0 5b 87 a5 7f 61 34 e4 ee 33 f2 76 97 c9 90 22 0d 60 c4 16 58 fe 87 68 90 7d c7 68 be a7 79 49 65 8c f4 4b e4 2d e8 ea 1b 18 b4 6a f3 ad 09 79 3e a3 ea 3b 8b 4b 2c 82 08 18 a8 a8 a8 82 08 20 82 08 2a 2a 19 41 dd c0 8f 10 c7 36 aa a5 a0 53 d1 7a e9 bb 08 d8 e6 31 19 75 d4 6e 46 61 c4 5a 6a 96 9d 12 17 a2 bd 3d 03 b6 f2 a6 55 c6 4f 42 70 ca 3f 27 0e 06 f7 82 be 08 fe 1f 81 9c e0 6f 82 fc 9d 1a 2a c3 90 Data Ascii: QfnI^^1a/bG"/CDV:B1.v[b^7#28Ix_$'vy}$,X[a43v"`Xh}hyIeK-jy>;K, *A6Sz1unFaZj=UOBp?'o
2023-11-06 15:24:04 UTC	46	IN	Data Raw: ff 00 eb cf ff 00 fd ed fb 2b f9 3f ff 00 fd f8 7f 0e 49 42 08 96 13 a2 08 a3 d8 1c 46 91 82 5b ff 00 e8 51 45 58 b6 7b 2b cf ff 00 fd ed fb 2b 6f d7 9f ff 00 fb 2b c1 f0 c2 1b b4 8f be 1d c0 62 37 1e d3 43 c5 14 35 31 6d fa f3 ff 00 ff 00 7b 7e ca db f5 e7 ff 00 fe ca db f4 fa d4 0c 9c 88 ef 23 60 6a b4 24 bb 38 14 46 34 24 92 49 20 82 08 20 42 3b 36 99 21 92 49 24 92 49 24 92 49 24 92 48 d4 92 49 24 6a 25 24 92 49 12 92 49 24 92 49 24 92 49 24 92 48 d4 92 49 24 92 fc 89 21 06 01 e8 9f b0 bc 02 45 28 e3 92 eb c4 74 81 19 19 19 19 19 19 19 19 19 19 61 cb 91 f4 19 b9 17 d8 4d 79 29 88 c8 c8 c8 c8 c8 c8 c8 c8 c8 c8 c8 c8 c8 c6 99 19 19 19 18 d3 12 64 64 64 64 62 4c 8c 8c 8c 8c 8c 8c 8c 8c 8c 8c 8c 8c 8c 8c 69 91 91 91 91 91 94 41 22 60 fd 03 a0 73 1a bd 1f Data Ascii: +?IBF[QEX{++o+b7C51m{~#`j$8F4$I B;6!I$I$I$HI$j%$II$I$I$HI$!E(taMy)ddddbLiA"`s
2023-11-06 15:24:04 UTC	62	IN	Data Raw: b7 ba 48 24 92 01 24 0d b6 5c 92 c4 93 22 49 04 92 09 20 23 c1 28 92 48 00 0c 00 00 00 13 52 98 00 04 92 00 00 c8 40 98 01 88 f7 86 db 00 02 40 04 39 45 2c 82 48 20 8e 49 24 92 6d fb 56 48 17 ed b9 24 e6 d3 a4 90 4e df 6a 12 64 90 09 21 92 00 60 92 48 00 0c 00 00 00 40 00 90 01 12 e4 80 00 80 01 03 6e 00 00 2f 00 e0 02 40 01 80 59 24 10 49 24 dc 00 00 00 08 00 90 01 00 00 00 00 10 00 95 b7 40 00 00 00 20 02 40 04 8b 19 4c 02 49 20 4c 00 00 00 08 00 80 01 00 00 00 00 10 01 8a 49 e0 00 00 00 20 00 40 04 b6 04 0c 80 49 04 7e 49 00 92 65 fb de 48 24 92 01 24 82 49 1f fd b9 20 12 49 04 92 09 20 f7 43 68 80 48 12 9c 00 04 00 4f 38 4e 01 00 00 08 00 10 00 20 02 00 04 80 00 20 00 40 04 59 02 4c 02 c9 04 8e 49 24 92 42 49 32 49 24 92 49 24 92 48 04 90 49 24 92 49 Data Ascii: H$$\"I #(HR@@9E,H I$mVH$Njd!`H@n/@Y$I$@ @LI LI @I~IeH$$I I ChHO8N @YLI$BI2I$I$HI$I
2023-11-06 15:24:04 UTC	63	IN	Data Raw: 13 97 5f 98 96 8e 27 3f 3b 7a 41 05 a1 17 44 10 41 04 7a 10 54 54 3e c7 3e bf 31 32 94 a8 7d 8e 7d 34 10 b4 2e 46 d8 a5 45 45 58 42 10 84 f1 d1 45 0d 68 6e f5 e1 8d 94 50 dd 8d dd 2d e1 4a 51 3d 2d 78 c1 02 ca 28 ac 10 49 24 89 4b c4 b9 f4 ed 69 04 ba b1 c6 8a 28 a7 89 7b 66 e1 59 b9 b9 b8 db 1a f7 17 ae 43 73 73 73 71 d1 5f 56 8a 28 6a 43 db af 41 1a c2 87 23 53 ab 08 42 10 9d 59 27 02 5a 1e be bb c6 24 20 82 44 0d 5f af a2 8a 2b b3 4a 56 52 ff 00 65 d9 65 96 59 65 96 37 fc 3f 31 14 22 20 81 a8 c0 b1 49 23 9f 62 32 8a 28 8f d5 27 04 c5 14 59 45 14 58 d9 8f 7e ba d6 25 20 82 04 c1 37 f5 f0 84 27 61 a1 65 94 50 dd 8d df 5f 04 10 2d 21 23 fc 7f ba 1a be 95 f4 84 d0 fd a5 96 59 34 24 7d 29 e9 8b 0f db 80 96 87 af ae 95 28 b2 cb 1b 21 a9 eb ec a2 8a ec 73 12 Data Ascii: _'?;zADAzTT>>12}}4.FEEXBEhnP-JQ=-x(I$Ki({fYCsssq_V(jCA#SBY'Z$ D_+JVReeYe7?1" I#b2('YEX~% 7'aeP_-!#Y4$})(!s
2023-11-06 15:24:04 UTC	65	IN	Data Raw: 58 be d3 a3 1e d1 34 d0 c6 a1 58 ec a5 0b 88 f0 33 89 70 cc 91 1d 1d c4 72 e4 ba 42 5c 92 a1 8b 01 08 0d da a1 74 40 b9 21 da 20 1c 07 a8 84 21 08 42 10 84 21 08 42 10 84 21 08 42 10 82 18 d0 92 24 21 63 42 4e c1 09 4f 84 8a a0 a4 8d 08 48 8b c8 5c 58 8b 24 5d d8 21 30 21 23 1b 76 09 1e 04 a7 60 b4 88 62 b9 a1 4b 10 f2 26 4c 80 21 3c c4 a8 9a 19 16 4b d7 70 44 4f 44 a4 63 fa 90 8a 91 3a 42 44 a0 b3 a7 81 5c c5 91 22 18 2d 45 73 42 dc 21 0b 1a 38 14 51 41 b6 a1 5a 43 5a 86 00 11 8c 3c a9 09 54 10 89 21 4a 52 94 a5 29 4a 52 94 a5 29 4a 52 94 a5 29 7f e0 d4 55 15 44 34 09 fe 7f ce 08 82 1b 44 93 6f d6 0b 67 d6 89 fd 82 21 7d 48 ad 9f 13 40 fb d1 b9 1b 11 b9 1b 90 9f fe 10 44 2f f2 22 08 ad bf 35 59 59 58 cc 67 0a ca ca c4 65 0e de 45 65 65 65 74 62 43 c1 8a Data Ascii: X4X3prB\t@! !B!B!B$!cBNOH\X$]!0!#v`bK&L!<KpDODc:BD\"-EsB!8QAZCZ<T!JR)JR)JR)UD4Dog!}H@D/"5YYXgeEeeetbC
2023-11-06 15:24:04 UTC	66	IN	Data Raw: b6 27 48 be cb ec be cc 31 8d bc af 84 a1 c7 c2 83 b0 49 88 be cb ec be c6 f3 91 35 2f b2 fb 2f b2 fb 1b de 44 fd 97 d9 7d 97 d8 df b1 77 17 d9 7d 97 d9 da 1b d9 7d 97 d9 7d 8d e7 23 7b 2f b2 fb 2f b2 fb 2e f2 5f 65 f6 5f 65 f6 37 bc 89 fb 2f b2 fb 2f b1 bd 89 fb 2f b2 fb 2f b1 8d 43 50 d4 35 07 1e b2 2a f9 41 cf 86 36 89 1c 33 0b 91 62 47 f0 0d 28 d9 93 21 82 33 e2 63 0f 22 36 b2 46 46 46 46 55 28 8c 8c 8c c7 92 5e 4d 86 c3 61 6f 26 68 8c 8c 8c 69 89 a9 19 19 19 19 54 a2 32 32 31 82 4c 8c 8c 8c 46 23 23 23 23 1b 41 19 19 19 19 45 52 32 32 32 31 b5 12 64 64 64 63 06 11 91 91 8d a0 d5 15 8a ed 66 d2 8c b3 88 c3 68 1a 96 87 20 85 51 8c 22 10 83 46 c4 96 46 47 05 71 3e c8 01 93 ea 01 0f 68 73 55 19 e6 6c 36 0d 6b 58 d2 5f a0 0c 17 d4 00 c9 f6 00 0b e8 aa fe Data Ascii: 'H1I5//D}w}}}#{//._e_e7////CP5*A63bG(!3c"6FFFFU(^Mao&hiT221LF####AER2221dddcfh Q"FFGq>hsUl6kX_
2023-11-06 15:24:04 UTC	67	IN	Data Raw: 46 47 48 c8 c8 c8 c6 98 93 23 23 23 20 d0 71 89 93 0d 31 9d 79 2e c3 57 92 87 5c e4 d9 8c 1a 19 b2 d0 c5 01 34 0a 7c a8 47 cc 27 a8 51 6a 86 3b 31 d9 8e c4 b6 2c 10 b1 0b 90 f7 27 a4 f4 9e 93 d2 65 3d 27 a4 f4 9e 91 3e 84 bb a2 76 27 62 76 1f 61 a6 7a 4f 49 e9 1e 91 57 c1 e9 3d 27 a4 f4 99 7c 1e 93 d2 7a 4f 49 a2 2d 27 a4 f4 9e 93 44 d1 3d 27 a4 f4 8f 48 ab e0 f4 9e 93 d2 7a 4c be 0f 49 e9 3d 27 a4 75 f0 2d 27 a4 f4 9e 91 34 70 6f 56 90 9f 09 1a d1 ad 11 f0 8c dc 0d 61 ed 48 32 b8 3d af 82 b1 48 23 26 17 50 44 c8 70 e1 8e 92 31 69 46 42 66 01 19 c0 96 f0 35 70 5f 65 f6 5f 65 f6 5d e4 be cb ec be cb ec 7e 69 8d ab 22 8c d3 73 37 31 c7 cb 18 e4 5f 65 f6 5f 63 7e c4 f7 92 fb 2f b2 fb 2f b2 ef 25 f6 5f 65 f6 5f 63 7e c4 fd 97 d9 7d 97 d8 de c6 f6 5f 65 f6 5f Data Ascii: FGH### q1y.W\4\|G'Qj;1,'e='>v'bvazOIW='\|zOI-'D='HzLI='u-'4poVaH2=H#&PDp1iFBf5p_e_e]~i"s71_e_c~//%_e_c~}_e_
2023-11-06 15:24:04 UTC	69	IN	Data Raw: b2 42 c8 db 0b 98 38 ed 51 d0 5c 70 7f 0f e1 fc 2e 47 e0 3c 86 4e 7e 3f c3 f8 7f 0f e1 e7 81 1f c3 f8 7f 06 75 07 9a 34 23 55 b3 00 df 11 a5 54 80 cf e1 fc 3f 83 e0 e4 7f 0f e1 fc 3f 85 c9 fc 3f 87 f0 fe 0f 91 70 7f 0f e1 fc f9 3f 87 f0 fe 0f 81 b2 7f 0f e1 fc 3f 87 93 f8 7f 0f e1 fc 1f 22 3f 87 f0 fe 1e 87 a1 fc 3f 87 f0 66 2c 18 30 73 c3 3a 31 62 db 11 29 b2 9e 04 92 f0 60 c1 83 06 06 f0 f8 a5 fc 70 60 c1 83 14 50 c1 83 05 14 90 e3 31 a4 63 83 15 b8 62 a8 da 63 10 86 0c 18 1c 87 23 06 0c 18 31 4c 18 30 60 72 8a 43 06 0c 10 41 83 06 07 21 14 c1 83 06 0f 26 0c 18 30 3e 45 0c 18 30 41 06 0c 18 1c 19 4f 33 06 0e 58 32 34 44 56 10 ea 26 9c 1a ad e4 c1 83 06 0c 18 1b c0 72 48 b6 6e 60 c1 83 06 28 a1 83 06 0e 60 5d 48 d4 86 df 03 48 8e 52 42 a4 a2 30 60 c0 e4 Data Ascii: B8Q\p.G<N~?u4#UT???p??"??f,0s:1b)`p`P1cbc#1L0`rCA!&0>E0AO3X24DV&rHn`(`]HHRB0`

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	198.35.26.112	443	192.168.2.16	49722	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-11-06 15:24:04 UTC	47	IN	HTTP/1.1 200 OK date: Mon, 06 Nov 2023 14:41:15 GMT content-type: image/png content-length: 23997 content-disposition: inline;filename=UTF-8''Microsoft_365_logo.png etag: f720ad0a8aa79b2ebbd49b4e93872921 last-modified: Sun, 24 Sep 2023 20:24:43 GMT server: ATS/9.1.4 age: 2568 x-cache: cp4051 miss, cp4051 hit/4203 x-cache-status: hit-front server-timing: cache;desc="hit-front", host;desc="cp4051" strict-transport-security: max-age=106384710; includeSubDomains; preload report-to: { "group": "wm_nel", "max_age": 604800, "endpoints": [{ "url": "https://intake-logging.wikimedia.org/v1/events?stream=w3c.reportingapi.network_error&schema_uri=/w3c/reportingapi/network_error/1.0.0" }] } nel: { "report_to": "wm_nel", "max_age": 604800, "failure_fraction": 0.05, "success_fraction": 0.0} x-client-ip: 156.146.49.168 x-content-type-options: nosniff access-control-allow-origin: access-control-expose-headers: Age, Date, Content-Length, Content-Range, X-Content-Duration, X-Cache timing-allow-origin: * accept-ranges: bytes connection: close
2023-11-06 15:24:04 UTC	48	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 04 b0 00 00 00 c6 08 06 00 00 00 c2 15 79 00 00 00 00 04 67 41 4d 41 00 00 b1 8f 0b fc 61 05 00 00 00 20 63 48 52 4d 00 00 7a 26 00 00 80 84 00 00 fa 00 00 00 80 e8 00 00 75 30 00 00 ea 60 00 00 3a 98 00 00 17 70 9c ba 51 3c 00 00 00 06 62 4b 47 44 00 00 00 00 00 00 f9 43 bb 7f 00 00 00 09 70 48 59 73 00 00 2e 23 00 00 2e 23 01 78 a5 3f 76 00 00 00 07 74 49 4d 45 07 e7 09 18 14 18 2a 1d a7 c6 b8 00 00 5c 87 49 44 41 54 78 da ed dd 77 98 5d 55 d5 c7 f1 ef 4c 7a 2f 90 4e 0d bd f7 26 35 20 20 4d 29 62 45 14 0b 16 d4 f7 95 65 2f 28 76 d1 ad bc 8a 82 0d 05 01 11 a5 89 f4 8e 74 10 42 09 a4 40 42 20 9d f4 5e a6 bc 7f ac 3d 32 84 c9 64 66 ee 3e e7 9e 7b ef ef f3 3c f3 00 9a 9c b9 77 9f b6 f7 da 6b af 0d 22 22 Data Ascii: PNGIHDRygAMAa cHRMz&u0`:pQ<bKGDCpHYs.#.#x?vtIME*\IDATxw]ULz/N&5 M)bEe/(vtB@B ^=2df>{<wk""
2023-11-06 15:24:04 UTC	69	IN	Data Raw: 1b 48 da ba 11 cd 71 10 a9 c0 63 d7 06 b4 e5 58 76 37 9a b4 59 1b ab c9 b7 b8 6e a9 16 65 d0 ee c3 e9 44 00 2b 2e 21 b8 10 5f 0a 5e 6e 7d 81 63 f1 2c 86 2b cc ec 3d 5d cc c6 dd 98 01 89 af bb 26 72 de c1 33 c1 60 25 75 e0 b4 0e 65 60 49 8d 0b 21 ac 0b 21 b4 d4 16 fc 13 d9 64 f2 8f 01 3e 62 66 5d e9 ef 66 d5 3f ba 9b ec 96 a0 75 e5 f9 76 1b b0 24 e1 61 7b 00 a3 2b a0 88 7e 29 ed d6 80 67 64 df 90 c1 75 32 08 d8 b1 75 21 7c 05 b0 44 a4 10 2f 6d 7c 26 ff f5 44 87 3c 3e be a4 3b 6a 1f e0 c0 04 bf 77 01 70 93 82 20 b9 e8 8f 07 b1 52 59 4a 05 6f 73 5c 66 2b c9 6e 69 41 7b fa 90 76 0b e7 b5 94 27 93 ac ab 1a 49 bf 63 52 a7 fb 85 21 84 49 f8 0e 5b 45 a9 e1 d4 1b 5f 2a f3 67 e0 f7 66 76 a4 99 a5 dc b4 68 30 a5 4f 76 ac 7f 1e 2b ed d9 f3 3a 69 b3 55 7b e0 75 b0 44 Data Ascii: HqcXv7YneD+.!_^n}c,+=]&r3`%ue`I!!d>bf]f?uv$a{+~)gdu2u!\|D/m\|&D<>;jwp RYJos\f+niA{v'IcR!I[E_*gfvh0Ov+:iU{uD

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
12	192.168.2.16	49727	20.12.23.50	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-11-06 15:24:16 UTC	79	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=BBWLTLTxOmoX+Lx&MD=CN9uEAYM HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2023-11-06 15:24:16 UTC	79	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: 4ca572ce-083b-44b8-8f0c-9972921529ab MS-RequestId: 51e9f7b3-3404-4674-834f-474ec9ef20ad MS-CV: H3xpO+mgEke08gSE.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Mon, 06 Nov 2023 15:24:16 GMT Connection: close Content-Length: 24490
2023-11-06 15:24:16 UTC	80	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2023-11-06 15:24:16 UTC	95	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
13	192.168.2.16	49732	20.12.23.50	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-11-06 15:24:54 UTC	104	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=BBWLTLTxOmoX+Lx&MD=CN9uEAYM HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2023-11-06 15:24:55 UTC	104	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "Mx1RoJH/qEwpWfKllx7sbsl28AuERz5IYdcsvtTJcgM=_2160" MS-CorrelationId: f03be348-a235-4bc2-833a-c9fb73ad5ba4 MS-RequestId: c8967986-fcdb-4c88-a0ff-6accc9e25c91 MS-CV: Ldd2sgBQZU+suhbT.0 X-Microsoft-SLSClientCache: 2160 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Mon, 06 Nov 2023 15:24:54 GMT Connection: close Content-Length: 25457
2023-11-06 15:24:55 UTC	105	IN	Data Raw: 4d 53 43 46 00 00 00 00 51 22 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 db 8e 00 00 14 00 00 00 00 00 10 00 51 22 00 00 20 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 f3 43 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 0d 92 6f db e5 21 f3 43 43 4b ed 5a 09 38 55 5b df 3f 93 99 90 29 99 e7 29 ec 73 cc 4a 66 32 cf 84 32 64 c8 31 c7 11 52 38 87 90 42 66 09 99 87 32 0f 19 0a 09 51 a6 a8 08 29 53 86 4a 52 84 50 df 46 83 ba dd 7b df fb 7e ef 7d ee 7d bf ef 9e e7 d9 67 ef 35 ee b5 fe eb 3f ff b6 96 81 a2 0a 04 fc 31 40 21 5b 3f a5 ed 1b 04 0e 85 42 a0 10 04 64 12 6c a5 de aa a1 d8 ea f3 58 01 f2 f5 67 0b 5e 9b bd e8 a0 90 1d bf 40 88 9d eb 49 b4 87 9b ab 8b 9d 2b 46 c8 c7 c5 19 92 Data Ascii: MSCFQ"DQ" AdCenvironment.cabo!CCKZ8U[?))sJf22d1R8Bf2Q)SJRPF{~}}g5?1@![?BdlXg^@I+F
2023-11-06 15:24:55 UTC	120	IN	Data Raw: 21 6f b3 eb a6 cc f5 31 be cf 05 e2 a9 fe fa 57 6d 19 30 b3 c2 c5 66 c9 6a df f5 e7 f0 78 bd c7 a8 9e 25 e3 f9 bc ed 6b 54 57 08 2b 51 82 44 12 fb b9 53 8c cc f4 60 12 8a 76 cc 40 40 41 9b dc 5c 17 ff 5c f9 5e 17 35 98 24 56 4b 74 ef 42 10 c8 af bf 7f c6 7f f2 37 7d 5a 3f 1c f2 99 79 4a 91 52 00 af 38 0f 17 f5 2f 79 81 65 d9 a9 b5 6b e4 c7 ce f6 ca 7a 00 6f 4b 30 44 24 22 3c cf ed 03 a5 96 8f 59 29 bc b6 fd 04 e1 70 9f 32 4a 27 fd 55 af 2f fe b6 e5 8e 33 bb 62 5f 9a db 57 40 e9 f1 ce 99 66 90 8c ff 6a 62 7f dd c5 4a 0b 91 26 e2 39 ec 19 4a 71 63 9d 7b 21 6d c3 9c a3 a2 3c fa 7f 7d 96 6a 90 78 a6 6d d2 e1 9c f9 1d fc 38 d8 94 f4 c6 a5 0a 96 86 a4 bd 9e 1a ae 04 42 83 b8 b5 80 9b 22 38 20 b5 25 e5 64 ec f7 f4 bf 7e 63 59 25 0f 7a 2e 39 57 76 a2 71 aa 06 8a Data Ascii: !o1Wm0fjx%kTW+QDS`v@@A\\^5$VKtB7}Z?yJR8/yekzoK0D$"<Y)p2J'U/3b_W@fjbJ&9Jqc{!m<}jxm8B"8 %d~cY%z.9Wvq

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
14	192.168.2.16	49737	142.251.215.238	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-11-06 15:25:32 UTC	130	OUT	GET /tools/pso/ping?as=chrome&brand=ONGR&pid=&hl=en&events=C1I,C2I,C7I,C1S,C7S&rep=2&rlz=C1:,C2:,C7:&id=000000000000000000000000000000000000000084A5C6CB58 HTTP/1.1 Host: clients1.google.com Connection: keep-alive Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
15	142.251.215.238	443	192.168.2.16	49737	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-11-06 15:25:32 UTC	130	IN	HTTP/1.1 200 OK Content-Security-Policy: script-src 'report-sample' 'nonce-Wt-WYmQB3ipRSKOHwIoSFA' 'unsafe-inline' 'strict-dynamic' https: http:;object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/download-dt/1 Content-Security-Policy: script-src 'report-sample' 'nonce-Y7s5Bu_LjAPPKHQOvWgePA' 'unsafe-inline' 'strict-dynamic' https: http:;object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/download-dt/1 Content-Type: text/plain; charset=utf-8 Content-Length: 220 Date: Mon, 06 Nov 2023 15:25:32 GMT Expires: Mon, 06 Nov 2023 15:25:32 GMT Cache-Control: private, max-age=0 X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block Server: GSE Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2023-11-06 15:25:32 UTC	131	IN	Data Raw: 72 6c 7a 43 31 3a 20 31 43 31 4f 4e 47 52 5f 65 6e 55 53 31 30 38 33 0a 72 6c 7a 43 32 3a 20 31 43 32 4f 4e 47 52 5f 65 6e 55 53 31 30 38 33 0a 72 6c 7a 43 37 3a 20 31 43 37 4f 4e 47 52 5f 65 6e 55 53 31 30 38 33 0a 64 63 63 3a 20 0a 73 65 74 5f 64 63 63 3a 20 43 31 3a 31 43 31 4f 4e 47 52 5f 65 6e 55 53 31 30 38 33 2c 43 32 3a 31 43 32 4f 4e 47 52 5f 65 6e 55 53 31 30 38 33 2c 43 37 3a 31 43 37 4f 4e 47 52 5f 65 6e 55 53 31 30 38 33 0a 65 76 65 6e 74 73 3a 20 43 31 49 2c 43 32 49 2c 43 37 49 2c 43 31 53 2c 43 37 53 0a 73 74 61 74 65 66 75 6c 2d 65 76 65 6e 74 73 3a 20 43 31 49 2c 43 32 49 2c 43 37 49 0a 63 72 63 33 32 3a 20 36 30 63 63 30 34 32 32 0a Data Ascii: rlzC1: 1C1ONGR_enUS1083rlzC2: 1C2ONGR_enUS1083rlzC7: 1C7ONGR_enUS1083dcc: set_dcc: C1:1C1ONGR_enUS1083,C2:1C2ONGR_enUS1083,C7:1C7ONGR_enUS1083events: C1I,C2I,C7I,C1S,C7Sstateful-events: C1I,C2I,C7Icrc32: 60cc0422

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.16	49717	192.0.72.26	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-11-06 15:24:02 UTC	1	OUT	GET /2018/02/publication_spreadsheet_screenshot_blurred.jpg HTTP/1.1 Host: dfshultzblog.files.wordpress.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.16	49718	198.35.26.112	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-11-06 15:24:02 UTC	1	OUT	GET /wikipedia/commons/thumb/8/85/Microsoft_365_logo.png/1200px-Microsoft_365_logo.png HTTP/1.1 Host: upload.wikimedia.org Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	142.251.33.78	443	192.168.2.16	49715	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-11-06 15:24:02 UTC	2	IN	HTTP/1.1 200 OK Content-Security-Policy: script-src 'report-sample' 'nonce-scTncFfD9SbVe4tqrZ0Qew' 'unsafe-inline' 'strict-dynamic' https: http:;object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/clientupdate-aus/1 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 06 Nov 2023 15:24:02 GMT Content-Type: text/xml; charset=UTF-8 X-Daynum: 6153 X-Daystart: 26642 X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block Server: GSE Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2023-11-06 15:24:02 UTC	3	IN	Data Raw: 32 63 39 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 67 75 70 64 61 74 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 75 70 64 61 74 65 32 2f 72 65 73 70 6f 6e 73 65 22 20 70 72 6f 74 6f 63 6f 6c 3d 22 32 2e 30 22 20 73 65 72 76 65 72 3d 22 70 72 6f 64 22 3e 3c 64 61 79 73 74 61 72 74 20 65 6c 61 70 73 65 64 5f 64 61 79 73 3d 22 36 31 35 33 22 20 65 6c 61 70 73 65 64 5f 73 65 63 6f 6e 64 73 3d 22 32 36 36 34 32 22 2f 3e 3c 61 70 70 20 61 70 70 69 64 3d 22 6e 6d 6d 68 6b 6b 65 67 63 63 61 67 64 6c 64 67 69 69 6d 65 64 70 69 63 63 6d 67 6d 69 65 64 61 22 20 63 6f 68 6f 72 74 3d 22 31 3a 3a 22 20 63 6f 68 6f 72 74 6e 61 6d 65 3d 22 22 Data Ascii: 2c9<?xml version="1.0" encoding="UTF-8"?><gupdate xmlns="http://www.google.com/update2/response" protocol="2.0" server="prod"><daystart elapsed_days="6153" elapsed_seconds="26642"/><app appid="nmmhkkegccagdldgiimedpiccmgmieda" cohort="1::" cohortname=""
2023-11-06 15:24:02 UTC	3	IN	Data Raw: 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 68 61 73 68 5f 73 68 61 32 35 36 3d 22 38 31 65 33 61 34 64 34 33 61 37 33 36 39 39 65 31 62 37 37 38 31 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 70 72 6f 74 65 63 74 65 64 3d 22 30 22 20 73 69 7a 65 3d 22 32 34 38 35 33 31 22 20 73 74 61 74 75 73 3d 22 6f 6b 22 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 2e 30 2e 36 22 2f 3e 3c 2f 61 70 70 3e 3c 2f 67 75 70 64 61 74 65 3e 0d 0a Data Ascii: 723f56b8717175c536685c5450122b30789464ad82" hash_sha256="81e3a4d43a73699e1b7781723f56b8717175c536685c5450122b30789464ad82" protected="0" size="248531" status="ok" version="1.0.0.6"/></app></gupdate>
2023-11-06 15:24:02 UTC	4	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	142.251.33.109	443	192.168.2.16	49716	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-11-06 15:24:03 UTC	4	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Access-Control-Allow-Origin: https://www.google.com Access-Control-Allow-Credentials: true X-Content-Type-Options: nosniff Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 06 Nov 2023 15:24:02 GMT Strict-Transport-Security: max-age=31536000; includeSubDomains Content-Security-Policy: script-src 'report-sample' 'nonce-7IhrhGiW_cHqiP5Cfxbhkw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/IdentityListAccountsHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/IdentityListAccountsHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/IdentityListAccountsHttp/cspreport Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factor=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2023-11-06 15:24:03 UTC	5	IN	Data Raw: 31 31 0d 0a 5b 22 67 61 69 61 2e 6c 2e 61 2e 72 22 2c 5b 5d 5d 0d 0a Data Ascii: 11["gaia.l.a.r",[]]
2023-11-06 15:24:03 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.0.72.26	443	192.168.2.16	49717	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-11-06 15:24:03 UTC	5	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 06 Nov 2023 15:24:02 GMT Content-Type: image/jpeg Content-Length: 18036 Connection: close Last-Modified: Sun, 04 Feb 2018 03:55:00 GMT Expires: Thu, 30 Nov 2023 14:59:05 GMT X-Orig-Src: 01_mogdir Access-Control-Allow-Credentials: true Access-Control-Allow-Origin: https://dfshultzblog.wordpress.com Vary: Origin X-nc: HIT sea 26 np X-Content-Type-Options: nosniff Accept-Ranges: bytes
2023-11-06 15:24:03 UTC	6	IN	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 00 48 00 48 00 00 ff fe 00 13 43 72 65 61 74 65 64 20 77 69 74 68 20 47 49 4d 50 ff db 00 43 00 06 04 05 05 05 04 06 05 05 05 07 06 06 07 09 0f 0a 09 08 08 09 13 0d 0e 0b 0f 16 13 17 17 16 13 15 15 18 1b 23 1e 18 1a 21 1a 15 15 1e 29 1f 21 24 25 27 28 27 18 1d 2b 2e 2b 26 2e 23 26 27 26 ff db 00 43 01 06 07 07 09 08 09 12 0a 0a 12 26 19 15 19 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 ff c2 00 11 08 01 90 02 80 03 01 11 00 02 11 01 03 11 01 ff c4 00 1b 00 01 01 01 01 01 01 01 01 00 00 00 00 00 00 00 00 00 01 03 02 04 05 06 07 ff c4 00 1a 01 01 01 01 01 01 01 01 00 00 00 00 00 00 00 00 00 00 01 02 03 04 05 06 Data Ascii: JFIFHHCreated with GIMPC#!)!$%'('+.+&.#&'&C&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
2023-11-06 15:24:03 UTC	6	IN	Data Raw: f5 71 e3 ed f2 f9 12 69 14 e3 ae 7d bf 53 cd be f3 0e 4d cf 40 00 85 00 00 01 0a 08 78 fa 4c f5 9e e5 e6 ce 6b bc de 6c ee 5e 2c a0 87 52 ac ca bb 8a bc d9 a6 6f 16 02 93 b9 73 d4 ea 0b 13 b9 78 b3 3d 4d 73 61 d4 bc d9 4e 28 90 1d 1d e6 96 59 d4 b9 6a 44 b9 df 27 72 e5 a9 4e a2 c9 dc bc d9 c9 4e b4 27 72 e5 a9 63 e9 71 d8 10 a0 00 00 04 28 21 e7 ae 0f 41 d0 20 28 07 07 91 61 ea 38 32 3d 49 d8 00 c8 c8 ec e0 1a 19 14 e4 dc ec f3 94 86 86 a0 a0 02 14 00 66 62 72 7a 4e c8 50 01 0a 00 06 92 8a 40 00 05 00 10 a4 21 9a 74 bd 82 9c 94 a0 18 4d 7c fc f7 92 f6 41 67 d0 d7 9f 6b 00 87 24 29 01 4e 4a 43 b0 72 52 1d 14 14 02 02 80 0e 08 43 42 90 14 02 02 80 73 1e 2a a9 ed 58 78 ca 9b 2f 94 dd 3d 4a 00 87 26 07 21 0b d9 c9 e9 21 4a 01 e7 9b f9 78 f4 62 68 70 68 9f 5b Data Ascii: qi}SM@xLkl^,Rosx=MsaN(YjD'rNN'rcq(!A (a82=IfbrzNP@!tM\|Agk$)NJCrRCBs*Xx/=J&!!Jxbhph[
2023-11-06 15:24:03 UTC	8	IN	Data Raw: 07 25 00 00 00 00 a0 10 14 00 72 52 80 40 50 08 0a 01 01 40 21 0e 80 04 05 00 80 a0 10 f3 fc 9f 48 13 a4 cf e8 70 ef 53 62 14 d0 cc 1d a6 ab 0c 4e 13 a3 b5 00 63 37 84 df 71 d2 8e ae 76 d7 20 00 00 01 0a 00 21 40 00 00 00 00 00 00 04 28 00 85 00 00 00 06 3f 2f d2 04 de 78 f7 f1 eb 53 d0 9b 28 00 08 0c 0e 4a 9d a8 03 09 bf 36 77 a2 e8 0b 73 b6 b9 50 00 00 02 14 00 42 80 08 50 00 00 00 42 80 08 50 01 0a 00 00 00 0f 07 e7 fd d4 17 ae 1f 63 cb a6 f3 ec 5a 01 d0 04 07 9c e0 d5 34 50 04 28 00 e6 5e 1a 01 16 bb b8 a0 02 14 00 42 80 08 50 00 00 00 42 80 08 50 01 0a 00 00 00 0f 1e 2f b4 a7 07 87 53 aa d8 c2 38 ae cf 61 a8 21 0f 39 c9 d2 74 a0 08 50 01 84 df ca c7 7e 96 03 b4 fa 5b f3 6d 60 02 14 00 42 80 08 50 00 00 00 42 80 08 50 01 0a 00 21 40 00 d7 9d a0 e2 bc Data Ascii: %rR@P@!HpSbNc7qv !@(?/xS(J6wsPBPBPcZ4P(^BPBP/S8a!9tP~[m`BPBP!@
2023-11-06 15:24:03 UTC	9	IN	Data Raw: f2 b8 67 eb 72 9b 8b 32 9b 18 fb 21 0f e5 f9 1e 07 d5 64 7d 56 42 fe 43 3e a3 23 c7 e6 6d e3 99 8f b3 52 0d 0f f3 4c 55 34 34 1f a3 17 4d 48 43 f9 7e 57 e3 3e b5 8b f9 6d 9f 52 cf aa 67 83 ce f2 6b 31 3a 42 0c d8 c7 d9 a9 0c ff 00 1c b3 b5 23 b5 0b c8 be 79 e7 a8 bc c8 ed 42 c9 31 a4 63 11 b1 4d 91 e7 c1 66 7d 2e 22 fe 2a 3e 99 1f 4c 8f a6 47 d2 62 7d 26 27 d2 a4 7d 32 17 f1 d1 8e 38 a3 5c 49 89 ae 26 a8 f4 44 28 8b c7 f2 3c 4b 33 e9 71 3e 93 13 e9 91 f4 c8 c3 c0 90 96 22 68 bc 31 a4 6a 85 11 b1 47 05 0d 91 b2 29 ff 00 d1 22 17 3f c6 7e d6 48 5e 44 76 9d a2 f2 d3 d3 14 36 36 43 f6 b9 cb f1 9f 85 b6 bc 39 18 f8 9d c7 f1 f1 f3 61 b0 bc 0c e9 c8 f1 e0 f1 32 4c 49 91 91 91 9a b3 56 24 34 46 46 3c 59 8e 2c 69 91 9a b3 56 47 35 66 ac 8e 3c 58 93 26 46 14 a6 7e Data Ascii: gr2!d}VBC>#mRLU44MHC~W>mRgk1:B#yB1cMf}."*>LGb}&'}28\I&D(<K3q>"h1jG)"?~H^Dv66C9a2LIV$4FF<Y,iVG5f<X&F~
2023-11-06 15:24:03 UTC	10	IN	Data Raw: 94 a5 29 4a 52 94 a5 29 4a 5f 86 43 6a ec 8a 9b 58 23 ad 1a 9d 68 eb 46 8b 87 f7 5a a7 5a 16 06 a6 a6 a2 fd 7f 61 d8 76 1b 9e 88 8d 52 17 90 ec 16 43 cc ec 16 57 87 ca 44 21 08 42 10 84 21 08 42 10 84 21 08 42 10 84 21 08 42 10 84 21 08 42 10 84 21 08 42 10 84 21 08 42 10 84 21 08 42 1d 67 59 d6 68 7a 3d 0b d9 d6 75 8b 11 f8 ce b3 1c 27 0f 94 ca 52 94 cb 38 77 0b ca 76 1d 82 cc a5 29 4a 52 94 a5 29 4a 52 94 a5 29 4a 52 94 a5 29 4a 52 94 a5 29 4a 52 94 a5 29 4a 52 94 a5 29 4e c3 b0 ec 37 a6 a6 a6 2a 7d 86 42 09 10 84 21 9e 14 e8 17 8a 1d 67 58 b0 21 08 42 10 84 21 08 42 10 84 21 08 42 10 84 21 08 42 10 84 21 08 42 10 84 21 08 42 10 84 21 08 42 1a b3 56 6a c8 c4 62 53 64 5f 8b 1f 18 94 a5 29 4a 52 94 79 1d 88 ec 47 62 3b 11 ba 16 45 29 4a 52 94 a5 29 4a 52 Data Ascii: )JR)J_CjX#hFZZavRCWD!B!B!B!B!B!B!B!BgYhz=u'R8wv)JR)JR)JR)JR)JR)JR)N7*}B!gX!B!B!B!B!B!B!BVjbSd_)JRyGb;E)JR)JR
2023-11-06 15:24:03 UTC	12	IN	Data Raw: 35 0d 42 e5 c7 98 ff 00 b0 64 92 49 27 d2 e0 a1 42 85 0a fa 5e 24 a2 51 2b f8 63 f4 b9 24 92 49 ff 00 10 7f ff c4 00 26 11 00 02 01 02 05 04 03 01 01 00 00 00 00 00 00 00 00 11 01 02 14 03 12 13 21 40 04 10 31 50 20 30 60 70 80 ff da 00 08 01 02 01 01 3f 01 ff 00 7b 31 c0 e0 70 38 33 40 e0 70 38 1c 0f eb 63 81 c0 e0 cc 3f 6d 8f 89 34 93 d4 d4 5d 54 5d d4 5d d4 47 55 51 73 51 73 51 3d 55 45 dd 45 1d 55 53 26 15 4e 3e ac 7c 49 a4 b9 a8 b9 a8 ba a8 bb a8 c0 ea 26 a9 29 f1 f7 d5 26 63 31 9c ce 45 43 18 c6 3f 8d 5e 38 f8 b8 59 8b 42 cc b2 82 ca 0b 32 d0 b4 2c cb 28 29 e9 22 0a 29 51 f5 62 e1 66 2d 0b 42 ce 0b 28 30 fa 6c b2 47 df 5f c6 aa f2 97 12 5c 49 73 25 cc 94 63 cc c9 4c b8 f8 4c 3e 42 ec 84 21 76 42 17 d8 bb 21 0b 81 55 26 53 29 90 c9 26 26 1c c9 a1 26 Data Ascii: 5BdI'B^$Q+c$I&!@1P 0`p?{1p83@p8c?m4]T]]GUQsQsQ=UEEUS&N>\|I&)&c1EC?^8YB2,()")Qbf-B(0lG_\Is%cLL>B!vB!U&S)&&&
2023-11-06 15:24:03 UTC	13	IN	Data Raw: b4 ca ac 51 0f 66 b0 93 91 94 6e 49 5e 9c a0 cd 0a 5e 9b 31 61 2f 62 47 a7 02 9c 95 14 a3 e9 05 b9 22 2f a1 d8 43 44 56 3a 10 85 a4 8c 42 9e c5 dc fd 88 f6 17 31 2e 08 fa 76 13 b2 5b 05 e2 62 5e c5 ee 89 37 1a a2 23 fb 0b 32 38 f0 49 c9 9f 91 c3 93 bc ec 17 d0 78 ff 00 a2 fb 1d c7 a8 c4 5f 24 82 fb 1d 83 bf 27 d8 76 99 79 1f b0 7d 24 dc 8e dc 88 8f 2c 58 18 b0 5b 87 a5 7f 61 34 e4 ee 33 f2 76 97 c9 90 22 0d 60 c4 16 58 fe 87 68 90 7d c7 68 be a7 79 49 65 8c f4 4b e4 2d e8 ea 1b 18 b4 6a f3 ad 09 79 3e a3 ea 3b 8b 4b 2c 82 08 18 a8 a8 a8 82 08 20 82 08 2a 2a 19 41 dd c0 8f 10 c7 36 aa a5 a0 53 d1 7a e9 bb 08 d8 e6 31 19 75 d4 6e 46 61 c4 5a 6a 96 9d 12 17 a2 bd 3d 03 b6 f2 a6 55 c6 4f 42 70 ca 3f 27 0e 06 f7 82 be 08 fe 1f 81 9c e0 6f 82 fc 9d 1a 2a c3 90 Data Ascii: QfnI^^1a/bG"/CDV:B1.v[b^7#28Ix_$'vy}$,X[a43v"`Xh}hyIeK-jy>;K, *A6Sz1unFaZj=UOBp?'o
2023-11-06 15:24:03 UTC	15	IN	Data Raw: ff 00 eb cf ff 00 fd ed fb 2b f9 3f ff 00 fd f8 7f 0e 49 42 08 96 13 a2 08 a3 d8 1c 46 91 82 5b ff 00 e8 51 45 58 b6 7b 2b cf ff 00 fd ed fb 2b 6f d7 9f ff 00 fb 2b c1 f0 c2 1b b4 8f be 1d c0 62 37 1e d3 43 c5 14 35 31 6d fa f3 ff 00 ff 00 7b 7e ca db f5 e7 ff 00 fe ca db f4 fa d4 0c 9c 88 ef 23 60 6a b4 24 bb 38 14 46 34 24 92 49 20 82 08 20 42 3b 36 99 21 92 49 24 92 49 24 92 49 24 92 48 d4 92 49 24 6a 25 24 92 49 12 92 49 24 92 49 24 92 49 24 92 48 d4 92 49 24 92 fc 89 21 06 01 e8 9f b0 bc 02 45 28 e3 92 eb c4 74 81 19 19 19 19 19 19 19 19 19 19 61 cb 91 f4 19 b9 17 d8 4d 79 29 88 c8 c8 c8 c8 c8 c8 c8 c8 c8 c8 c8 c8 c8 c6 99 19 19 19 18 d3 12 64 64 64 64 62 4c 8c 8c 8c 8c 8c 8c 8c 8c 8c 8c 8c 8c 8c 8c 69 91 91 91 91 91 94 41 22 60 fd 03 a0 73 1a bd 1f Data Ascii: +?IBF[QEX{++o+b7C51m{~#`j$8F4$I B;6!I$I$I$HI$j%$II$I$I$HI$!E(taMy)ddddbLiA"`s
2023-11-06 15:24:03 UTC	28	IN	Data Raw: b7 ba 48 24 92 01 24 0d b6 5c 92 c4 93 22 49 04 92 09 20 23 c1 28 92 48 00 0c 00 00 00 13 52 98 00 04 92 00 00 c8 40 98 01 88 f7 86 db 00 02 40 04 39 45 2c 82 48 20 8e 49 24 92 6d fb 56 48 17 ed b9 24 e6 d3 a4 90 4e df 6a 12 64 90 09 21 92 00 60 92 48 00 0c 00 00 00 40 00 90 01 12 e4 80 00 80 01 03 6e 00 00 2f 00 e0 02 40 01 80 59 24 10 49 24 dc 00 00 00 08 00 90 01 00 00 00 00 10 00 95 b7 40 00 00 00 20 02 40 04 8b 19 4c 02 49 20 4c 00 00 00 08 00 80 01 00 00 00 00 10 01 8a 49 e0 00 00 00 20 00 40 04 b6 04 0c 80 49 04 7e 49 00 92 65 fb de 48 24 92 01 24 82 49 1f fd b9 20 12 49 04 92 09 20 f7 43 68 80 48 12 9c 00 04 00 4f 38 4e 01 00 00 08 00 10 00 20 02 00 04 80 00 20 00 40 04 59 02 4c 02 c9 04 8e 49 24 92 42 49 32 49 24 92 49 24 92 48 04 90 49 24 92 49 Data Ascii: H$$\"I #(HR@@9E,H I$mVH$Njd!`H@n/@Y$I$@ @LI LI @I~IeH$$I I ChHO8N @YLI$BI2I$I$HI$I
2023-11-06 15:24:03 UTC	30	IN	Data Raw: 13 97 5f 98 96 8e 27 3f 3b 7a 41 05 a1 17 44 10 41 04 7a 10 54 54 3e c7 3e bf 31 32 94 a8 7d 8e 7d 34 10 b4 2e 46 d8 a5 45 45 58 42 10 84 f1 d1 45 0d 68 6e f5 e1 8d 94 50 dd 8d dd 2d e1 4a 51 3d 2d 78 c1 02 ca 28 ac 10 49 24 89 4b c4 b9 f4 ed 69 04 ba b1 c6 8a 28 a7 89 7b 66 e1 59 b9 b9 b8 db 1a f7 17 ae 43 73 73 73 71 d1 5f 56 8a 28 6a 43 db af 41 1a c2 87 23 53 ab 08 42 10 9d 59 27 02 5a 1e be bb c6 24 20 82 44 0d 5f af a2 8a 2b b3 4a 56 52 ff 00 65 d9 65 96 59 65 96 37 fc 3f 31 14 22 20 81 a8 c0 b1 49 23 9f 62 32 8a 28 8f d5 27 04 c5 14 59 45 14 58 d9 8f 7e ba d6 25 20 82 04 c1 37 f5 f0 84 27 61 a1 65 94 50 dd 8d df 5f 04 10 2d 21 23 fc 7f ba 1a be 95 f4 84 d0 fd a5 96 59 34 24 7d 29 e9 8b 0f db 80 96 87 af ae 95 28 b2 cb 1b 21 a9 eb ec a2 8a ec 73 12 Data Ascii: _'?;zADAzTT>>12}}4.FEEXBEhnP-JQ=-x(I$Ki({fYCsssq_V(jCA#SBY'Z$ D_+JVReeYe7?1" I#b2('YEX~% 7'aeP_-!#Y4$})(!s
2023-11-06 15:24:03 UTC	31	IN	Data Raw: 58 be d3 a3 1e d1 34 d0 c6 a1 58 ec a5 0b 88 f0 33 89 70 cc 91 1d 1d c4 72 e4 ba 42 5c 92 a1 8b 01 08 0d da a1 74 40 b9 21 da 20 1c 07 a8 84 21 08 42 10 84 21 08 42 10 84 21 08 42 10 82 18 d0 92 24 21 63 42 4e c1 09 4f 84 8a a0 a4 8d 08 48 8b c8 5c 58 8b 24 5d d8 21 30 21 23 1b 76 09 1e 04 a7 60 b4 88 62 b9 a1 4b 10 f2 26 4c 80 21 3c c4 a8 9a 19 16 4b d7 70 44 4f 44 a4 63 fa 90 8a 91 3a 42 44 a0 b3 a7 81 5c c5 91 22 18 2d 45 73 42 dc 21 0b 1a 38 14 51 41 b6 a1 5a 43 5a 86 00 11 8c 3c a9 09 54 10 89 21 4a 52 94 a5 29 4a 52 94 a5 29 4a 52 94 a5 29 7f e0 d4 55 15 44 34 09 fe 7f ce 08 82 1b 44 93 6f d6 0b 67 d6 89 fd 82 21 7d 48 ad 9f 13 40 fb d1 b9 1b 11 b9 1b 90 9f fe 10 44 2f f2 22 08 ad bf 35 59 59 58 cc 67 0a ca ca c4 65 0e de 45 65 65 65 74 62 43 c1 8a Data Ascii: X4X3prB\t@! !B!B!B$!cBNOH\X$]!0!#v`bK&L!<KpDODc:BD\"-EsB!8QAZCZ<T!JR)JR)JR)UD4Dog!}H@D/"5YYXgeEeeetbC
2023-11-06 15:24:03 UTC	32	IN	Data Raw: b6 27 48 be cb ec be cc 31 8d bc af 84 a1 c7 c2 83 b0 49 88 be cb ec be c6 f3 91 35 2f b2 fb 2f b2 fb 1b de 44 fd 97 d9 7d 97 d8 df b1 77 17 d9 7d 97 d9 da 1b d9 7d 97 d9 7d 8d e7 23 7b 2f b2 fb 2f b2 fb 2e f2 5f 65 f6 5f 65 f6 37 bc 89 fb 2f b2 fb 2f b1 bd 89 fb 2f b2 fb 2f b1 8d 43 50 d4 35 07 1e b2 2a f9 41 cf 86 36 89 1c 33 0b 91 62 47 f0 0d 28 d9 93 21 82 33 e2 63 0f 22 36 b2 46 46 46 46 55 28 8c 8c 8c c7 92 5e 4d 86 c3 61 6f 26 68 8c 8c 8c 69 89 a9 19 19 19 19 54 a2 32 32 31 82 4c 8c 8c 8c 46 23 23 23 23 1b 41 19 19 19 19 45 52 32 32 32 31 b5 12 64 64 64 63 06 11 91 91 8d a0 d5 15 8a ed 66 d2 8c b3 88 c3 68 1a 96 87 20 85 51 8c 22 10 83 46 c4 96 46 47 05 71 3e c8 01 93 ea 01 0f 68 73 55 19 e6 6c 36 0d 6b 58 d2 5f a0 0c 17 d4 00 c9 f6 00 0b e8 aa fe Data Ascii: 'H1I5//D}w}}}#{//._e_e7////CP5*A63bG(!3c"6FFFFU(^Mao&hiT221LF####AER2221dddcfh Q"FFGq>hsUl6kX_
2023-11-06 15:24:03 UTC	34	IN	Data Raw: 46 47 48 c8 c8 c8 c6 98 93 23 23 23 20 d0 71 89 93 0d 31 9d 79 2e c3 57 92 87 5c e4 d9 8c 1a 19 b2 d0 c5 01 34 0a 7c a8 47 cc 27 a8 51 6a 86 3b 31 d9 8e c4 b6 2c 10 b1 0b 90 f7 27 a4 f4 9e 93 d2 65 3d 27 a4 f4 9e 91 3e 84 bb a2 76 27 62 76 1f 61 a6 7a 4f 49 e9 1e 91 57 c1 e9 3d 27 a4 f4 99 7c 1e 93 d2 7a 4f 49 a2 2d 27 a4 f4 9e 93 44 d1 3d 27 a4 f4 8f 48 ab e0 f4 9e 93 d2 7a 4c be 0f 49 e9 3d 27 a4 75 f0 2d 27 a4 f4 9e 91 34 70 6f 56 90 9f 09 1a d1 ad 11 f0 8c dc 0d 61 ed 48 32 b8 3d af 82 b1 48 23 26 17 50 44 c8 70 e1 8e 92 31 69 46 42 66 01 19 c0 96 f0 35 70 5f 65 f6 5f 65 f6 5d e4 be cb ec be cb ec 7e 69 8d ab 22 8c d3 73 37 31 c7 cb 18 e4 5f 65 f6 5f 63 7e c4 f7 92 fb 2f b2 fb 2f b2 ef 25 f6 5f 65 f6 5f 63 7e c4 fd 97 d9 7d 97 d8 de c6 f6 5f 65 f6 5f Data Ascii: FGH### q1y.W\4\|G'Qj;1,'e='>v'bvazOIW='\|zOI-'D='HzLI='u-'4poVaH2=H#&PDp1iFBf5p_e_e]~i"s71_e_c~//%_e_c~}_e_
2023-11-06 15:24:03 UTC	35	IN	Data Raw: b2 42 c8 db 0b 98 38 ed 51 d0 5c 70 7f 0f e1 fc 2e 47 e0 3c 86 4e 7e 3f c3 f8 7f 0f e1 e7 81 1f c3 f8 7f 06 75 07 9a 34 23 55 b3 00 df 11 a5 54 80 cf e1 fc 3f 83 e0 e4 7f 0f e1 fc 3f 85 c9 fc 3f 87 f0 fe 0f 91 70 7f 0f e1 fc f9 3f 87 f0 fe 0f 81 b2 7f 0f e1 fc 3f 87 93 f8 7f 0f e1 fc 1f 22 3f 87 f0 fe 1e 87 a1 fc 3f 87 f0 66 2c 18 30 73 c3 3a 31 62 db 11 29 b2 9e 04 92 f0 60 c1 83 06 06 f0 f8 a5 fc 70 60 c1 83 14 50 c1 83 05 14 90 e3 31 a4 63 83 15 b8 62 a8 da 63 10 86 0c 18 1c 87 23 06 0c 18 31 4c 18 30 60 72 8a 43 06 0c 10 41 83 06 07 21 14 c1 83 06 0f 26 0c 18 30 3e 45 0c 18 30 41 06 0c 18 1c 19 4f 33 06 0e 58 32 34 44 56 10 ea 26 9c 1a ad e4 c1 83 06 0c 18 1b c0 72 48 b6 6e 60 c1 83 06 28 a1 83 06 0e 60 5d 48 d4 86 df 03 48 8e 52 42 a4 a2 30 60 c0 e4 Data Ascii: B8Q\p.G<N~?u4#UT???p??"??f,0s:1b)`p`P1cbc#1L0`rCA!&0>E0AO3X24DV&rHn`(`]HHRB0`

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	198.35.26.112	443	192.168.2.16	49718	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-11-06 15:24:03 UTC	16	IN	HTTP/1.1 200 OK date: Mon, 06 Nov 2023 14:42:06 GMT content-type: image/webp content-length: 11832 content-disposition: inline;filename=UTF-8''Microsoft_365_logo.png.webp last-modified: Tue, 31 Oct 2023 23:03:57 GMT etag: 094a88c4bf3ccd448a7f621913ea67c1 server: ATS/9.1.4 age: 2516 x-cache: cp4051 hit, cp4051 hit/3013 x-cache-status: hit-front server-timing: cache;desc="hit-front", host;desc="cp4051" strict-transport-security: max-age=106384710; includeSubDomains; preload report-to: { "group": "wm_nel", "max_age": 604800, "endpoints": [{ "url": "https://intake-logging.wikimedia.org/v1/events?stream=w3c.reportingapi.network_error&schema_uri=/w3c/reportingapi/network_error/1.0.0" }] } nel: { "report_to": "wm_nel", "max_age": 604800, "failure_fraction": 0.05, "success_fraction": 0.0} x-client-ip: 156.146.49.168 x-content-type-options: nosniff access-control-allow-origin: access-control-expose-headers: Age, Date, Content-Length, Content-Range, X-Content-Duration, X-Cache timing-allow-origin: * accept-ranges: bytes connection: close
2023-11-06 15:24:03 UTC	17	IN	Data Raw: 52 49 46 46 30 2e 00 00 57 45 42 50 56 50 38 4c 23 2e 00 00 2f af 44 31 10 35 8b e3 b6 91 1c 89 ca 3f ec b1 7b f6 1b 11 13 e0 37 ae d0 74 d1 59 35 69 a4 29 75 42 11 3b 17 1b 37 5a ca 95 6a d2 b6 b6 55 44 23 ca c5 34 85 46 8b c3 99 4e 8f cc a0 22 29 1b 2a eb 89 27 1c 78 86 46 85 6b a6 55 d0 31 2a 3a 3e 6a aa ed 33 b5 e5 81 7f 14 56 40 49 92 1a 8b 25 b2 4c 54 f9 9b bf c7 7d 34 8a 50 84 45 a4 e2 2d 5e a2 23 e2 6e 0f 71 21 10 20 ee 54 a8 f3 e2 4b 48 40 bc 23 78 6f 11 dc 00 00 08 36 b1 6d 27 53 36 3b 93 6d db e6 64 b6 87 74 b2 f9 4e c7 76 b2 cd 09 f0 7f fe ff bf 29 fe ff ed ff 7c fb ff 7f da 99 e3 7e bd df ee f7 a3 39 5a af 2f 57 19 49 d6 58 23 c9 3a 24 c9 58 23 59 eb 2e 63 65 3c 8c 95 e4 90 b1 32 d6 48 92 b1 92 24 23 2b 19 49 92 1c 32 92 ac b1 92 1c 56 b2 92 Data Ascii: RIFF0.WEBPVP8L#./D15?{7tY5i)uB;7ZjUD#4FN")'xFkU1:>j3V@I%LT}4PE-^#nq! TKH@#xo6m'S6;mdtNv)\|~9Z/WIX#:$X#Y.ce<2H$#+I2V

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.16	49723	192.0.72.26	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-11-06 15:24:03 UTC	36	OUT	GET /2018/02/publication_spreadsheet_screenshot_blurred.jpg HTTP/1.1 Host: dfshultzblog.files.wordpress.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: / Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.16	49722	198.35.26.112	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-11-06 15:24:03 UTC	36	OUT	GET /wikipedia/commons/thumb/8/85/Microsoft_365_logo.png/1200px-Microsoft_365_logo.png HTTP/1.1 Host: upload.wikimedia.org Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: / Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9

Statistics

CPU Usage

• chrome.exe
• chrome.exe

Click to jump to process

Memory Usage

• chrome.exe
• chrome.exe

Click to jump to process

Click to jump to process

Target ID:	0
Start time:	16:24:00
Start date:	06/11/2023
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\Desktop\Remittance Advice B9623.HTML
Imagebase:	0x7ff71e7f0000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	16:24:00
Start date:	06/11/2023
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1880 --field-trial-handle=2072,i,13270799758387245985,6612383874584642118,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff71e7f0000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Source: Yara match	File source: Remittance Advice B9623.HTML, type: SAMPLE
Source: Yara match	File source: 0.0.pages.csv, type: HTML

Source: Remittance Advice B9623.HTML	HTTP Parser: Number of links: 0
Source: file:///C:/Users/user/Desktop/Remittance%20Advice%20B9623.HTML	HTTP Parser: Number of links: 0

Source: Remittance Advice B9623.HTML	HTTP Parser: Title: Login Page does not match URL
Source: file:///C:/Users/user/Desktop/Remittance%20Advice%20B9623.HTML	HTTP Parser: Title: Login Page does not match URL

Source: Remittance Advice B9623.HTML	HTTP Parser: Form action: https://mx.azizrajelvivaaxraf.shop/app/8b1fbe0.php
Source: file:///C:/Users/user/Desktop/Remittance%20Advice%20B9623.HTML	HTTP Parser: Form action: https://mx.azizrajelvivaaxraf.shop/app/8b1fbe0.php

Source: Remittance Advice B9623.HTML	HTTP Parser: <input type="password" .../> found
Source: file:///C:/Users/user/Desktop/Remittance%20Advice%20B9623.HTML	HTTP Parser: <input type="password" .../> found

Source: Remittance Advice B9623.HTML	HTTP Parser: No <meta name="author".. found
Source: file:///C:/Users/user/Desktop/Remittance%20Advice%20B9623.HTML	HTTP Parser: No <meta name="author".. found

Source: Remittance Advice B9623.HTML	HTTP Parser: No favicon
Source: file:///C:/Users/user/Desktop/Remittance%20Advice%20B9623.HTML	HTTP Parser: No favicon

Source: Remittance Advice B9623.HTML	HTTP Parser: No <meta name="copyright".. found
Source: file:///C:/Users/user/Desktop/Remittance%20Advice%20B9623.HTML	HTTP Parser: No <meta name="copyright".. found

Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250
Source: Joe Sandbox View	IP Address: 198.35.26.112 198.35.26.112

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 72.21.81.240
Source: unknown	TCP traffic detected without corresponding DNS query: 72.21.81.240
Source: unknown	TCP traffic detected without corresponding DNS query: 72.21.81.240
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 72.21.81.240
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: Remittance Advice B9623.HTML	String found in binary or memory: https://dfshultzblog.files.wordpress.com/2018/02/publication_spreadsheet_screenshot_blurred.jpg
Source: Remittance Advice B9623.HTML	String found in binary or memory: https://mx.azizrajelvivaaxraf.shop/app/8b1fbe0.php
Source: Remittance Advice B9623.HTML	String found in binary or memory: https://upload.wikimedia.org/wikipedia/commons/thumb/8/85/Microsoft_365_logo.png/1200px-Microsoft_36

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Remittance Advice B9623.HTML

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

HTML

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Phishing

Compliance

Networking

System Summary

Boot Survival

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Chrome Cache Entry: 68

Chrome Cache Entry: 69

Chrome Cache Entry: 70

Chrome Cache Entry: 71

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Connections

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Windows Analysis Report
Remittance Advice B9623.HTML