Create Interactive Tour

Windows Analysis Report
https://ftps.phishing.guru/XTUdORk5XcG5XbXhGWmxwR1ZXeHZkRWhzYTNCYVRrMURMMGhEZERSV2R6TXJaMVpISzBkR1NtMTFiV040WlhCWWJVMVhTa2RzUW5rMWFWTk1WbVJTZVVkbFdHNXdWVmhOY0doVU5WQjJlR0paVjJweFJFOXJZMWt3ZWxaNlJVWnBMMGRwZW1ocVIzaEZibWhVUWpsaFExUTBkblEzVFM5cFEwRktTVVIwT1RFdExYTlRkRXRSWnpaamNUUklVR2hwYmtveEwzRmFXSGM5

Overview

General Information

Sample URL:	https://ftps.phishing.guru/XTUdORk5XcG5XbXhGWmxwR1ZXeHZkRWhzYTNCYVRrMURMMGhEZERSV2R6TXJaMVpISzBkR1NtMTFiV040WlhCWWJVMVhTa2RzUW5rMWFWTk1WbVJTZVVkbFdHNXdWVmhOY0doVU5WQjJlR0paVjJweFJFOXJZMWt3ZWxaNlJVWnBM
Analysis ID:	1342230
Infos:

Detection

Score:	0
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Creates files inside the system directory

Classification

Process Tree

System is w10x64

chrome.exe (PID: 6116 cmdline: C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 7036 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2580 --field-trial-handle=2540,i,14340149038064431546,5564073637357537251,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 5916 cmdline: C:\Program Files\Google\Chrome\Application\chrome.exe" "https://ftps.phishing.guru/XTUdORk5XcG5XbXhGWmxwR1ZXeHZkRWhzYTNCYVRrMURMMGhEZERSV2R6TXJaMVpISzBkR1NtMTFiV040WlhCWWJVMVhTa2RzUW5rMWFWTk1WbVJTZVVkbFdHNXdWVmhOY0doVU5WQjJlR0paVjJweFJFOXJZMWt3ZWxaNlJVWnBMMGRwZW1ocVIzaEZibWhVUWpsaFExUTBkblEzVFM5cFEwRktTVVIwT1RFdExYTlRkRXRSWnpaamNUUklVR2hwYmtveEwzRmFXSGM5UFE9PS0tMTU4NjM4NjZjODMxOTg2ZGNhYzkyN2VhNTQwOTdkOTcxMzFhMjdiOA==?cid=208072639 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

mspaint.exe (PID: 6620 cmdline: mspaint.exe "C:\Users\user\Desktop\" MD5: 986A191E95952C9E3FE6BE112FB92026)

cleanup

HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=511=nNadqW9uTcY0OP6I3afnr71o6EzaYLsdpW4UEYN3vYq_rbRrNFxM1jozPGuhjORBZKKMz2tdDpVe7dNuTWp4CyK-zt5Is6wVElveWAfKQgwNJiKKtXHCCCmrlgzZTl5CiKjTeA2iQqf6zlRK2h8wg1hVpIsWsaKqaWJyHMPF3JA

Source: unknown	HTTPS traffic detected: 173.222.228.121:443 -> 192.168.2.7:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 173.222.228.121:443 -> 192.168.2.7:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.7:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.7:49722 version: TLS 1.2

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Windows\SystemTemp\chrome_BITS_6116_961294957

Jump to behavior

Source: C:\Windows\SysWOW64\mspaint.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: classification engine

Classification label: clean0.win@18/4@8/6

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2580 --field-trial-handle=2540,i,14340149038064431546,5564073637357537251,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" "https://ftps.phishing.guru/XTUdORk5XcG5XbXhGWmxwR1ZXeHZkRWhzYTNCYVRrMURMMGhEZERSV2R6TXJaMVpISzBkR1NtMTFiV040WlhCWWJVMVhTa2RzUW5rMWFWTk1WbVJTZVVkbFdHNXdWVmhOY0doVU5WQjJlR0paVjJweFJFOXJZMWt3ZWxaNlJVWnBMMGRwZW1ocVIzaEZibWhVUWpsaFExUTBkblEzVFM5cFEwRktTVVIwT1RFdExYTlRkRXRSWnpaamNUUklVR2hwYmtveEwzRmFXSGM5UFE9PS0tMTU4NjM4NjZjODMxOTg2ZGNhYzkyN2VhNTQwOTdkOTcxMzFhMjdiOA==?cid=208072639
Source: unknown	Process created: C:\Windows\SysWOW64\mspaint.exe mspaint.exe "C:\Users\user\Desktop\"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2580 --field-trial-handle=2540,i,14340149038064431546,5564073637357537251,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\Downloads\74c3e23c-8f4f-4a91-8bc2-4a81b270d9df.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\mspaint.exe

File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\mspaint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mspaint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mspaint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mspaint.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\mspaint.exe

Process information queried: ProcessInformation

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	11 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Process Injection	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	3 Non-Application Layer Protocol	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	4 Application Layer Protocol			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	1 Ingress Tool Transfer			Data Destruction	Virtual Private Server	Employee Names

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
https://ftps.phishing.guru/XTUdORk5XcG5XbXhGWmxwR1ZXeHZkRWhzYTNCYVRrMURMMGhEZERSV2R6TXJaMVpISzBkR1NtMTFiV040WlhCWWJVMVhTa2RzUW5rMWFWTk1WbVJTZVVkbFdHNXdWVmhOY0doVU5WQjJlR0paVjJweFJFOXJZMWt3ZWxaNlJVWnBMMGRwZW1ocVIzaEZibWhVUWpsaFExUTBkblEzVFM5cFEwRktTVVIwT1RFdExYTlRkRXRSWnpaamNUUklVR2hwYmtveEwzRmFXSGM5UFE9PS0tMTU4NjM4NjZjODMxOTg2ZGNhYzkyN2VhNTQwOTdkOTcxMzFhMjdiOA==?cid=208072639	0%	Avira URL Cloud	safe

Name	IP	Active	Malicious	Reputation
landing.eu.knowbe4.com	54.77.60.91	true	false	high
accounts.google.com	142.250.217.77	true	false	high
www.google.com	142.251.215.228	true	false	high
clients.l.google.com	142.251.215.238	true	false	high
clients2.google.com	unknown	unknown	false	high
ftps.phishing.guru	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Reputation
https://ftps.phishing.guru/XTUdORk5XcG5XbXhGWmxwR1ZXeHZkRWhzYTNCYVRrMURMMGhEZERSV2R6TXJaMVpISzBkR1NtMTFiV040WlhCWWJVMVhTa2RzUW5rMWFWTk1WbVJTZVVkbFdHNXdWVmhOY0doVU5WQjJlR0paVjJweFJFOXJZMWt3ZWxaNlJVWnBMMGRwZW1ocVIzaEZibWhVUWpsaFExUTBkblEzVFM5cFEwRktTVVIwT1RFdExYTlRkRXRSWnpaamNUUklVR2hwYmtveEwzRmFXSGM5UFE9PS0tMTU4NjM4NjZjODMxOTg2ZGNhYzkyN2VhNTQwOTdkOTcxMzFhMjdiOA==?cid=208072639	false	unknown
https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=117.0.5938.134&lang=en-US&acceptformat=crx3,puff&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26brand%3DONGR%26ping%3Dr%253D-1%2526e%253D1	false	high
https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.251.215.228	www.google.com	United States	15169	GOOGLEUS	false
142.251.215.238	clients.l.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.217.77	accounts.google.com	United States	15169	GOOGLEUS	false
54.77.60.91	landing.eu.knowbe4.com	United States	16509	AMAZON-02US	false

Private

IP
192.168.2.7

General Information

Joe Sandbox Version:	38.0.0 Ammolite
Analysis ID:	1342230
Start date and time:	2023-11-14 11:16:36 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 3m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	https://ftps.phishing.guru/XTUdORk5XcG5XbXhGWmxwR1ZXeHZkRWhzYTNCYVRrMURMMGhEZERSV2R6TXJaMVpISzBkR1NtMTFiV040WlhCWWJVMVhTa2RzUW5rMWFWTk1WbVJTZVVkbFdHNXdWVmhOY0doVU5WQjJlR0paVjJweFJFOXJZMWt3ZWxaNlJVWnBMMGRwZW1ocVIzaEZibWhVUWpsaFExUTBkblEzVFM5cFEwRktTVVIwT1RFdExYTlRkRXRSWnpaamNUUklVR2hwYmtveEwzRmFXSGM5UFE9PS0tMTU4NjM4NjZjODMxOTg2ZGNhYzkyN2VhNTQwOTdkOTcxMzFhMjdiOA==?cid=208072639
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean0.win@18/4@8/6
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.217.67, 34.104.35.123, 69.164.40.8, 192.229.211.108, 23.32.75.16, 8.240.115.126, 142.251.211.227
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, edgedl.me.gvt1.com, slscr.update.microsoft.com, update.googleapis.com, ctldl.windowsupdate.com, clientservices.googleapis.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	GIF image data, version 89a, 1 x 1
Category:	dropped
Size (bytes):	43
Entropy (8bit):	2.7374910194847146
Encrypted:	false
SSDEEP:	3:CUnl/7yltxlHh/:/+/
MD5:	07FFF40B5DD495ACA2AC4E1C3FBC60AA
SHA1:	E8AC224BA9EE97E87670ED6F3A2F0128B7AF9FE4
SHA-256:	A065920DF8CC4016D67C3A464BE90099C9D28FFE7C9E6EE3A18F257EFC58CBD7
SHA-512:	49B8DAF1F5BA868BC8C6B224C787A75025CA36513EF8633D1D8F34E48EE0B578F466FCC104A7BED553404DDC5F9FAFF3FEF5F894B31CD57F32245E550FAD656A
Malicious:	false
Reputation:	low
Preview:	GIF89a.............!.......,...........D..;

C:\Users\user\Downloads\74c3e23c-8f4f-4a91-8bc2-4a81b270d9df.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	GIF image data, version 89a, 1 x 1
Category:	dropped
Size (bytes):	43
Entropy (8bit):	2.7374910194847146
Encrypted:	false
SSDEEP:	3:CUnl/7yltxlHh/:/+/
MD5:	07FFF40B5DD495ACA2AC4E1C3FBC60AA
SHA1:	E8AC224BA9EE97E87670ED6F3A2F0128B7AF9FE4
SHA-256:	A065920DF8CC4016D67C3A464BE90099C9D28FFE7C9E6EE3A18F257EFC58CBD7
SHA-512:	49B8DAF1F5BA868BC8C6B224C787A75025CA36513EF8633D1D8F34E48EE0B578F466FCC104A7BED553404DDC5F9FAFF3FEF5F894B31CD57F32245E550FAD656A
Malicious:	false
Reputation:	low
Preview:	GIF89a.............!.......,...........D..;

C:\Windows\debug\WIA\wiatrace.log

Download File

Process:	C:\Windows\SysWOW64\mspaint.exe
File Type:	ASCII text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	1526
Entropy (8bit):	5.289898015181619
Encrypted:	false
SSDEEP:	24:0uARWF02k9YXC5F0qIF0HXd/bXE34LXd/TzJgNYxeesIF0HXd/bXE34LXd/TzJg+:0uwWSmXqSnS3RzE34jRTzc0VS3RzE34l
MD5:	405C6198266A8B014C974ECE59C1CCAD
SHA1:	490941A7A142956F4EAE8811EF05F53D3F90CD1F
SHA-256:	A2A81F9B84D0724961CB118364144A741692ACFF8398C748E84CCB0847D0E682
SHA-512:	7D6AF357946BBCAFC4C18C8800189C8A9BFC1B69AF13A6D82292CF0551AB7155DE7E80B6BB3C301FF3D046E53A2EA84F0F1571C103350DFEEA6A4DA3A159FDA7
Malicious:	false
Reputation:	low
Preview:	..************** Started trace for Module: [sti.dll] in Executable [mspaint.exe] ProcessID: [6620] at 2023/11/14 12:29:58:470 *************..WIA: 6620.5992 16 0 0 [sti.dll] AsyncRPCEventTransport::OpenConnectionToServer, AsyncRPC Connection established to server..WIA: 6620.5992 32 0 0 [sti.dll] AsyncRPCEventTransport::OpenConnectionToServer, Got my context 031A4580 from server...WIA: 6620.5992 32 0 0 [sti.dll] WiaEventReceiver::Start, WiaEventReceiver Started.....WIA: 6620.5992 32 0 0 [sti.dll] AsyncRPCEventTransport::SendRegisterUnregisterInfo, Sent RPC Register/Unregister information...WIA: 6620.5992 32 0 0 [sti.dll] WiaEventReceiver::SendRegisterUnregisterInfo, Added new registration:..WIA: 6620.5992 32 0 0 [sti.dll] EventRegistrationInfo::Dump, dwFlags: 0x00000000, guidEvent: {A28BBADE-64B6-11D2-A231-00C04FA31809}, bstrDeviceID: , callback: 0x04E27E40..WIA: 6620.5992 32 0 0 [sti.dll] AsyncRPCEventTransport::SendRegisterUnregisterInfo, Sent RPC Register/Unregister information.

Chrome Cache Entry: 49

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	GIF image data, version 89a, 1 x 1
Category:	downloaded
Size (bytes):	43
Entropy (8bit):	2.7374910194847146
Encrypted:	false
SSDEEP:	3:CUnl/7yltxlHh/:/+/
MD5:	07FFF40B5DD495ACA2AC4E1C3FBC60AA
SHA1:	E8AC224BA9EE97E87670ED6F3A2F0128B7AF9FE4
SHA-256:	A065920DF8CC4016D67C3A464BE90099C9D28FFE7C9E6EE3A18F257EFC58CBD7
SHA-512:	49B8DAF1F5BA868BC8C6B224C787A75025CA36513EF8633D1D8F34E48EE0B578F466FCC104A7BED553404DDC5F9FAFF3FEF5F894B31CD57F32245E550FAD656A
Malicious:	false
Reputation:	low
URL:	https://ftps.phishing.guru/XTUdORk5XcG5XbXhGWmxwR1ZXeHZkRWhzYTNCYVRrMURMMGhEZERSV2R6TXJaMVpISzBkR1NtMTFiV040WlhCWWJVMVhTa2RzUW5rMWFWTk1WbVJTZVVkbFdHNXdWVmhOY0doVU5WQjJlR0paVjJweFJFOXJZMWt3ZWxaNlJVWnBMMGRwZW1ocVIzaEZibWhVUWpsaFExUTBkblEzVFM5cFEwRktTVVIwT1RFdExYTlRkRXRSWnpaamNUUklVR2hwYmtveEwzRmFXSGM5UFE9PS0tMTU4NjM4NjZjODMxOTg2ZGNhYzkyN2VhNTQwOTdkOTcxMzFhMjdiOA==?cid=208072639
Preview:	GIF89a.............!.......,...........D..;

Total Packets: 137
• 443 (HTTPS)
• 123 undefined
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 14, 2023 11:17:30.214349031 CET	49671	443	192.168.2.7	204.79.197.203
Nov 14, 2023 11:17:33.401680946 CET	49674	443	192.168.2.7	104.98.116.138
Nov 14, 2023 11:17:33.417249918 CET	49675	443	192.168.2.7	104.98.116.138
Nov 14, 2023 11:17:33.526598930 CET	49672	443	192.168.2.7	104.98.116.138
Nov 14, 2023 11:17:34.230809927 CET	49677	443	192.168.2.7	20.50.201.200
Nov 14, 2023 11:17:34.604727030 CET	49677	443	192.168.2.7	20.50.201.200
Nov 14, 2023 11:17:35.026638031 CET	49671	443	192.168.2.7	204.79.197.203
Nov 14, 2023 11:17:35.354729891 CET	49677	443	192.168.2.7	20.50.201.200
Nov 14, 2023 11:17:36.854726076 CET	49677	443	192.168.2.7	20.50.201.200
Nov 14, 2023 11:17:37.670511007 CET	49703	443	192.168.2.7	142.250.217.77
Nov 14, 2023 11:17:37.670556068 CET	443	49703	142.250.217.77	192.168.2.7
Nov 14, 2023 11:17:37.670618057 CET	49703	443	192.168.2.7	142.250.217.77
Nov 14, 2023 11:17:37.671144962 CET	49704	443	192.168.2.7	142.251.215.238
Nov 14, 2023 11:17:37.671163082 CET	443	49704	142.251.215.238	192.168.2.7
Nov 14, 2023 11:17:37.671217918 CET	49704	443	192.168.2.7	142.251.215.238
Nov 14, 2023 11:17:37.672677040 CET	49704	443	192.168.2.7	142.251.215.238
Nov 14, 2023 11:17:37.672712088 CET	443	49704	142.251.215.238	192.168.2.7
Nov 14, 2023 11:17:37.672879934 CET	49703	443	192.168.2.7	142.250.217.77
Nov 14, 2023 11:17:37.672904968 CET	443	49703	142.250.217.77	192.168.2.7
Nov 14, 2023 11:17:38.014954090 CET	443	49703	142.250.217.77	192.168.2.7
Nov 14, 2023 11:17:38.015193939 CET	49703	443	192.168.2.7	142.250.217.77
Nov 14, 2023 11:17:38.015221119 CET	443	49703	142.250.217.77	192.168.2.7
Nov 14, 2023 11:17:38.016680002 CET	443	49703	142.250.217.77	192.168.2.7
Nov 14, 2023 11:17:38.016745090 CET	49703	443	192.168.2.7	142.250.217.77
Nov 14, 2023 11:17:38.017843008 CET	49703	443	192.168.2.7	142.250.217.77
Nov 14, 2023 11:17:38.017916918 CET	443	49703	142.250.217.77	192.168.2.7
Nov 14, 2023 11:17:38.018029928 CET	49703	443	192.168.2.7	142.250.217.77
Nov 14, 2023 11:17:38.018038034 CET	443	49703	142.250.217.77	192.168.2.7
Nov 14, 2023 11:17:38.020745039 CET	443	49704	142.251.215.238	192.168.2.7
Nov 14, 2023 11:17:38.020948887 CET	49704	443	192.168.2.7	142.251.215.238
Nov 14, 2023 11:17:38.020958900 CET	443	49704	142.251.215.238	192.168.2.7
Nov 14, 2023 11:17:38.021506071 CET	443	49704	142.251.215.238	192.168.2.7
Nov 14, 2023 11:17:38.021570921 CET	49704	443	192.168.2.7	142.251.215.238
Nov 14, 2023 11:17:38.022501945 CET	443	49704	142.251.215.238	192.168.2.7
Nov 14, 2023 11:17:38.022557974 CET	49704	443	192.168.2.7	142.251.215.238
Nov 14, 2023 11:17:38.023334980 CET	49704	443	192.168.2.7	142.251.215.238
Nov 14, 2023 11:17:38.023427010 CET	443	49704	142.251.215.238	192.168.2.7
Nov 14, 2023 11:17:38.023585081 CET	49704	443	192.168.2.7	142.251.215.238
Nov 14, 2023 11:17:38.023591995 CET	443	49704	142.251.215.238	192.168.2.7
Nov 14, 2023 11:17:38.156068087 CET	49703	443	192.168.2.7	142.250.217.77
Nov 14, 2023 11:17:38.156086922 CET	49704	443	192.168.2.7	142.251.215.238
Nov 14, 2023 11:17:38.333827972 CET	443	49703	142.250.217.77	192.168.2.7
Nov 14, 2023 11:17:38.333894014 CET	49703	443	192.168.2.7	142.250.217.77
Nov 14, 2023 11:17:38.333904982 CET	443	49703	142.250.217.77	192.168.2.7
Nov 14, 2023 11:17:38.333990097 CET	443	49703	142.250.217.77	192.168.2.7
Nov 14, 2023 11:17:38.334036112 CET	49703	443	192.168.2.7	142.250.217.77
Nov 14, 2023 11:17:38.335042000 CET	49703	443	192.168.2.7	142.250.217.77
Nov 14, 2023 11:17:38.335062027 CET	443	49703	142.250.217.77	192.168.2.7
Nov 14, 2023 11:17:38.346265078 CET	443	49704	142.251.215.238	192.168.2.7
Nov 14, 2023 11:17:38.346646070 CET	443	49704	142.251.215.238	192.168.2.7
Nov 14, 2023 11:17:38.346700907 CET	49704	443	192.168.2.7	142.251.215.238
Nov 14, 2023 11:17:38.347250938 CET	49704	443	192.168.2.7	142.251.215.238
Nov 14, 2023 11:17:38.347260952 CET	443	49704	142.251.215.238	192.168.2.7
Nov 14, 2023 11:17:39.802815914 CET	49708	443	192.168.2.7	54.77.60.91
Nov 14, 2023 11:17:39.802854061 CET	443	49708	54.77.60.91	192.168.2.7
Nov 14, 2023 11:17:39.802928925 CET	49708	443	192.168.2.7	54.77.60.91
Nov 14, 2023 11:17:39.803338051 CET	49709	443	192.168.2.7	54.77.60.91
Nov 14, 2023 11:17:39.803406000 CET	443	49709	54.77.60.91	192.168.2.7
Nov 14, 2023 11:17:39.803471088 CET	49709	443	192.168.2.7	54.77.60.91
Nov 14, 2023 11:17:39.803579092 CET	49708	443	192.168.2.7	54.77.60.91
Nov 14, 2023 11:17:39.803590059 CET	443	49708	54.77.60.91	192.168.2.7
Nov 14, 2023 11:17:39.803869963 CET	49709	443	192.168.2.7	54.77.60.91
Nov 14, 2023 11:17:39.803905010 CET	443	49709	54.77.60.91	192.168.2.7
Nov 14, 2023 11:17:39.857645988 CET	49677	443	192.168.2.7	20.50.201.200
Nov 14, 2023 11:17:40.736608028 CET	443	49708	54.77.60.91	192.168.2.7
Nov 14, 2023 11:17:40.740643024 CET	443	49709	54.77.60.91	192.168.2.7
Nov 14, 2023 11:17:40.755950928 CET	49708	443	192.168.2.7	54.77.60.91
Nov 14, 2023 11:17:40.755963087 CET	443	49708	54.77.60.91	192.168.2.7
Nov 14, 2023 11:17:40.756279945 CET	49709	443	192.168.2.7	54.77.60.91
Nov 14, 2023 11:17:40.756318092 CET	443	49709	54.77.60.91	192.168.2.7
Nov 14, 2023 11:17:40.757348061 CET	443	49708	54.77.60.91	192.168.2.7
Nov 14, 2023 11:17:40.757412910 CET	49708	443	192.168.2.7	54.77.60.91
Nov 14, 2023 11:17:40.757421017 CET	443	49708	54.77.60.91	192.168.2.7
Nov 14, 2023 11:17:40.757469893 CET	443	49709	54.77.60.91	192.168.2.7
Nov 14, 2023 11:17:40.757469893 CET	49708	443	192.168.2.7	54.77.60.91
Nov 14, 2023 11:17:40.757612944 CET	49709	443	192.168.2.7	54.77.60.91
Nov 14, 2023 11:17:40.757630110 CET	443	49709	54.77.60.91	192.168.2.7
Nov 14, 2023 11:17:40.757677078 CET	49709	443	192.168.2.7	54.77.60.91
Nov 14, 2023 11:17:40.763957024 CET	49709	443	192.168.2.7	54.77.60.91
Nov 14, 2023 11:17:40.764106989 CET	443	49709	54.77.60.91	192.168.2.7
Nov 14, 2023 11:17:40.765053988 CET	49708	443	192.168.2.7	54.77.60.91
Nov 14, 2023 11:17:40.765196085 CET	443	49708	54.77.60.91	192.168.2.7
Nov 14, 2023 11:17:40.765413046 CET	49709	443	192.168.2.7	54.77.60.91
Nov 14, 2023 11:17:40.765428066 CET	443	49709	54.77.60.91	192.168.2.7
Nov 14, 2023 11:17:40.808696985 CET	49708	443	192.168.2.7	54.77.60.91
Nov 14, 2023 11:17:40.808722019 CET	443	49708	54.77.60.91	192.168.2.7
Nov 14, 2023 11:17:40.823846102 CET	49709	443	192.168.2.7	54.77.60.91
Nov 14, 2023 11:17:40.854697943 CET	49708	443	192.168.2.7	54.77.60.91
Nov 14, 2023 11:17:41.202631950 CET	49711	443	192.168.2.7	142.251.215.228
Nov 14, 2023 11:17:41.202678919 CET	443	49711	142.251.215.228	192.168.2.7
Nov 14, 2023 11:17:41.202831030 CET	49711	443	192.168.2.7	142.251.215.228
Nov 14, 2023 11:17:41.203134060 CET	49711	443	192.168.2.7	142.251.215.228
Nov 14, 2023 11:17:41.203147888 CET	443	49711	142.251.215.228	192.168.2.7
Nov 14, 2023 11:17:41.523186922 CET	443	49711	142.251.215.228	192.168.2.7
Nov 14, 2023 11:17:41.523751974 CET	49711	443	192.168.2.7	142.251.215.228
Nov 14, 2023 11:17:41.523776054 CET	443	49711	142.251.215.228	192.168.2.7
Nov 14, 2023 11:17:41.524833918 CET	443	49711	142.251.215.228	192.168.2.7
Nov 14, 2023 11:17:41.524909973 CET	49711	443	192.168.2.7	142.251.215.228
Nov 14, 2023 11:17:41.525435925 CET	443	49709	54.77.60.91	192.168.2.7
Nov 14, 2023 11:17:41.525507927 CET	443	49709	54.77.60.91	192.168.2.7
Nov 14, 2023 11:17:41.525567055 CET	49709	443	192.168.2.7	54.77.60.91
Nov 14, 2023 11:17:41.527190924 CET	49709	443	192.168.2.7	54.77.60.91
Nov 14, 2023 11:17:41.527210951 CET	443	49709	54.77.60.91	192.168.2.7
Nov 14, 2023 11:17:41.537782907 CET	49711	443	192.168.2.7	142.251.215.228
Nov 14, 2023 11:17:41.537961960 CET	443	49711	142.251.215.228	192.168.2.7
Nov 14, 2023 11:17:41.590883017 CET	49711	443	192.168.2.7	142.251.215.228
Nov 14, 2023 11:17:41.590909958 CET	443	49711	142.251.215.228	192.168.2.7
Nov 14, 2023 11:17:41.632654905 CET	49711	443	192.168.2.7	142.251.215.228
Nov 14, 2023 11:17:42.403997898 CET	49712	443	192.168.2.7	173.222.228.121
Nov 14, 2023 11:17:42.404067039 CET	443	49712	173.222.228.121	192.168.2.7
Nov 14, 2023 11:17:42.404170990 CET	49712	443	192.168.2.7	173.222.228.121
Nov 14, 2023 11:17:42.413741112 CET	49712	443	192.168.2.7	173.222.228.121
Nov 14, 2023 11:17:42.413778067 CET	443	49712	173.222.228.121	192.168.2.7
Nov 14, 2023 11:17:42.737946987 CET	443	49712	173.222.228.121	192.168.2.7
Nov 14, 2023 11:17:42.738010883 CET	49712	443	192.168.2.7	173.222.228.121
Nov 14, 2023 11:17:42.741280079 CET	49712	443	192.168.2.7	173.222.228.121
Nov 14, 2023 11:17:42.741291046 CET	443	49712	173.222.228.121	192.168.2.7
Nov 14, 2023 11:17:42.741585016 CET	443	49712	173.222.228.121	192.168.2.7
Nov 14, 2023 11:17:42.792606115 CET	49712	443	192.168.2.7	173.222.228.121
Nov 14, 2023 11:17:42.958148956 CET	49712	443	192.168.2.7	173.222.228.121
Nov 14, 2023 11:17:43.001292944 CET	443	49712	173.222.228.121	192.168.2.7
Nov 14, 2023 11:17:43.011380911 CET	49674	443	192.168.2.7	104.98.116.138
Nov 14, 2023 11:17:43.026972055 CET	49675	443	192.168.2.7	104.98.116.138
Nov 14, 2023 11:17:43.111500978 CET	443	49712	173.222.228.121	192.168.2.7
Nov 14, 2023 11:17:43.111658096 CET	443	49712	173.222.228.121	192.168.2.7
Nov 14, 2023 11:17:43.111728907 CET	49712	443	192.168.2.7	173.222.228.121
Nov 14, 2023 11:17:43.114064932 CET	49712	443	192.168.2.7	173.222.228.121
Nov 14, 2023 11:17:43.114125013 CET	443	49712	173.222.228.121	192.168.2.7
Nov 14, 2023 11:17:43.114161968 CET	49712	443	192.168.2.7	173.222.228.121
Nov 14, 2023 11:17:43.114181995 CET	443	49712	173.222.228.121	192.168.2.7
Nov 14, 2023 11:17:43.136303902 CET	49672	443	192.168.2.7	104.98.116.138
Nov 14, 2023 11:17:43.244951963 CET	49713	443	192.168.2.7	173.222.228.121
Nov 14, 2023 11:17:43.244996071 CET	443	49713	173.222.228.121	192.168.2.7
Nov 14, 2023 11:17:43.245078087 CET	49713	443	192.168.2.7	173.222.228.121
Nov 14, 2023 11:17:43.249324083 CET	49713	443	192.168.2.7	173.222.228.121
Nov 14, 2023 11:17:43.249344110 CET	443	49713	173.222.228.121	192.168.2.7
Nov 14, 2023 11:17:43.558826923 CET	443	49713	173.222.228.121	192.168.2.7
Nov 14, 2023 11:17:43.558932066 CET	49713	443	192.168.2.7	173.222.228.121
Nov 14, 2023 11:17:43.560214996 CET	49713	443	192.168.2.7	173.222.228.121
Nov 14, 2023 11:17:43.560229063 CET	443	49713	173.222.228.121	192.168.2.7
Nov 14, 2023 11:17:43.560473919 CET	443	49713	173.222.228.121	192.168.2.7
Nov 14, 2023 11:17:43.561667919 CET	49713	443	192.168.2.7	173.222.228.121
Nov 14, 2023 11:17:43.609270096 CET	443	49713	173.222.228.121	192.168.2.7
Nov 14, 2023 11:17:43.864830971 CET	443	49713	173.222.228.121	192.168.2.7
Nov 14, 2023 11:17:43.864911079 CET	443	49713	173.222.228.121	192.168.2.7
Nov 14, 2023 11:17:43.865086079 CET	49713	443	192.168.2.7	173.222.228.121
Nov 14, 2023 11:17:43.904392958 CET	49713	443	192.168.2.7	173.222.228.121
Nov 14, 2023 11:17:43.904393911 CET	49713	443	192.168.2.7	173.222.228.121
Nov 14, 2023 11:17:43.904433966 CET	443	49713	173.222.228.121	192.168.2.7
Nov 14, 2023 11:17:43.904447079 CET	443	49713	173.222.228.121	192.168.2.7
Nov 14, 2023 11:17:44.564069033 CET	443	49701	104.98.116.138	192.168.2.7
Nov 14, 2023 11:17:44.564162970 CET	49701	443	192.168.2.7	104.98.116.138
Nov 14, 2023 11:17:44.636080027 CET	49671	443	192.168.2.7	204.79.197.203
Nov 14, 2023 11:17:45.823734045 CET	49677	443	192.168.2.7	20.50.201.200
Nov 14, 2023 11:17:51.550141096 CET	443	49711	142.251.215.228	192.168.2.7
Nov 14, 2023 11:17:51.550209045 CET	443	49711	142.251.215.228	192.168.2.7
Nov 14, 2023 11:17:51.550260067 CET	49711	443	192.168.2.7	142.251.215.228
Nov 14, 2023 11:17:51.717086077 CET	49711	443	192.168.2.7	142.251.215.228
Nov 14, 2023 11:17:51.717148066 CET	443	49711	142.251.215.228	192.168.2.7
Nov 14, 2023 11:17:53.552937984 CET	49715	443	192.168.2.7	40.127.169.103
Nov 14, 2023 11:17:53.553020000 CET	443	49715	40.127.169.103	192.168.2.7
Nov 14, 2023 11:17:53.553106070 CET	49715	443	192.168.2.7	40.127.169.103
Nov 14, 2023 11:17:53.555525064 CET	49715	443	192.168.2.7	40.127.169.103
Nov 14, 2023 11:17:53.555561066 CET	443	49715	40.127.169.103	192.168.2.7
Nov 14, 2023 11:17:54.433890104 CET	443	49715	40.127.169.103	192.168.2.7
Nov 14, 2023 11:17:54.434076071 CET	49715	443	192.168.2.7	40.127.169.103
Nov 14, 2023 11:17:54.437624931 CET	49715	443	192.168.2.7	40.127.169.103
Nov 14, 2023 11:17:54.437650919 CET	443	49715	40.127.169.103	192.168.2.7
Nov 14, 2023 11:17:54.441597939 CET	443	49715	40.127.169.103	192.168.2.7
Nov 14, 2023 11:17:54.480947018 CET	49715	443	192.168.2.7	40.127.169.103
Nov 14, 2023 11:17:55.132278919 CET	49715	443	192.168.2.7	40.127.169.103
Nov 14, 2023 11:17:55.177299023 CET	443	49715	40.127.169.103	192.168.2.7
Nov 14, 2023 11:17:55.704534054 CET	443	49715	40.127.169.103	192.168.2.7
Nov 14, 2023 11:17:55.704576015 CET	443	49715	40.127.169.103	192.168.2.7
Nov 14, 2023 11:17:55.704586029 CET	443	49715	40.127.169.103	192.168.2.7
Nov 14, 2023 11:17:55.704596996 CET	443	49715	40.127.169.103	192.168.2.7
Nov 14, 2023 11:17:55.704628944 CET	443	49715	40.127.169.103	192.168.2.7
Nov 14, 2023 11:17:55.704735041 CET	49715	443	192.168.2.7	40.127.169.103
Nov 14, 2023 11:17:55.704772949 CET	443	49715	40.127.169.103	192.168.2.7
Nov 14, 2023 11:17:55.704794884 CET	49715	443	192.168.2.7	40.127.169.103
Nov 14, 2023 11:17:55.704824924 CET	49715	443	192.168.2.7	40.127.169.103
Nov 14, 2023 11:17:55.705790043 CET	443	49715	40.127.169.103	192.168.2.7
Nov 14, 2023 11:17:55.705876112 CET	443	49715	40.127.169.103	192.168.2.7
Nov 14, 2023 11:17:55.705885887 CET	49715	443	192.168.2.7	40.127.169.103
Nov 14, 2023 11:17:55.705920935 CET	49715	443	192.168.2.7	40.127.169.103
Nov 14, 2023 11:17:56.142458916 CET	49715	443	192.168.2.7	40.127.169.103
Nov 14, 2023 11:17:56.142486095 CET	443	49715	40.127.169.103	192.168.2.7
Nov 14, 2023 11:17:56.142504930 CET	49715	443	192.168.2.7	40.127.169.103
Nov 14, 2023 11:17:56.142512083 CET	443	49715	40.127.169.103	192.168.2.7
Nov 14, 2023 11:17:57.729907990 CET	49677	443	192.168.2.7	20.50.201.200
Nov 14, 2023 11:18:25.809561968 CET	49708	443	192.168.2.7	54.77.60.91
Nov 14, 2023 11:18:25.809603930 CET	443	49708	54.77.60.91	192.168.2.7
Nov 14, 2023 11:18:33.892648935 CET	49722	443	192.168.2.7	40.127.169.103
Nov 14, 2023 11:18:33.892678976 CET	443	49722	40.127.169.103	192.168.2.7
Nov 14, 2023 11:18:33.892776012 CET	49722	443	192.168.2.7	40.127.169.103
Nov 14, 2023 11:18:33.893366098 CET	49722	443	192.168.2.7	40.127.169.103
Nov 14, 2023 11:18:33.893381119 CET	443	49722	40.127.169.103	192.168.2.7
Nov 14, 2023 11:18:34.760445118 CET	443	49722	40.127.169.103	192.168.2.7
Nov 14, 2023 11:18:34.760648966 CET	49722	443	192.168.2.7	40.127.169.103
Nov 14, 2023 11:18:34.765307903 CET	49722	443	192.168.2.7	40.127.169.103
Nov 14, 2023 11:18:34.765321970 CET	443	49722	40.127.169.103	192.168.2.7
Nov 14, 2023 11:18:34.765714884 CET	443	49722	40.127.169.103	192.168.2.7
Nov 14, 2023 11:18:34.808398962 CET	49722	443	192.168.2.7	40.127.169.103
Nov 14, 2023 11:18:35.260950089 CET	49722	443	192.168.2.7	40.127.169.103
Nov 14, 2023 11:18:35.305273056 CET	443	49722	40.127.169.103	192.168.2.7
Nov 14, 2023 11:18:35.424535036 CET	443	49708	54.77.60.91	192.168.2.7
Nov 14, 2023 11:18:35.424751043 CET	443	49708	54.77.60.91	192.168.2.7
Nov 14, 2023 11:18:35.424835920 CET	49708	443	192.168.2.7	54.77.60.91
Nov 14, 2023 11:18:35.717684031 CET	49708	443	192.168.2.7	54.77.60.91
Nov 14, 2023 11:18:35.717714071 CET	443	49708	54.77.60.91	192.168.2.7
Nov 14, 2023 11:18:35.829632044 CET	443	49722	40.127.169.103	192.168.2.7
Nov 14, 2023 11:18:35.829691887 CET	443	49722	40.127.169.103	192.168.2.7
Nov 14, 2023 11:18:35.829714060 CET	443	49722	40.127.169.103	192.168.2.7
Nov 14, 2023 11:18:35.829754114 CET	443	49722	40.127.169.103	192.168.2.7
Nov 14, 2023 11:18:35.829792023 CET	443	49722	40.127.169.103	192.168.2.7
Nov 14, 2023 11:18:35.829900980 CET	49722	443	192.168.2.7	40.127.169.103
Nov 14, 2023 11:18:35.829924107 CET	443	49722	40.127.169.103	192.168.2.7
Nov 14, 2023 11:18:35.829950094 CET	443	49722	40.127.169.103	192.168.2.7
Nov 14, 2023 11:18:35.829973936 CET	49722	443	192.168.2.7	40.127.169.103
Nov 14, 2023 11:18:35.829973936 CET	49722	443	192.168.2.7	40.127.169.103
Nov 14, 2023 11:18:35.829991102 CET	443	49722	40.127.169.103	192.168.2.7
Nov 14, 2023 11:18:35.830018044 CET	443	49722	40.127.169.103	192.168.2.7
Nov 14, 2023 11:18:35.830032110 CET	49722	443	192.168.2.7	40.127.169.103
Nov 14, 2023 11:18:35.830061913 CET	49722	443	192.168.2.7	40.127.169.103
Nov 14, 2023 11:18:35.830216885 CET	443	49722	40.127.169.103	192.168.2.7
Nov 14, 2023 11:18:35.830282927 CET	49722	443	192.168.2.7	40.127.169.103
Nov 14, 2023 11:18:36.193926096 CET	49722	443	192.168.2.7	40.127.169.103
Nov 14, 2023 11:18:36.193954945 CET	443	49722	40.127.169.103	192.168.2.7
Nov 14, 2023 11:18:36.193972111 CET	49722	443	192.168.2.7	40.127.169.103
Nov 14, 2023 11:18:36.193979979 CET	443	49722	40.127.169.103	192.168.2.7
Nov 14, 2023 11:18:41.108655930 CET	49726	443	192.168.2.7	142.251.215.228
Nov 14, 2023 11:18:41.108740091 CET	443	49726	142.251.215.228	192.168.2.7
Nov 14, 2023 11:18:41.108849049 CET	49726	443	192.168.2.7	142.251.215.228
Nov 14, 2023 11:18:41.109263897 CET	49726	443	192.168.2.7	142.251.215.228
Nov 14, 2023 11:18:41.109286070 CET	443	49726	142.251.215.228	192.168.2.7
Nov 14, 2023 11:18:41.427242994 CET	443	49726	142.251.215.228	192.168.2.7
Nov 14, 2023 11:18:41.428729057 CET	49726	443	192.168.2.7	142.251.215.228
Nov 14, 2023 11:18:41.428798914 CET	443	49726	142.251.215.228	192.168.2.7
Nov 14, 2023 11:18:41.429377079 CET	443	49726	142.251.215.228	192.168.2.7
Nov 14, 2023 11:18:41.430681944 CET	49726	443	192.168.2.7	142.251.215.228
Nov 14, 2023 11:18:41.430789948 CET	443	49726	142.251.215.228	192.168.2.7
Nov 14, 2023 11:18:41.474155903 CET	49726	443	192.168.2.7	142.251.215.228
Nov 14, 2023 11:18:51.444832087 CET	443	49726	142.251.215.228	192.168.2.7
Nov 14, 2023 11:18:51.444989920 CET	443	49726	142.251.215.228	192.168.2.7
Nov 14, 2023 11:18:51.445071936 CET	49726	443	192.168.2.7	142.251.215.228
Nov 14, 2023 11:18:51.745543957 CET	49726	443	192.168.2.7	142.251.215.228
Nov 14, 2023 11:18:51.745583057 CET	443	49726	142.251.215.228	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 14, 2023 11:17:37.516011953 CET	61374	53	192.168.2.7	1.1.1.1
Nov 14, 2023 11:17:37.516244888 CET	58582	53	192.168.2.7	1.1.1.1
Nov 14, 2023 11:17:37.516788960 CET	56566	53	192.168.2.7	1.1.1.1
Nov 14, 2023 11:17:37.517035007 CET	65493	53	192.168.2.7	1.1.1.1
Nov 14, 2023 11:17:37.662142992 CET	53	63473	1.1.1.1	192.168.2.7
Nov 14, 2023 11:17:37.668587923 CET	53	61374	1.1.1.1	192.168.2.7
Nov 14, 2023 11:17:37.669023037 CET	53	56566	1.1.1.1	192.168.2.7
Nov 14, 2023 11:17:37.669178963 CET	53	65493	1.1.1.1	192.168.2.7
Nov 14, 2023 11:17:37.669301987 CET	53	58582	1.1.1.1	192.168.2.7
Nov 14, 2023 11:17:38.555222988 CET	53	52218	1.1.1.1	192.168.2.7
Nov 14, 2023 11:17:39.508416891 CET	60981	53	192.168.2.7	1.1.1.1
Nov 14, 2023 11:17:39.508721113 CET	56066	53	192.168.2.7	1.1.1.1
Nov 14, 2023 11:17:39.792922974 CET	53	60981	1.1.1.1	192.168.2.7
Nov 14, 2023 11:17:39.802192926 CET	53	56066	1.1.1.1	192.168.2.7
Nov 14, 2023 11:17:40.654994965 CET	123	123	192.168.2.7	168.61.215.74
Nov 14, 2023 11:17:40.859075069 CET	123	123	168.61.215.74	192.168.2.7
Nov 14, 2023 11:17:41.047125101 CET	64048	53	192.168.2.7	1.1.1.1
Nov 14, 2023 11:17:41.047395945 CET	51953	53	192.168.2.7	1.1.1.1
Nov 14, 2023 11:17:41.199904919 CET	53	51953	1.1.1.1	192.168.2.7
Nov 14, 2023 11:17:41.200079918 CET	53	64048	1.1.1.1	192.168.2.7
Nov 14, 2023 11:17:55.666706085 CET	53	57466	1.1.1.1	192.168.2.7
Nov 14, 2023 11:18:14.557979107 CET	53	55007	1.1.1.1	192.168.2.7
Nov 14, 2023 11:18:34.724932909 CET	138	138	192.168.2.7	192.168.2.255
Nov 14, 2023 11:18:36.709557056 CET	53	64887	1.1.1.1	192.168.2.7
Nov 14, 2023 11:18:37.690577030 CET	53	59775	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 14, 2023 11:17:37.516011953 CET	192.168.2.7	1.1.1.1	0xfa33	Standard query (0)	clients2.google.com	A (IP address)	IN (0x0001)	false
Nov 14, 2023 11:17:37.516244888 CET	192.168.2.7	1.1.1.1	0x9aa	Standard query (0)	clients2.google.com	65	IN (0x0001)	false
Nov 14, 2023 11:17:37.516788960 CET	192.168.2.7	1.1.1.1	0x2b8f	Standard query (0)	accounts.google.com	A (IP address)	IN (0x0001)	false
Nov 14, 2023 11:17:37.517035007 CET	192.168.2.7	1.1.1.1	0x4703	Standard query (0)	accounts.google.com	65	IN (0x0001)	false
Nov 14, 2023 11:17:39.508416891 CET	192.168.2.7	1.1.1.1	0x1599	Standard query (0)	ftps.phishing.guru	A (IP address)	IN (0x0001)	false
Nov 14, 2023 11:17:39.508721113 CET	192.168.2.7	1.1.1.1	0x72d1	Standard query (0)	ftps.phishing.guru	65	IN (0x0001)	false
Nov 14, 2023 11:17:41.047125101 CET	192.168.2.7	1.1.1.1	0x1a31	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Nov 14, 2023 11:17:41.047395945 CET	192.168.2.7	1.1.1.1	0xc229	Standard query (0)	www.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 14, 2023 11:17:37.668587923 CET	1.1.1.1	192.168.2.7	0xfa33	No error (0)	clients2.google.com	clients.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 14, 2023 11:17:37.668587923 CET	1.1.1.1	192.168.2.7	0xfa33	No error (0)	clients.l.google.com		142.251.215.238	A (IP address)	IN (0x0001)	false
Nov 14, 2023 11:17:37.669023037 CET	1.1.1.1	192.168.2.7	0x2b8f	No error (0)	accounts.google.com		142.250.217.77	A (IP address)	IN (0x0001)	false
Nov 14, 2023 11:17:37.669301987 CET	1.1.1.1	192.168.2.7	0x9aa	No error (0)	clients2.google.com	clients.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 14, 2023 11:17:39.792922974 CET	1.1.1.1	192.168.2.7	0x1599	No error (0)	ftps.phishing.guru	landing.eu.knowbe4.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 14, 2023 11:17:39.792922974 CET	1.1.1.1	192.168.2.7	0x1599	No error (0)	landing.eu.knowbe4.com		54.77.60.91	A (IP address)	IN (0x0001)	false
Nov 14, 2023 11:17:39.792922974 CET	1.1.1.1	192.168.2.7	0x1599	No error (0)	landing.eu.knowbe4.com		54.155.116.163	A (IP address)	IN (0x0001)	false
Nov 14, 2023 11:17:39.792922974 CET	1.1.1.1	192.168.2.7	0x1599	No error (0)	landing.eu.knowbe4.com		63.32.165.17	A (IP address)	IN (0x0001)	false
Nov 14, 2023 11:17:39.802192926 CET	1.1.1.1	192.168.2.7	0x72d1	No error (0)	ftps.phishing.guru	landing.eu.knowbe4.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 14, 2023 11:17:41.199904919 CET	1.1.1.1	192.168.2.7	0xc229	No error (0)	www.google.com			65	IN (0x0001)	false
Nov 14, 2023 11:17:41.200079918 CET	1.1.1.1	192.168.2.7	0x1a31	No error (0)	www.google.com		142.251.215.228	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

accounts.google.com

clients2.google.com

ftps.phishing.guru

fs.microsoft.com

slscr.update.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.7	49703	142.250.217.77	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-11-14 10:17:38 UTC	0	OUT	POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1 Host: accounts.google.com Connection: keep-alive Content-Length: 1 Origin: https://www.google.com Content-Type: application/x-www-form-urlencoded Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=511=nNadqW9uTcY0OP6I3afnr71o6EzaYLsdpW4UEYN3vYq_rbRrNFxM1jozPGuhjORBZKKMz2tdDpVe7dNuTWp4CyK-zt5Is6wVElveWAfKQgwNJiKKtXHCCCmrlgzZTl5CiKjTeA2iQqf6zlRK2h8wg1hVpIsWsaKqaWJyHMPF3JA
2023-11-14 10:17:38 UTC	0	OUT	Data Raw: 20 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.7	49704	142.251.215.238	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-11-14 10:17:38 UTC	0	OUT	GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=117.0.5938.134&lang=en-US&acceptformat=crx3,puff&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26brand%3DONGR%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1 Host: clients2.google.com Connection: keep-alive X-Goog-Update-Interactivity: fg X-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda X-Goog-Update-Updater: chromecrx-117.0.5938.134 Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	142.250.217.77	443	192.168.2.7	49703	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-11-14 10:17:38 UTC	1	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Access-Control-Allow-Origin: https://www.google.com Access-Control-Allow-Credentials: true X-Content-Type-Options: nosniff Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 14 Nov 2023 10:17:38 GMT Strict-Transport-Security: max-age=31536000; includeSubDomains Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'report-sample' 'nonce-8oZza5IXgzglWYP3w9li9Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/IdentityListAccountsHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/IdentityListAccountsHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/IdentityListAccountsHttp/cspreport Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factor=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2023-11-14 10:17:38 UTC	2	IN	Data Raw: 31 31 0d 0a 5b 22 67 61 69 61 2e 6c 2e 61 2e 72 22 2c 5b 5d 5d 0d 0a Data Ascii: 11["gaia.l.a.r",[]]
2023-11-14 10:17:38 UTC	3	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	142.251.215.238	443	192.168.2.7	49704	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-11-14 10:17:38 UTC	3	IN	HTTP/1.1 200 OK Content-Security-Policy: script-src 'report-sample' 'nonce-xeuaJlflsalh2roaZh-Ksw' 'unsafe-inline' 'strict-dynamic' https: http:;object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/clientupdate-aus/1 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 14 Nov 2023 10:17:38 GMT Content-Type: text/xml; charset=UTF-8 X-Daynum: 6161 X-Daystart: 8258 X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block Server: GSE Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2023-11-14 10:17:38 UTC	3	IN	Data Raw: 32 63 38 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 67 75 70 64 61 74 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 75 70 64 61 74 65 32 2f 72 65 73 70 6f 6e 73 65 22 20 70 72 6f 74 6f 63 6f 6c 3d 22 32 2e 30 22 20 73 65 72 76 65 72 3d 22 70 72 6f 64 22 3e 3c 64 61 79 73 74 61 72 74 20 65 6c 61 70 73 65 64 5f 64 61 79 73 3d 22 36 31 36 31 22 20 65 6c 61 70 73 65 64 5f 73 65 63 6f 6e 64 73 3d 22 38 32 35 38 22 2f 3e 3c 61 70 70 20 61 70 70 69 64 3d 22 6e 6d 6d 68 6b 6b 65 67 63 63 61 67 64 6c 64 67 69 69 6d 65 64 70 69 63 63 6d 67 6d 69 65 64 61 22 20 63 6f 68 6f 72 74 3d 22 31 3a 3a 22 20 63 6f 68 6f 72 74 6e 61 6d 65 3d 22 22 20 Data Ascii: 2c8<?xml version="1.0" encoding="UTF-8"?><gupdate xmlns="http://www.google.com/update2/response" protocol="2.0" server="prod"><daystart elapsed_days="6161" elapsed_seconds="8258"/><app appid="nmmhkkegccagdldgiimedpiccmgmieda" cohort="1::" cohortname=""
2023-11-14 10:17:38 UTC	4	IN	Data Raw: 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 68 61 73 68 5f 73 68 61 32 35 36 3d 22 38 31 65 33 61 34 64 34 33 61 37 33 36 39 39 65 31 62 37 37 38 31 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 70 72 6f 74 65 63 74 65 64 3d 22 30 22 20 73 69 7a 65 3d 22 32 34 38 35 33 31 22 20 73 74 61 74 75 73 3d 22 6f 6b 22 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 2e 30 2e 36 22 2f 3e 3c 2f 61 70 70 3e 3c 2f 67 75 70 64 61 74 65 3e 0d 0a Data Ascii: 3f56b8717175c536685c5450122b30789464ad82" hash_sha256="81e3a4d43a73699e1b7781723f56b8717175c536685c5450122b30789464ad82" protected="0" size="248531" status="ok" version="1.0.0.6"/></app></gupdate>
2023-11-14 10:17:38 UTC	4	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.7	49709	54.77.60.91	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-11-14 10:17:40 UTC	4	OUT	GET /XTUdORk5XcG5XbXhGWmxwR1ZXeHZkRWhzYTNCYVRrMURMMGhEZERSV2R6TXJaMVpISzBkR1NtMTFiV040WlhCWWJVMVhTa2RzUW5rMWFWTk1WbVJTZVVkbFdHNXdWVmhOY0doVU5WQjJlR0paVjJweFJFOXJZMWt3ZWxaNlJVWnBMMGRwZW1ocVIzaEZibWhVUWpsaFExUTBkblEzVFM5cFEwRktTVVIwT1RFdExYTlRkRXRSWnpaamNUUklVR2hwYmtveEwzRmFXSGM5UFE9PS0tMTU4NjM4NjZjODMxOTg2ZGNhYzkyN2VhNTQwOTdkOTcxMzFhMjdiOA==?cid=208072639 HTTP/1.1 Host: ftps.phishing.guru Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	54.77.60.91	443	192.168.2.7	49709	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-11-14 10:17:41 UTC	5	IN	HTTP/1.1 200 OK Date: Tue, 14 Nov 2023 10:17:41 GMT Content-Type: image/gif Content-Length: 43 Connection: close X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff X-Download-Options: noopen X-Permitted-Cross-Domain-Policies: none Referrer-Policy: no-referrer-when-downgrade Content-Disposition: attachment Content-Transfer-Encoding: binary Cache-Control: private ETag: W/"a065920df8cc4016d67c3a464be90099" Content-Security-Policy: X-Request-Id: 5cbdb6e9-579b-4cc6-a212-b5b0df532b1a X-Runtime: 0.111361 Strict-Transport-Security: max-age=63113904; includeSubDomains; preload
2023-11-14 10:17:41 UTC	6	IN	Data Raw: 47 49 46 38 39 61 01 00 01 00 f0 00 00 00 00 00 00 00 00 21 f9 04 01 00 00 00 00 2c 00 00 00 00 01 00 01 00 00 02 02 44 01 00 3b Data Ascii: GIF89a!,D;

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.7	49712	173.222.228.121	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-11-14 10:17:42 UTC	6	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2023-11-14 10:17:43 UTC	6	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (sac/2518) X-CID: 11 Cache-Control: public, max-age=177967 Date: Tue, 14 Nov 2023 10:17:43 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.7	49713	173.222.228.121	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-11-14 10:17:43 UTC	6	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2023-11-14 10:17:43 UTC	6	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Tue, 16 May 2017 22:58:00 GMT ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json X-Azure-Ref: 0gZGqYgAAAAALDuImPJT0QKVHnlugaXU1UERYMzFFREdFMDIxMgBjZWZjMjU4My1hOWIyLTQ0YTctOTc1NS1iNzZkMTdlMDVmN2Y= Cache-Control: public, max-age=177975 Date: Tue, 14 Nov 2023 10:17:43 GMT Content-Length: 55 Connection: close X-CID: 2
2023-11-14 10:17:43 UTC	7	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.7	49715	40.127.169.103	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-11-14 10:17:55 UTC	7	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=1BrL9kHnvOxH3UA&MD=DC7FpwuW HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2023-11-14 10:17:55 UTC	7	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: c0cb44de-5e28-4c17-b8e8-60670f92d4c5 MS-RequestId: 600da9ae-8be8-44c1-808e-587497cc7030 MS-CV: GC6BMk6NOk+2rVsL.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Tue, 14 Nov 2023 10:17:54 GMT Connection: close Content-Length: 24490
2023-11-14 10:17:55 UTC	8	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2023-11-14 10:17:55 UTC	23	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.7	49722	40.127.169.103	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-11-14 10:18:35 UTC	32	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=1BrL9kHnvOxH3UA&MD=DC7FpwuW HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2023-11-14 10:18:35 UTC	32	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "Mx1RoJH/qEwpWfKllx7sbsl28AuERz5IYdcsvtTJcgM=_2160" MS-CorrelationId: 7c3e7d61-9876-4fad-adf0-c56312fc1c39 MS-RequestId: 28e7c565-a134-4b19-96fb-2988bb221985 MS-CV: F0rjOJMYJEWsFLEz.0 X-Microsoft-SLSClientCache: 2160 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Tue, 14 Nov 2023 10:18:35 GMT Connection: close Content-Length: 25457
2023-11-14 10:18:35 UTC	33	IN	Data Raw: 4d 53 43 46 00 00 00 00 51 22 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 db 8e 00 00 14 00 00 00 00 00 10 00 51 22 00 00 20 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 f3 43 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 0d 92 6f db e5 21 f3 43 43 4b ed 5a 09 38 55 5b df 3f 93 99 90 29 99 e7 29 ec 73 cc 4a 66 32 cf 84 32 64 c8 31 c7 11 52 38 87 90 42 66 09 99 87 32 0f 19 0a 09 51 a6 a8 08 29 53 86 4a 52 84 50 df 46 83 ba dd 7b df fb 7e ef 7d ee 7d bf ef 9e e7 d9 67 ef 35 ee b5 fe eb 3f ff b6 96 81 a2 0a 04 fc 31 40 21 5b 3f a5 ed 1b 04 0e 85 42 a0 10 04 64 12 6c a5 de aa a1 d8 ea f3 58 01 f2 f5 67 0b 5e 9b bd e8 a0 90 1d bf 40 88 9d eb 49 b4 87 9b ab 8b 9d 2b 46 c8 c7 c5 19 92 Data Ascii: MSCFQ"DQ" AdCenvironment.cabo!CCKZ8U[?))sJf22d1R8Bf2Q)SJRPF{~}}g5?1@![?BdlXg^@I+F
2023-11-14 10:18:35 UTC	48	IN	Data Raw: 21 6f b3 eb a6 cc f5 31 be cf 05 e2 a9 fe fa 57 6d 19 30 b3 c2 c5 66 c9 6a df f5 e7 f0 78 bd c7 a8 9e 25 e3 f9 bc ed 6b 54 57 08 2b 51 82 44 12 fb b9 53 8c cc f4 60 12 8a 76 cc 40 40 41 9b dc 5c 17 ff 5c f9 5e 17 35 98 24 56 4b 74 ef 42 10 c8 af bf 7f c6 7f f2 37 7d 5a 3f 1c f2 99 79 4a 91 52 00 af 38 0f 17 f5 2f 79 81 65 d9 a9 b5 6b e4 c7 ce f6 ca 7a 00 6f 4b 30 44 24 22 3c cf ed 03 a5 96 8f 59 29 bc b6 fd 04 e1 70 9f 32 4a 27 fd 55 af 2f fe b6 e5 8e 33 bb 62 5f 9a db 57 40 e9 f1 ce 99 66 90 8c ff 6a 62 7f dd c5 4a 0b 91 26 e2 39 ec 19 4a 71 63 9d 7b 21 6d c3 9c a3 a2 3c fa 7f 7d 96 6a 90 78 a6 6d d2 e1 9c f9 1d fc 38 d8 94 f4 c6 a5 0a 96 86 a4 bd 9e 1a ae 04 42 83 b8 b5 80 9b 22 38 20 b5 25 e5 64 ec f7 f4 bf 7e 63 59 25 0f 7a 2e 39 57 76 a2 71 aa 06 8a Data Ascii: !o1Wm0fjx%kTW+QDS`v@@A\\^5$VKtB7}Z?yJR8/yekzoK0D$"<Y)p2J'U/3b_W@fjbJ&9Jqc{!m<}jxm8B"8 %d~cY%z.9Wvq

Statistics

CPU Usage

• chrome.exe
• chrome.exe
• chrome.exe
• mspaint.exe

Click to jump to process

Memory Usage

• chrome.exe
• chrome.exe
• chrome.exe
• mspaint.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Click to jump to process

Target ID:	1
Start time:	11:17:33
Start date:	14/11/2023
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank
Imagebase:	0x7ff6c4390000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	11:17:35
Start date:	14/11/2023
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2580 --field-trial-handle=2540,i,14340149038064431546,5564073637357537251,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff6c4390000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	11:17:38
Start date:	14/11/2023
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Google\Chrome\Application\chrome.exe" "https://ftps.phishing.guru/XTUdORk5XcG5XbXhGWmxwR1ZXeHZkRWhzYTNCYVRrMURMMGhEZERSV2R6TXJaMVpISzBkR1NtMTFiV040WlhCWWJVMVhTa2RzUW5rMWFWTk1WbVJTZVVkbFdHNXdWVmhOY0doVU5WQjJlR0paVjJweFJFOXJZMWt3ZWxaNlJVWnBMMGRwZW1ocVIzaEZibWhVUWpsaFExUTBkblEzVFM5cFEwRktTVVIwT1RFdExYTlRkRXRSWnpaamNUUklVR2hwYmtveEwzRmFXSGM5UFE9PS0tMTU4NjM4NjZjODMxOTg2ZGNhYzkyN2VhNTQwOTdkOTcxMzFhMjdiOA==?cid=208072639
Imagebase:	0x7ff6c4390000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	12:29:54
Start date:	14/11/2023
Path:	C:\Windows\SysWOW64\mspaint.exe
Wow64 process (32bit):	true
Commandline:	mspaint.exe "C:\Users\user\Desktop\"
Imagebase:	0x570000
File size:	743'424 bytes
MD5 hash:	986A191E95952C9E3FE6BE112FB92026
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Source: global traffic	HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=117.0.5938.134&lang=en-US&acceptformat=crx3,puff&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26brand%3DONGR%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmiedaX-Goog-Update-Updater: chromecrx-117.0.5938.134Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /XTUdORk5XcG5XbXhGWmxwR1ZXeHZkRWhzYTNCYVRrMURMMGhEZERSV2R6TXJaMVpISzBkR1NtMTFiV040WlhCWWJVMVhTa2RzUW5rMWFWTk1WbVJTZVVkbFdHNXdWVmhOY0doVU5WQjJlR0paVjJweFJFOXJZMWt3ZWxaNlJVWnBMMGRwZW1ocVIzaEZibWhVUWpsaFExUTBkblEzVFM5cFEwRktTVVIwT1RFdExYTlRkRXRSWnpaamNUUklVR2hwYmtveEwzRmFXSGM5UFE9PS0tMTU4NjM4NjZjODMxOTg2ZGNhYzkyN2VhNTQwOTdkOTcxMzFhMjdiOA==?cid=208072639 HTTP/1.1Host: ftps.phishing.guruConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=1BrL9kHnvOxH3UA&MD=DC7FpwuW HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=1BrL9kHnvOxH3UA&MD=DC7FpwuW HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.228.121
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.228.121
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.228.121
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.228.121
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.228.121
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.228.121
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.228.121
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.228.121
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.228.121
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.228.121
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.228.121
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.228.121
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.228.121
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.228.121
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.228.121
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.228.121
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.228.121
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.228.121
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.228.121
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

(copy)

C:\Users\user\Downloads\74c3e23c-8f4f-4a91-8bc2-4a81b270d9df.tmp

C:\Windows\debug\WIA\wiatrace.log

Chrome Cache Entry: 49

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: chrome.exePID: 6116, Parent PID: 6076

General

File Activities

File Opened

File Created

File Deleted

File Moved

Other File Operations

Registry Activities

Key Deleted