Edit tour

Windows Analysis Report
http://trk.klclick2.com

Overview

General Information

Sample URL:	http://trk.klclick2.com
Analysis ID:	1347134
Infos:

Detection

Score:	1
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Stores files to the Windows start menu directory

Creates files inside the system directory

Uses insecure TLS / SSL version for HTTPS connection

Classification

Process Tree

System is w10x64

chrome.exe (PID: 5880 cmdline: C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 5432 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 --field-trial-handle=2196,i,16364107407184605009,10794211104587098240,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 3964 cmdline: C:\Program Files\Google\Chrome\Application\chrome.exe" "http://trk.klclick2.com MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=511=Ef5vPFGw-MZYo5hwe-0ThAVslbxbmvdVZwcHnqVzWHAU14v53MN1VvwvQq8baYfg2-IAtqZBV5NOL5rvj2NWIqrz377UhLdHtOgE-tJaBlUBYJEhuGsQdqni3oTJg0brqv1djdiLJyvTSUhdK-c5JWadCSsULPLzhSx-F-6wOg4

Source: unknown	HTTPS traffic detected: 23.56.8.114:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.56.8.114:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.5:49725 version: TLS 1.2

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Windows\SystemTemp\chrome_BITS_5880_39601534

Jump to behavior

Source: classification engine

Classification label: clean1.win@16/8@8/6

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 --field-trial-handle=2196,i,16364107407184605009,10794211104587098240,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" "http://trk.klclick2.com
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 --field-trial-handle=2196,i,16364107407184605009,10794211104587098240,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Google Drive.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
Valid Accounts	Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	1 Process Injection	11 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	4 Non-Application Layer Protocol	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	5 Application Layer Protocol			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	3 Ingress Tool Transfer			Data Destruction	Virtual Private Server	Employee Names

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
http://trk.klclick2.com	0%	Avira URL Cloud	safe

Source	Detection	Scanner	Label	Link
http://trk.klclick2.com/favicon.ico	0%	Avira URL Cloud	safe

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Reputation
trk.klclick2.com	18.160.41.48	true	false	unknown
accounts.google.com	172.253.63.84	true	false	high
www.google.com	142.251.16.103	true	false	high
clients.l.google.com	142.251.167.139	true	false	high
clients2.google.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=117.0.5938.132&lang=en-US&acceptformat=crx3,puff&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26brand%3DONGR%26ping%3Dr%253D-1%2526e%253D1	false		high
http://trk.klclick2.com/	false		unknown
https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard	false		high
http://trk.klclick2.com/	false		unknown
http://trk.klclick2.com/favicon.ico	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
239.255.255.250	unknown	Reserved	unknown	unknown	false
172.253.63.84	accounts.google.com	United States	15169	GOOGLEUS	false
142.251.16.103	www.google.com	United States	15169	GOOGLEUS	false
18.160.41.48	trk.klclick2.com	United States	3	MIT-GATEWAYSUS	false
142.251.167.139	clients.l.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.5

General Information

Joe Sandbox Version:	38.0.0 Ammolite
Analysis ID:	1347134
Start date and time:	2023-11-23 23:57:28 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 3m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	http://trk.klclick2.com
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean1.win@16/8@8/6
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 172.253.63.94, 34.104.35.123, 8.253.45.239, 72.21.81.240, 192.229.211.108, 172.253.122.94
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, edgedl.me.gvt1.com, slscr.update.microsoft.com, update.googleapis.com, ctldl.windowsupdate.com, clientservices.googleapis.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: http://trk.klclick2.com

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Nov 23 21:58:24 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.9760158473358063
Encrypted:	false
SSDEEP:	48:8qed5Thp3HpidAKZdA19ehwiZUklqehny+3:8qIvLUy
MD5:	0BC22AE503C51C6923A8172869817CC2
SHA1:	D5860D6DA75BDAF66847B3BB55CEADCB2BB7C80A
SHA-256:	AAFD45F44B4BBADA46B46096E4DB680A91595D41EC27FBC3B59CF97848209080
SHA-512:	8D6FE826F49A60C8E587A4EA9A2534B539FABE02C17CFF7F151F38A463E40313F57A842C36575A4C88309A00F5B2AB390172AB1C8185BA19182F3DA57E28D7C6
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......,.`...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IwWI.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VwWI.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VwWI.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VwWI............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VwWM............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............a.t.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Nov 23 21:58:24 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	3.988780125787437
Encrypted:	false
SSDEEP:	48:88d5Thp3HpidAKZdA1weh/iZUkAQkqehEy+2:8qv59QVy
MD5:	DAC1391AA6288D4048CE2A0AA1DA205D
SHA1:	181FAA7E45B90FF565C96FFBE22C642911CFC533
SHA-256:	9954179226026C35493C69E5A9B410035F5C7CDE4DBE66FDB3F9D588F0E07D9C
SHA-512:	F882FC400C457B3F4C52B146D74C6E9E18C90850F7B7B6BEA7B918A539CE2DBB8ABFB932ED620B401976EFCDA77EF73E54A0FE3D86D6FB0EEACE772A5CEEC0F8
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.....M..`...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IwWI.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VwWI.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VwWI.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VwWI............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VwWM............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............a.t.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 4 12:54:07 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2693
Entropy (8bit):	4.000351457770333
Encrypted:	false
SSDEEP:	48:8x6d5ThpsHpidAKZdA14tseh7sFiZUkmgqeh7sqy+BX:8xcvcnwy
MD5:	FD04A3FC04BA18C9536927988AA47CBA
SHA1:	348703001B05601246DA90AFA66CFC0199715B99
SHA-256:	7E10FEDCD736978A7BB21D0466827BAE095A5EDDA8DF34F6D3FF9CE1033AE8CF
SHA-512:	7F62AFC538A27C3081C3D91A05E47B3E50539A43A41C3606E8BE5EFA51C250835FB8D41F8545F870B71EF971E48C521013A346FDCC65777B6D1CBD513C715FA2
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......e>....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IwWI.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VwWI.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VwWI.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VwWI............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VDW.n...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............a.t.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Nov 23 21:58:24 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.9892213149237183
Encrypted:	false
SSDEEP:	48:8qd5Thp3HpidAKZdA1vehDiZUkwqehIy+R:8svaiy
MD5:	E616C42D617666D7E1C634DECC00D03D
SHA1:	A68937D1A6067DD113AA6E6D84666BFDD27AA462
SHA-256:	978C89DD18427D8EF244679D10437464BB99E98BC4E115FF38371DDBA951496D
SHA-512:	0FE0CA2C740D1445EE5443E01F0433224D49843426459934B19430CA2099E9AA5025A0B454548711EBF9A54E6719D59DFAF149F7397CB4E1DBDF06F9173DF42C
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.....&..`...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IwWI.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VwWI.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VwWI.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VwWI............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VwWM............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............a.t.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Nov 23 21:58:24 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.9769713587990525
Encrypted:	false
SSDEEP:	48:8zd5Thp3HpidAKZdA1hehBiZUk1W1qehGy+C:8bva9my
MD5:	61377A19D6903B30184D4B735D9F249A
SHA1:	35A69B2EFD29599197E60F2E5ED28FD8EA6577E5
SHA-256:	27E87E42B77C6DF0E8EC1A35E27570693E18DB66E748FAA770A07DB495B69C28
SHA-512:	0B77C573AF79DD454EE78852FAA7F93D31CE0DB7CF59F5E5BDC621BD710178B8EF55F12D53FEA57E3EF0374634E09271C2FFEDA30B94A17A3D67BF453ABE478A
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.....t#.`...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IwWI.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VwWI.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VwWI.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VwWI............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VwWM............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............a.t.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Nov 23 21:58:24 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2683
Entropy (8bit):	3.988354453451151
Encrypted:	false
SSDEEP:	48:8B5d5Thp3HpidAKZdA1duT+ehOuTbbiZUk5OjqehOuTbwy+yT+:8BdvkT/TbxWOvTbwy7T
MD5:	4161B770BFB3AAE5CEA97AC195B35D1C
SHA1:	254FD434054182EF2D52C080C6FB6AAEF63A9376
SHA-256:	7F8F061DC0D539FB3B18D5C9245FDB64446DB820C420E3993BB61A10C06F688D
SHA-512:	302BA6A0CE29CB6644A54A82349204052A20A867998AF43D58AFD6BE9D82F59A6C618204A609263AAAC0F4D3DEAA335BA21524707B45CEF350E37D4128047C01
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,........`...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IwWI.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VwWI.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VwWI.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VwWI............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VwWM............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............a.t.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Chrome Cache Entry: 66

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	downloaded
Size (bytes):	564
Entropy (8bit):	4.72971822420855
Encrypted:	false
SSDEEP:	12:TjeRHdHiHZdtklI5r8INGlTF5TF5TF5TF5TF5TFK:neRH988DTPTPTPTPTPTc
MD5:	8E325DC2FEA7C8900FC6C4B8C6C394FE
SHA1:	1B3291D4EEA179C84145B2814CB53E6A506EC201
SHA-256:	0B52C5338AF355699530A47683420E48C7344E779D3E815FF9943CBFDC153CF2
SHA-512:	084C608F1F860FB08EF03B155658EA9988B3628D3C0F0E9561FDFF930E5912004CDDBCC43B1FA90C21FE7F5A481AC47C64B8CAA066C2BDF3CF533E152BF96C14
Malicious:	false
Reputation:	low
URL:	http://trk.klclick2.com/
Preview:	<html>..<head><title>404 Not Found</title></head>..<body bgcolor="white">..<center><h1>404 Not Found</h1></center>..<hr><center>nginx</center>..</body>..</html>.. a padding to disable MSIE and Chrome friendly error page -->.. a padding to disable MSIE and Chrome friendly error page -->.. a padding to disable MSIE and Chrome friendly error page -->.. a padding to disable MSIE and Chrome friendly error page -->.. a padding to disable MSIE and Chrome friendly error page -->.. a padding to disable MSIE and Chrome friendly error page -->..

Chrome Cache Entry: 67

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	downloaded
Size (bytes):	564
Entropy (8bit):	4.72971822420855
Encrypted:	false
SSDEEP:	12:TjeRHdHiHZdtklI5r8INGlTF5TF5TF5TF5TF5TFK:neRH988DTPTPTPTPTPTc
MD5:	8E325DC2FEA7C8900FC6C4B8C6C394FE
SHA1:	1B3291D4EEA179C84145B2814CB53E6A506EC201
SHA-256:	0B52C5338AF355699530A47683420E48C7344E779D3E815FF9943CBFDC153CF2
SHA-512:	084C608F1F860FB08EF03B155658EA9988B3628D3C0F0E9561FDFF930E5912004CDDBCC43B1FA90C21FE7F5A481AC47C64B8CAA066C2BDF3CF533E152BF96C14
Malicious:	false
Reputation:	low
URL:	http://trk.klclick2.com/favicon.ico
Preview:	<html>..<head><title>404 Not Found</title></head>..<body bgcolor="white">..<center><h1>404 Not Found</h1></center>..<hr><center>nginx</center>..</body>..</html>.. a padding to disable MSIE and Chrome friendly error page -->.. a padding to disable MSIE and Chrome friendly error page -->.. a padding to disable MSIE and Chrome friendly error page -->.. a padding to disable MSIE and Chrome friendly error page -->.. a padding to disable MSIE and Chrome friendly error page -->.. a padding to disable MSIE and Chrome friendly error page -->..

Total Packets: 124
• 443 (HTTPS)
• 80 (HTTP)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 23, 2023 23:58:16.543574095 CET	49675	443	192.168.2.5	23.1.237.91
Nov 23, 2023 23:58:16.554270029 CET	49674	443	192.168.2.5	23.1.237.91
Nov 23, 2023 23:58:16.637257099 CET	49673	443	192.168.2.5	23.1.237.91
Nov 23, 2023 23:58:23.375025034 CET	49704	443	192.168.2.5	172.253.63.84
Nov 23, 2023 23:58:23.375066042 CET	443	49704	172.253.63.84	192.168.2.5
Nov 23, 2023 23:58:23.375150919 CET	49704	443	192.168.2.5	172.253.63.84
Nov 23, 2023 23:58:23.376993895 CET	49705	443	192.168.2.5	142.251.167.139
Nov 23, 2023 23:58:23.377022982 CET	443	49705	142.251.167.139	192.168.2.5
Nov 23, 2023 23:58:23.377079010 CET	49705	443	192.168.2.5	142.251.167.139
Nov 23, 2023 23:58:23.378478050 CET	49705	443	192.168.2.5	142.251.167.139
Nov 23, 2023 23:58:23.378494024 CET	443	49705	142.251.167.139	192.168.2.5
Nov 23, 2023 23:58:23.378703117 CET	49704	443	192.168.2.5	172.253.63.84
Nov 23, 2023 23:58:23.378715992 CET	443	49704	172.253.63.84	192.168.2.5
Nov 23, 2023 23:58:23.620095968 CET	443	49704	172.253.63.84	192.168.2.5
Nov 23, 2023 23:58:23.620481014 CET	49704	443	192.168.2.5	172.253.63.84
Nov 23, 2023 23:58:23.620507956 CET	443	49704	172.253.63.84	192.168.2.5
Nov 23, 2023 23:58:23.621428013 CET	443	49705	142.251.167.139	192.168.2.5
Nov 23, 2023 23:58:23.621588945 CET	49705	443	192.168.2.5	142.251.167.139
Nov 23, 2023 23:58:23.621617079 CET	443	49705	142.251.167.139	192.168.2.5
Nov 23, 2023 23:58:23.622024059 CET	443	49705	142.251.167.139	192.168.2.5
Nov 23, 2023 23:58:23.622092009 CET	443	49704	172.253.63.84	192.168.2.5
Nov 23, 2023 23:58:23.622093916 CET	49705	443	192.168.2.5	142.251.167.139
Nov 23, 2023 23:58:23.622147083 CET	49704	443	192.168.2.5	172.253.63.84
Nov 23, 2023 23:58:23.622999907 CET	443	49705	142.251.167.139	192.168.2.5
Nov 23, 2023 23:58:23.623059988 CET	49705	443	192.168.2.5	142.251.167.139
Nov 23, 2023 23:58:23.624982119 CET	49704	443	192.168.2.5	172.253.63.84
Nov 23, 2023 23:58:23.625053883 CET	443	49704	172.253.63.84	192.168.2.5
Nov 23, 2023 23:58:23.626112938 CET	49704	443	192.168.2.5	172.253.63.84
Nov 23, 2023 23:58:23.626120090 CET	443	49704	172.253.63.84	192.168.2.5
Nov 23, 2023 23:58:23.626290083 CET	49705	443	192.168.2.5	142.251.167.139
Nov 23, 2023 23:58:23.626364946 CET	443	49705	142.251.167.139	192.168.2.5
Nov 23, 2023 23:58:23.626507998 CET	49705	443	192.168.2.5	142.251.167.139
Nov 23, 2023 23:58:23.626518965 CET	443	49705	142.251.167.139	192.168.2.5
Nov 23, 2023 23:58:23.738293886 CET	49704	443	192.168.2.5	172.253.63.84
Nov 23, 2023 23:58:23.738322973 CET	49705	443	192.168.2.5	142.251.167.139
Nov 23, 2023 23:58:23.805721998 CET	443	49705	142.251.167.139	192.168.2.5
Nov 23, 2023 23:58:23.805835962 CET	443	49705	142.251.167.139	192.168.2.5
Nov 23, 2023 23:58:23.805906057 CET	49705	443	192.168.2.5	142.251.167.139
Nov 23, 2023 23:58:23.806449890 CET	49705	443	192.168.2.5	142.251.167.139
Nov 23, 2023 23:58:23.806478977 CET	443	49705	142.251.167.139	192.168.2.5
Nov 23, 2023 23:58:23.834095955 CET	443	49704	172.253.63.84	192.168.2.5
Nov 23, 2023 23:58:23.834222078 CET	443	49704	172.253.63.84	192.168.2.5
Nov 23, 2023 23:58:23.834290028 CET	49704	443	192.168.2.5	172.253.63.84
Nov 23, 2023 23:58:23.835504055 CET	49704	443	192.168.2.5	172.253.63.84
Nov 23, 2023 23:58:23.835525990 CET	443	49704	172.253.63.84	192.168.2.5
Nov 23, 2023 23:58:24.666856050 CET	49709	80	192.168.2.5	18.160.41.48
Nov 23, 2023 23:58:24.676023006 CET	49710	80	192.168.2.5	18.160.41.48
Nov 23, 2023 23:58:24.760569096 CET	80	49709	18.160.41.48	192.168.2.5
Nov 23, 2023 23:58:24.760703087 CET	49709	80	192.168.2.5	18.160.41.48
Nov 23, 2023 23:58:24.760992050 CET	49709	80	192.168.2.5	18.160.41.48
Nov 23, 2023 23:58:24.769903898 CET	80	49710	18.160.41.48	192.168.2.5
Nov 23, 2023 23:58:24.769984961 CET	49710	80	192.168.2.5	18.160.41.48
Nov 23, 2023 23:58:24.854724884 CET	80	49709	18.160.41.48	192.168.2.5
Nov 23, 2023 23:58:24.857903957 CET	80	49709	18.160.41.48	192.168.2.5
Nov 23, 2023 23:58:24.930509090 CET	49709	80	192.168.2.5	18.160.41.48
Nov 23, 2023 23:58:25.070203066 CET	80	49709	18.160.41.48	192.168.2.5
Nov 23, 2023 23:58:25.229737997 CET	80	49709	18.160.41.48	192.168.2.5
Nov 23, 2023 23:58:25.285806894 CET	49709	80	192.168.2.5	18.160.41.48
Nov 23, 2023 23:58:26.129107952 CET	49714	443	192.168.2.5	142.251.16.103
Nov 23, 2023 23:58:26.129154921 CET	443	49714	142.251.16.103	192.168.2.5
Nov 23, 2023 23:58:26.129215002 CET	49714	443	192.168.2.5	142.251.16.103
Nov 23, 2023 23:58:26.129923105 CET	49714	443	192.168.2.5	142.251.16.103
Nov 23, 2023 23:58:26.129940987 CET	443	49714	142.251.16.103	192.168.2.5
Nov 23, 2023 23:58:26.145426989 CET	49675	443	192.168.2.5	23.1.237.91
Nov 23, 2023 23:58:26.161063910 CET	49674	443	192.168.2.5	23.1.237.91
Nov 23, 2023 23:58:26.242021084 CET	49673	443	192.168.2.5	23.1.237.91
Nov 23, 2023 23:58:26.325826883 CET	443	49714	142.251.16.103	192.168.2.5
Nov 23, 2023 23:58:26.326347113 CET	49714	443	192.168.2.5	142.251.16.103
Nov 23, 2023 23:58:26.326366901 CET	443	49714	142.251.16.103	192.168.2.5
Nov 23, 2023 23:58:26.327389956 CET	443	49714	142.251.16.103	192.168.2.5
Nov 23, 2023 23:58:26.327476978 CET	49714	443	192.168.2.5	142.251.16.103
Nov 23, 2023 23:58:26.328775883 CET	49714	443	192.168.2.5	142.251.16.103
Nov 23, 2023 23:58:26.328836918 CET	443	49714	142.251.16.103	192.168.2.5
Nov 23, 2023 23:58:26.379719973 CET	49714	443	192.168.2.5	142.251.16.103
Nov 23, 2023 23:58:26.379731894 CET	443	49714	142.251.16.103	192.168.2.5
Nov 23, 2023 23:58:26.426765919 CET	49714	443	192.168.2.5	142.251.16.103
Nov 23, 2023 23:58:27.605818033 CET	443	49703	23.1.237.91	192.168.2.5
Nov 23, 2023 23:58:27.605917931 CET	49703	443	192.168.2.5	23.1.237.91
Nov 23, 2023 23:58:28.434664011 CET	49715	443	192.168.2.5	23.56.8.114
Nov 23, 2023 23:58:28.434685946 CET	443	49715	23.56.8.114	192.168.2.5
Nov 23, 2023 23:58:28.434755087 CET	49715	443	192.168.2.5	23.56.8.114
Nov 23, 2023 23:58:28.438616991 CET	49715	443	192.168.2.5	23.56.8.114
Nov 23, 2023 23:58:28.438627958 CET	443	49715	23.56.8.114	192.168.2.5
Nov 23, 2023 23:58:28.635343075 CET	443	49715	23.56.8.114	192.168.2.5
Nov 23, 2023 23:58:28.635561943 CET	49715	443	192.168.2.5	23.56.8.114
Nov 23, 2023 23:58:28.637933969 CET	49715	443	192.168.2.5	23.56.8.114
Nov 23, 2023 23:58:28.637937069 CET	443	49715	23.56.8.114	192.168.2.5
Nov 23, 2023 23:58:28.638161898 CET	443	49715	23.56.8.114	192.168.2.5
Nov 23, 2023 23:58:28.691215992 CET	49715	443	192.168.2.5	23.56.8.114
Nov 23, 2023 23:58:28.696357012 CET	49715	443	192.168.2.5	23.56.8.114
Nov 23, 2023 23:58:28.737299919 CET	443	49715	23.56.8.114	192.168.2.5
Nov 23, 2023 23:58:28.817348957 CET	443	49715	23.56.8.114	192.168.2.5
Nov 23, 2023 23:58:28.817524910 CET	443	49715	23.56.8.114	192.168.2.5
Nov 23, 2023 23:58:28.817557096 CET	49715	443	192.168.2.5	23.56.8.114
Nov 23, 2023 23:58:28.817570925 CET	443	49715	23.56.8.114	192.168.2.5
Nov 23, 2023 23:58:28.817593098 CET	49715	443	192.168.2.5	23.56.8.114
Nov 23, 2023 23:58:28.817598104 CET	443	49715	23.56.8.114	192.168.2.5
Nov 23, 2023 23:58:28.817616940 CET	49715	443	192.168.2.5	23.56.8.114
Nov 23, 2023 23:58:28.817620993 CET	443	49715	23.56.8.114	192.168.2.5
Nov 23, 2023 23:58:28.855638981 CET	49716	443	192.168.2.5	23.56.8.114
Nov 23, 2023 23:58:28.855688095 CET	443	49716	23.56.8.114	192.168.2.5
Nov 23, 2023 23:58:28.855775118 CET	49716	443	192.168.2.5	23.56.8.114
Nov 23, 2023 23:58:28.857007027 CET	49716	443	192.168.2.5	23.56.8.114
Nov 23, 2023 23:58:28.857026100 CET	443	49716	23.56.8.114	192.168.2.5
Nov 23, 2023 23:58:29.049559116 CET	443	49716	23.56.8.114	192.168.2.5
Nov 23, 2023 23:58:29.049741030 CET	49716	443	192.168.2.5	23.56.8.114
Nov 23, 2023 23:58:29.052654028 CET	49716	443	192.168.2.5	23.56.8.114
Nov 23, 2023 23:58:29.052660942 CET	443	49716	23.56.8.114	192.168.2.5
Nov 23, 2023 23:58:29.052889109 CET	443	49716	23.56.8.114	192.168.2.5
Nov 23, 2023 23:58:29.055069923 CET	49716	443	192.168.2.5	23.56.8.114
Nov 23, 2023 23:58:29.101262093 CET	443	49716	23.56.8.114	192.168.2.5
Nov 23, 2023 23:58:29.236620903 CET	443	49716	23.56.8.114	192.168.2.5
Nov 23, 2023 23:58:29.236726999 CET	443	49716	23.56.8.114	192.168.2.5
Nov 23, 2023 23:58:29.236892939 CET	49716	443	192.168.2.5	23.56.8.114
Nov 23, 2023 23:58:29.242350101 CET	49716	443	192.168.2.5	23.56.8.114
Nov 23, 2023 23:58:29.242377043 CET	443	49716	23.56.8.114	192.168.2.5
Nov 23, 2023 23:58:29.242410898 CET	49716	443	192.168.2.5	23.56.8.114
Nov 23, 2023 23:58:29.242417097 CET	443	49716	23.56.8.114	192.168.2.5
Nov 23, 2023 23:58:36.337405920 CET	443	49714	142.251.16.103	192.168.2.5
Nov 23, 2023 23:58:36.337476969 CET	443	49714	142.251.16.103	192.168.2.5
Nov 23, 2023 23:58:36.337594986 CET	49714	443	192.168.2.5	142.251.16.103
Nov 23, 2023 23:58:36.833300114 CET	49717	443	192.168.2.5	20.114.59.183
Nov 23, 2023 23:58:36.833334923 CET	443	49717	20.114.59.183	192.168.2.5
Nov 23, 2023 23:58:36.833422899 CET	49717	443	192.168.2.5	20.114.59.183
Nov 23, 2023 23:58:36.836698055 CET	49717	443	192.168.2.5	20.114.59.183
Nov 23, 2023 23:58:36.836709023 CET	443	49717	20.114.59.183	192.168.2.5
Nov 23, 2023 23:58:37.325995922 CET	443	49717	20.114.59.183	192.168.2.5
Nov 23, 2023 23:58:37.326085091 CET	49717	443	192.168.2.5	20.114.59.183
Nov 23, 2023 23:58:37.332493067 CET	49717	443	192.168.2.5	20.114.59.183
Nov 23, 2023 23:58:37.332501888 CET	443	49717	20.114.59.183	192.168.2.5
Nov 23, 2023 23:58:37.332772970 CET	443	49717	20.114.59.183	192.168.2.5
Nov 23, 2023 23:58:37.387010098 CET	49717	443	192.168.2.5	20.114.59.183
Nov 23, 2023 23:58:37.595668077 CET	49714	443	192.168.2.5	142.251.16.103
Nov 23, 2023 23:58:37.595705986 CET	443	49714	142.251.16.103	192.168.2.5
Nov 23, 2023 23:58:37.967175007 CET	49717	443	192.168.2.5	20.114.59.183
Nov 23, 2023 23:58:38.013248920 CET	443	49717	20.114.59.183	192.168.2.5
Nov 23, 2023 23:58:38.028285980 CET	49703	443	192.168.2.5	23.1.237.91
Nov 23, 2023 23:58:38.028410912 CET	49703	443	192.168.2.5	23.1.237.91
Nov 23, 2023 23:58:38.028805017 CET	49722	443	192.168.2.5	23.1.237.91
Nov 23, 2023 23:58:38.028821945 CET	443	49722	23.1.237.91	192.168.2.5
Nov 23, 2023 23:58:38.028898001 CET	49722	443	192.168.2.5	23.1.237.91
Nov 23, 2023 23:58:38.029222965 CET	49722	443	192.168.2.5	23.1.237.91
Nov 23, 2023 23:58:38.029232025 CET	443	49722	23.1.237.91	192.168.2.5
Nov 23, 2023 23:58:38.181641102 CET	443	49703	23.1.237.91	192.168.2.5
Nov 23, 2023 23:58:38.181741953 CET	443	49703	23.1.237.91	192.168.2.5
Nov 23, 2023 23:58:38.285298109 CET	443	49717	20.114.59.183	192.168.2.5
Nov 23, 2023 23:58:38.285317898 CET	443	49717	20.114.59.183	192.168.2.5
Nov 23, 2023 23:58:38.285325050 CET	443	49717	20.114.59.183	192.168.2.5
Nov 23, 2023 23:58:38.285337925 CET	443	49717	20.114.59.183	192.168.2.5
Nov 23, 2023 23:58:38.285343885 CET	443	49717	20.114.59.183	192.168.2.5
Nov 23, 2023 23:58:38.285350084 CET	443	49717	20.114.59.183	192.168.2.5
Nov 23, 2023 23:58:38.285379887 CET	49717	443	192.168.2.5	20.114.59.183
Nov 23, 2023 23:58:38.285393953 CET	443	49717	20.114.59.183	192.168.2.5
Nov 23, 2023 23:58:38.285557032 CET	443	49717	20.114.59.183	192.168.2.5
Nov 23, 2023 23:58:38.285571098 CET	49717	443	192.168.2.5	20.114.59.183
Nov 23, 2023 23:58:38.285571098 CET	49717	443	192.168.2.5	20.114.59.183
Nov 23, 2023 23:58:38.285578012 CET	443	49717	20.114.59.183	192.168.2.5
Nov 23, 2023 23:58:38.285587072 CET	443	49717	20.114.59.183	192.168.2.5
Nov 23, 2023 23:58:38.285617113 CET	49717	443	192.168.2.5	20.114.59.183
Nov 23, 2023 23:58:38.285623074 CET	443	49717	20.114.59.183	192.168.2.5
Nov 23, 2023 23:58:38.285630941 CET	49717	443	192.168.2.5	20.114.59.183
Nov 23, 2023 23:58:38.285664082 CET	49717	443	192.168.2.5	20.114.59.183
Nov 23, 2023 23:58:38.345963001 CET	443	49722	23.1.237.91	192.168.2.5
Nov 23, 2023 23:58:38.346057892 CET	49722	443	192.168.2.5	23.1.237.91
Nov 23, 2023 23:58:38.360982895 CET	49722	443	192.168.2.5	23.1.237.91
Nov 23, 2023 23:58:38.360991955 CET	443	49722	23.1.237.91	192.168.2.5
Nov 23, 2023 23:58:38.361282110 CET	443	49722	23.1.237.91	192.168.2.5
Nov 23, 2023 23:58:38.361335039 CET	49722	443	192.168.2.5	23.1.237.91
Nov 23, 2023 23:58:38.361763954 CET	49722	443	192.168.2.5	23.1.237.91
Nov 23, 2023 23:58:38.361787081 CET	443	49722	23.1.237.91	192.168.2.5
Nov 23, 2023 23:58:38.361918926 CET	49722	443	192.168.2.5	23.1.237.91
Nov 23, 2023 23:58:38.361924887 CET	443	49722	23.1.237.91	192.168.2.5
Nov 23, 2023 23:58:38.518265009 CET	49717	443	192.168.2.5	20.114.59.183
Nov 23, 2023 23:58:38.518279076 CET	443	49717	20.114.59.183	192.168.2.5
Nov 23, 2023 23:58:38.518321037 CET	49717	443	192.168.2.5	20.114.59.183
Nov 23, 2023 23:58:38.518327951 CET	443	49717	20.114.59.183	192.168.2.5
Nov 23, 2023 23:58:38.689941883 CET	443	49722	23.1.237.91	192.168.2.5
Nov 23, 2023 23:58:38.690000057 CET	49722	443	192.168.2.5	23.1.237.91
Nov 23, 2023 23:58:38.690434933 CET	443	49722	23.1.237.91	192.168.2.5
Nov 23, 2023 23:58:38.690478086 CET	49722	443	192.168.2.5	23.1.237.91
Nov 23, 2023 23:58:38.690480947 CET	443	49722	23.1.237.91	192.168.2.5
Nov 23, 2023 23:58:38.690526962 CET	49722	443	192.168.2.5	23.1.237.91
Nov 23, 2023 23:58:38.943512917 CET	49722	443	192.168.2.5	23.1.237.91
Nov 23, 2023 23:58:38.943543911 CET	443	49722	23.1.237.91	192.168.2.5
Nov 23, 2023 23:58:38.943563938 CET	49722	443	192.168.2.5	23.1.237.91
Nov 23, 2023 23:58:38.943613052 CET	49722	443	192.168.2.5	23.1.237.91
Nov 23, 2023 23:58:54.864751101 CET	80	49710	18.160.41.48	192.168.2.5
Nov 23, 2023 23:58:54.864836931 CET	49710	80	192.168.2.5	18.160.41.48
Nov 23, 2023 23:58:55.600287914 CET	49710	80	192.168.2.5	18.160.41.48
Nov 23, 2023 23:58:55.694171906 CET	80	49710	18.160.41.48	192.168.2.5
Nov 23, 2023 23:59:10.238253117 CET	49709	80	192.168.2.5	18.160.41.48
Nov 23, 2023 23:59:10.332341909 CET	80	49709	18.160.41.48	192.168.2.5
Nov 23, 2023 23:59:15.071561098 CET	49725	443	192.168.2.5	20.114.59.183
Nov 23, 2023 23:59:15.071614981 CET	443	49725	20.114.59.183	192.168.2.5
Nov 23, 2023 23:59:15.071691036 CET	49725	443	192.168.2.5	20.114.59.183
Nov 23, 2023 23:59:15.072763920 CET	49725	443	192.168.2.5	20.114.59.183
Nov 23, 2023 23:59:15.072782040 CET	443	49725	20.114.59.183	192.168.2.5
Nov 23, 2023 23:59:15.548202991 CET	443	49725	20.114.59.183	192.168.2.5
Nov 23, 2023 23:59:15.548299074 CET	49725	443	192.168.2.5	20.114.59.183
Nov 23, 2023 23:59:15.556560040 CET	49725	443	192.168.2.5	20.114.59.183
Nov 23, 2023 23:59:15.556577921 CET	443	49725	20.114.59.183	192.168.2.5
Nov 23, 2023 23:59:15.556787014 CET	443	49725	20.114.59.183	192.168.2.5
Nov 23, 2023 23:59:15.570754051 CET	49725	443	192.168.2.5	20.114.59.183
Nov 23, 2023 23:59:15.617268085 CET	443	49725	20.114.59.183	192.168.2.5
Nov 23, 2023 23:59:16.017503977 CET	443	49725	20.114.59.183	192.168.2.5
Nov 23, 2023 23:59:16.017534018 CET	443	49725	20.114.59.183	192.168.2.5
Nov 23, 2023 23:59:16.017549992 CET	443	49725	20.114.59.183	192.168.2.5
Nov 23, 2023 23:59:16.017657042 CET	49725	443	192.168.2.5	20.114.59.183
Nov 23, 2023 23:59:16.017703056 CET	443	49725	20.114.59.183	192.168.2.5
Nov 23, 2023 23:59:16.017720938 CET	443	49725	20.114.59.183	192.168.2.5
Nov 23, 2023 23:59:16.017757893 CET	49725	443	192.168.2.5	20.114.59.183
Nov 23, 2023 23:59:16.017807961 CET	49725	443	192.168.2.5	20.114.59.183
Nov 23, 2023 23:59:16.030981064 CET	49725	443	192.168.2.5	20.114.59.183
Nov 23, 2023 23:59:16.031018972 CET	443	49725	20.114.59.183	192.168.2.5
Nov 23, 2023 23:59:26.052723885 CET	49727	443	192.168.2.5	142.251.16.103
Nov 23, 2023 23:59:26.052753925 CET	443	49727	142.251.16.103	192.168.2.5
Nov 23, 2023 23:59:26.052845955 CET	49727	443	192.168.2.5	142.251.16.103
Nov 23, 2023 23:59:26.053484917 CET	49727	443	192.168.2.5	142.251.16.103
Nov 23, 2023 23:59:26.053498983 CET	443	49727	142.251.16.103	192.168.2.5
Nov 23, 2023 23:59:26.249994993 CET	443	49727	142.251.16.103	192.168.2.5
Nov 23, 2023 23:59:26.250593901 CET	49727	443	192.168.2.5	142.251.16.103
Nov 23, 2023 23:59:26.250612020 CET	443	49727	142.251.16.103	192.168.2.5
Nov 23, 2023 23:59:26.250941038 CET	443	49727	142.251.16.103	192.168.2.5
Nov 23, 2023 23:59:26.251463890 CET	49727	443	192.168.2.5	142.251.16.103
Nov 23, 2023 23:59:26.251527071 CET	443	49727	142.251.16.103	192.168.2.5
Nov 23, 2023 23:59:26.301335096 CET	49727	443	192.168.2.5	142.251.16.103
Nov 23, 2023 23:59:36.263015985 CET	443	49727	142.251.16.103	192.168.2.5
Nov 23, 2023 23:59:36.263086081 CET	443	49727	142.251.16.103	192.168.2.5
Nov 23, 2023 23:59:36.263139963 CET	49727	443	192.168.2.5	142.251.16.103
Nov 23, 2023 23:59:37.611105919 CET	49727	443	192.168.2.5	142.251.16.103
Nov 23, 2023 23:59:37.611135006 CET	443	49727	142.251.16.103	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 23, 2023 23:58:23.222357988 CET	54781	53	192.168.2.5	1.1.1.1
Nov 23, 2023 23:58:23.222851992 CET	53426	53	192.168.2.5	1.1.1.1
Nov 23, 2023 23:58:23.224370956 CET	53052	53	192.168.2.5	1.1.1.1
Nov 23, 2023 23:58:23.224626064 CET	50816	53	192.168.2.5	1.1.1.1
Nov 23, 2023 23:58:23.277918100 CET	53	62629	1.1.1.1	192.168.2.5
Nov 23, 2023 23:58:23.346925974 CET	53	54781	1.1.1.1	192.168.2.5
Nov 23, 2023 23:58:23.347738981 CET	53	53426	1.1.1.1	192.168.2.5
Nov 23, 2023 23:58:23.348683119 CET	53	50816	1.1.1.1	192.168.2.5
Nov 23, 2023 23:58:23.349623919 CET	53	53052	1.1.1.1	192.168.2.5
Nov 23, 2023 23:58:23.988151073 CET	53	53439	1.1.1.1	192.168.2.5
Nov 23, 2023 23:58:24.541193962 CET	50441	53	192.168.2.5	1.1.1.1
Nov 23, 2023 23:58:24.541440010 CET	64953	53	192.168.2.5	1.1.1.1
Nov 23, 2023 23:58:24.665493011 CET	53	50441	1.1.1.1	192.168.2.5
Nov 23, 2023 23:58:24.666008949 CET	53	64953	1.1.1.1	192.168.2.5
Nov 23, 2023 23:58:26.001902103 CET	49180	53	192.168.2.5	1.1.1.1
Nov 23, 2023 23:58:26.002584934 CET	65221	53	192.168.2.5	1.1.1.1
Nov 23, 2023 23:58:26.126394033 CET	53	49180	1.1.1.1	192.168.2.5
Nov 23, 2023 23:58:26.126810074 CET	53	65221	1.1.1.1	192.168.2.5
Nov 23, 2023 23:58:40.983619928 CET	53	57699	1.1.1.1	192.168.2.5
Nov 23, 2023 23:59:00.062304020 CET	53	58201	1.1.1.1	192.168.2.5
Nov 23, 2023 23:59:23.120273113 CET	53	62869	1.1.1.1	192.168.2.5
Nov 23, 2023 23:59:23.560055971 CET	53	61674	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 23, 2023 23:58:23.222357988 CET	192.168.2.5	1.1.1.1	0xd428	Standard query (0)	clients2.google.com	A (IP address)	IN (0x0001)	false
Nov 23, 2023 23:58:23.222851992 CET	192.168.2.5	1.1.1.1	0x6bf9	Standard query (0)	clients2.google.com	65	IN (0x0001)	false
Nov 23, 2023 23:58:23.224370956 CET	192.168.2.5	1.1.1.1	0xb590	Standard query (0)	accounts.google.com	A (IP address)	IN (0x0001)	false
Nov 23, 2023 23:58:23.224626064 CET	192.168.2.5	1.1.1.1	0x4c04	Standard query (0)	accounts.google.com	65	IN (0x0001)	false
Nov 23, 2023 23:58:24.541193962 CET	192.168.2.5	1.1.1.1	0xf356	Standard query (0)	trk.klclick2.com	A (IP address)	IN (0x0001)	false
Nov 23, 2023 23:58:24.541440010 CET	192.168.2.5	1.1.1.1	0xfbd1	Standard query (0)	trk.klclick2.com	65	IN (0x0001)	false
Nov 23, 2023 23:58:26.001902103 CET	192.168.2.5	1.1.1.1	0x31e5	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Nov 23, 2023 23:58:26.002584934 CET	192.168.2.5	1.1.1.1	0x9f0c	Standard query (0)	www.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 23, 2023 23:58:23.346925974 CET	1.1.1.1	192.168.2.5	0xd428	No error (0)	clients2.google.com	clients.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2023 23:58:23.346925974 CET	1.1.1.1	192.168.2.5	0xd428	No error (0)	clients.l.google.com		142.251.167.139	A (IP address)	IN (0x0001)	false
Nov 23, 2023 23:58:23.346925974 CET	1.1.1.1	192.168.2.5	0xd428	No error (0)	clients.l.google.com		142.251.167.100	A (IP address)	IN (0x0001)	false
Nov 23, 2023 23:58:23.346925974 CET	1.1.1.1	192.168.2.5	0xd428	No error (0)	clients.l.google.com		142.251.167.102	A (IP address)	IN (0x0001)	false
Nov 23, 2023 23:58:23.346925974 CET	1.1.1.1	192.168.2.5	0xd428	No error (0)	clients.l.google.com		142.251.167.113	A (IP address)	IN (0x0001)	false
Nov 23, 2023 23:58:23.346925974 CET	1.1.1.1	192.168.2.5	0xd428	No error (0)	clients.l.google.com		142.251.167.138	A (IP address)	IN (0x0001)	false
Nov 23, 2023 23:58:23.346925974 CET	1.1.1.1	192.168.2.5	0xd428	No error (0)	clients.l.google.com		142.251.167.101	A (IP address)	IN (0x0001)	false
Nov 23, 2023 23:58:23.347738981 CET	1.1.1.1	192.168.2.5	0x6bf9	No error (0)	clients2.google.com	clients.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2023 23:58:23.349623919 CET	1.1.1.1	192.168.2.5	0xb590	No error (0)	accounts.google.com		172.253.63.84	A (IP address)	IN (0x0001)	false
Nov 23, 2023 23:58:24.665493011 CET	1.1.1.1	192.168.2.5	0xf356	No error (0)	trk.klclick2.com		18.160.41.48	A (IP address)	IN (0x0001)	false
Nov 23, 2023 23:58:24.665493011 CET	1.1.1.1	192.168.2.5	0xf356	No error (0)	trk.klclick2.com		18.160.41.87	A (IP address)	IN (0x0001)	false
Nov 23, 2023 23:58:24.665493011 CET	1.1.1.1	192.168.2.5	0xf356	No error (0)	trk.klclick2.com		18.160.41.7	A (IP address)	IN (0x0001)	false
Nov 23, 2023 23:58:24.665493011 CET	1.1.1.1	192.168.2.5	0xf356	No error (0)	trk.klclick2.com		18.160.41.10	A (IP address)	IN (0x0001)	false
Nov 23, 2023 23:58:26.126394033 CET	1.1.1.1	192.168.2.5	0x31e5	No error (0)	www.google.com		142.251.16.103	A (IP address)	IN (0x0001)	false
Nov 23, 2023 23:58:26.126394033 CET	1.1.1.1	192.168.2.5	0x31e5	No error (0)	www.google.com		142.251.16.99	A (IP address)	IN (0x0001)	false
Nov 23, 2023 23:58:26.126394033 CET	1.1.1.1	192.168.2.5	0x31e5	No error (0)	www.google.com		142.251.16.106	A (IP address)	IN (0x0001)	false
Nov 23, 2023 23:58:26.126394033 CET	1.1.1.1	192.168.2.5	0x31e5	No error (0)	www.google.com		142.251.16.147	A (IP address)	IN (0x0001)	false
Nov 23, 2023 23:58:26.126394033 CET	1.1.1.1	192.168.2.5	0x31e5	No error (0)	www.google.com		142.251.16.104	A (IP address)	IN (0x0001)	false
Nov 23, 2023 23:58:26.126394033 CET	1.1.1.1	192.168.2.5	0x31e5	No error (0)	www.google.com		142.251.16.105	A (IP address)	IN (0x0001)	false
Nov 23, 2023 23:58:26.126810074 CET	1.1.1.1	192.168.2.5	0x9f0c	No error (0)	www.google.com			65	IN (0x0001)	false

HTTP Request Dependency Graph

accounts.google.com

clients2.google.com

fs.microsoft.com

slscr.update.microsoft.com

https:

www.bing.com

trk.klclick2.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49709	18.160.41.48	80	5432	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
Nov 23, 2023 23:58:24.760992050 CET	485	OUT	GET / HTTP/1.1 Host: trk.klclick2.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9
Nov 23, 2023 23:58:24.857903957 CET	964	IN	HTTP/1.1 404 Not Found Content-Type: text/html Content-Length: 564 Connection: keep-alive Server: nginx Date: Thu, 23 Nov 2023 22:58:24 GMT X-Cache: Error from cloudfront Via: 1.1 8b1ca38f6b0e2c14ce8c202175f971a6.cloudfront.net (CloudFront) X-Amz-Cf-Pop: IAD55-P1 X-Amz-Cf-Id: G0NwHfgdeeQ4nJLL3Cof0-nlhWprsq9cNXWhXcoURct2x2LqKxR_MA== Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Nov 23, 2023 23:58:24.930509090 CET	430	OUT	GET /favicon.ico HTTP/1.1 Host: trk.klclick2.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Referer: http://trk.klclick2.com/ Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9
Nov 23, 2023 23:58:25.229737997 CET	964	IN	HTTP/1.1 404 Not Found Content-Type: text/html Content-Length: 564 Connection: keep-alive Server: nginx Date: Thu, 23 Nov 2023 22:58:25 GMT X-Cache: Error from cloudfront Via: 1.1 8b1ca38f6b0e2c14ce8c202175f971a6.cloudfront.net (CloudFront) X-Amz-Cf-Pop: IAD55-P1 X-Amz-Cf-Id: MhM419aMHpGs7pRsM0u2u8ZvntJnCo5sEau5YCXDt_JQPC_LhJGWrQ== Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Nov 23, 2023 23:59:10.238253117 CET	60	OUT	Data Raw: 00 Data Ascii:

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	172.253.63.84	443	5432	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2023-11-23 22:58:23 UTC	680	OUT	POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1 Host: accounts.google.com Connection: keep-alive Content-Length: 1 Origin: https://www.google.com Content-Type: application/x-www-form-urlencoded Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=511=Ef5vPFGw-MZYo5hwe-0ThAVslbxbmvdVZwcHnqVzWHAU14v53MN1VvwvQq8baYfg2-IAtqZBV5NOL5rvj2NWIqrz377UhLdHtOgE-tJaBlUBYJEhuGsQdqni3oTJg0brqv1djdiLJyvTSUhdK-c5JWadCSsULPLzhSx-F-6wOg4
2023-11-23 22:58:23 UTC	1	OUT	Data Raw: 20 Data Ascii:
2023-11-23 22:58:23 UTC	1627	IN	Data Raw: 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 73 6f 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 41 63 63 65 73 73 2d 43 6f 6e 74 72 6f 6c 2d 41 6c 6c 6f 77 2d 4f 72 69 67 69 6e 3a 20 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 0d 0a 41 63 63 65 73 73 2d 43 6f 6e 74 72 6f 6c 2d 41 6c 6c 6f 77 2d 43 72 65 64 65 6e 74 69 61 6c 73 3a 20 74 72 75 65 0d 0a 58 2d 43 6f 6e 74 65 6e 74 2d 54 79 70 65 2d 4f 70 74 69 6f 6e 73 3a 20 6e 6f 73 6e 69 66 66 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f 6c 3a 20 6e 6f 2d 63 61 63 68 65 2c 20 6e 6f 2d 73 74 6f 72 65 2c 20 6d 61 78 2d 61 67 65 3d 30 2c 20 6d 75 73 74 2d 72 65 76 61 6c 69 64 61 74 65 0d 0a 50 72 Data Ascii: HTTP/1.1 200 OKContent-Type: application/json; charset=utf-8Access-Control-Allow-Origin: https://www.google.comAccess-Control-Allow-Credentials: trueX-Content-Type-Options: nosniffCache-Control: no-cache, no-store, max-age=0, must-revalidatePr
2023-11-23 22:58:23 UTC	23	IN	Data Raw: 31 31 0d 0a 5b 22 67 61 69 61 2e 6c 2e 61 2e 72 22 2c 5b 5d 5d 0d 0a Data Ascii: 11["gaia.l.a.r",[]]
2023-11-23 22:58:23 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49705	142.251.167.139	443	5432	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2023-11-23 22:58:23 UTC	752	OUT	GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=117.0.5938.132&lang=en-US&acceptformat=crx3,puff&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26brand%3DONGR%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1 Host: clients2.google.com Connection: keep-alive X-Goog-Update-Interactivity: fg X-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda X-Goog-Update-Updater: chromecrx-117.0.5938.132 Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2023-11-23 22:58:23 UTC	732	IN	Data Raw: 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 3a 20 73 63 72 69 70 74 2d 73 72 63 20 27 72 65 70 6f 72 74 2d 73 61 6d 70 6c 65 27 20 27 6e 6f 6e 63 65 2d 6d 44 2d 56 46 54 63 4e 74 55 47 6a 4f 7a 33 34 65 50 6a 30 42 51 27 20 27 75 6e 73 61 66 65 2d 69 6e 6c 69 6e 65 27 20 27 73 74 72 69 63 74 2d 64 79 6e 61 6d 69 63 27 20 68 74 74 70 73 3a 20 68 74 74 70 3a 3b 6f 62 6a 65 63 74 2d 73 72 63 20 27 6e 6f 6e 65 27 3b 62 61 73 65 2d 75 72 69 20 27 73 65 6c 66 27 3b 72 65 70 6f 72 74 2d 75 72 69 20 68 74 74 70 73 3a 2f 2f 63 73 70 2e 77 69 74 68 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 63 73 70 2f 63 6c 69 65 6e 74 75 70 64 61 74 65 2d 61 75 73 2f 31 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f 6c Data Ascii: HTTP/1.1 200 OKContent-Security-Policy: script-src 'report-sample' 'nonce-mD-VFTcNtUGjOz34ePj0BQ' 'unsafe-inline' 'strict-dynamic' https: http:;object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/clientupdate-aus/1Cache-Control
2023-11-23 22:58:23 UTC	520	IN	Data Raw: 32 63 39 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 67 75 70 64 61 74 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 75 70 64 61 74 65 32 2f 72 65 73 70 6f 6e 73 65 22 20 70 72 6f 74 6f 63 6f 6c 3d 22 32 2e 30 22 20 73 65 72 76 65 72 3d 22 70 72 6f 64 22 3e 3c 64 61 79 73 74 61 72 74 20 65 6c 61 70 73 65 64 5f 64 61 79 73 3d 22 36 31 37 30 22 20 65 6c 61 70 73 65 64 5f 73 65 63 6f 6e 64 73 3d 22 35 33 39 30 33 22 2f 3e 3c 61 70 70 20 61 70 70 69 64 3d 22 6e 6d 6d 68 6b 6b 65 67 63 63 61 67 64 6c 64 67 69 69 6d 65 64 70 69 63 63 6d 67 6d 69 65 64 61 22 20 63 6f 68 6f 72 74 3d 22 31 3a 3a 22 20 63 6f 68 6f 72 74 6e 61 6d 65 3d 22 22 Data Ascii: 2c9<?xml version="1.0" encoding="UTF-8"?><gupdate xmlns="http://www.google.com/update2/response" protocol="2.0" server="prod"><daystart elapsed_days="6170" elapsed_seconds="53903"/><app appid="nmmhkkegccagdldgiimedpiccmgmieda" cohort="1::" cohortname=""
2023-11-23 22:58:23 UTC	200	IN	Data Raw: 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 68 61 73 68 5f 73 68 61 32 35 36 3d 22 38 31 65 33 61 34 64 34 33 61 37 33 36 39 39 65 31 62 37 37 38 31 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 70 72 6f 74 65 63 74 65 64 3d 22 30 22 20 73 69 7a 65 3d 22 32 34 38 35 33 31 22 20 73 74 61 74 75 73 3d 22 6f 6b 22 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 2e 30 2e 36 22 2f 3e 3c 2f 61 70 70 3e 3c 2f 67 75 70 64 61 74 65 3e 0d 0a Data Ascii: 723f56b8717175c536685c5450122b30789464ad82" hash_sha256="81e3a4d43a73699e1b7781723f56b8717175c536685c5450122b30789464ad82" protected="0" size="248531" status="ok" version="1.0.0.6"/></app></gupdate>
2023-11-23 22:58:23 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49715	23.56.8.114	443

Timestamp	Bytes transferred	Direction	Data
2023-11-23 22:58:28 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2023-11-23 22:58:28 UTC	436	IN	Data Raw: 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d 0a 41 70 69 56 65 72 73 69 6f 6e 3a 20 44 69 73 74 72 69 62 75 74 65 20 31 2e 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 61 74 74 61 63 68 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 63 6f 6e 66 69 67 2e 6a 73 6f 6e 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 55 54 46 2d 38 27 27 63 6f 6e 66 69 67 2e 6a 73 6f 6e 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 45 54 61 67 3a 20 22 30 78 36 34 36 36 37 46 37 30 37 46 46 30 37 44 36 32 42 37 33 33 44 42 43 42 37 39 45 46 45 33 38 35 35 45 36 38 38 36 43 39 39 37 35 42 30 43 30 42 34 36 37 44 34 36 32 33 31 42 33 46 41 35 45 37 22 0d 0a 4c 61 73 74 2d 4d 6f 64 69 Data Ascii: HTTP/1.1 200 OKApiVersion: Distribute 1.1Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.jsonContent-Type: application/octet-streamETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7"Last-Modi

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49716	23.56.8.114	443

Timestamp	Bytes transferred	Direction	Data
2023-11-23 22:58:29 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2023-11-23 22:58:29 UTC	531	IN	Data Raw: 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d 0a 4c 61 73 74 2d 4d 6f 64 69 66 69 65 64 3a 20 54 75 65 2c 20 31 36 20 4d 61 79 20 32 30 31 37 20 32 32 3a 35 38 3a 30 30 20 47 4d 54 0d 0a 45 54 61 67 3a 20 22 30 78 36 34 36 36 37 46 37 30 37 46 46 30 37 44 36 32 42 37 33 33 44 42 43 42 37 39 45 46 45 33 38 35 35 45 36 38 38 36 43 39 39 37 35 42 30 43 30 42 34 36 37 44 34 36 32 33 31 42 33 46 41 35 45 37 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 41 70 69 56 65 72 73 69 6f 6e 3a 20 44 69 73 74 72 69 62 75 74 65 20 31 2e 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 61 74 74 61 63 68 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 63 6f 6e 66 69 67 Data Ascii: HTTP/1.1 200 OKLast-Modified: Tue, 16 May 2017 22:58:00 GMTETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7"Content-Type: application/octet-streamApiVersion: Distribute 1.1Content-Disposition: attachment; filename=config
2023-11-23 22:58:29 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49717	20.114.59.183	443

Timestamp	Bytes transferred	Direction	Data
2023-11-23 22:58:37 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=PUhwr1uzg5zLGlY&MD=caRXVTWM HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2023-11-23 22:58:38 UTC	560	IN	Data Raw: 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f 6c 3a 20 6e 6f 2d 63 61 63 68 65 0d 0a 50 72 61 67 6d 61 3a 20 6e 6f 2d 63 61 63 68 65 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 45 78 70 69 72 65 73 3a 20 2d 31 0d 0a 4c 61 73 74 2d 4d 6f 64 69 66 69 65 64 3a 20 4d 6f 6e 2c 20 30 31 20 4a 61 6e 20 30 30 30 31 20 30 30 3a 30 30 3a 30 30 20 47 4d 54 0d 0a 45 54 61 67 3a 20 22 58 41 6f 70 61 7a 56 30 30 58 44 57 6e 4a 43 77 6b 6d 45 57 52 76 36 4a 6b 62 6a 52 41 39 51 53 53 5a 32 2b 65 2f 33 4d 7a 45 6b 3d 5f 32 38 38 30 22 0d 0a 4d 53 2d 43 6f 72 72 65 6c 61 74 69 6f 6e 49 64 3a 20 37 38 39 66 30 39 34 61 2d 37 62 66 38 2d 34 36 39 63 2d Data Ascii: HTTP/1.1 200 OKCache-Control: no-cachePragma: no-cacheContent-Type: application/octet-streamExpires: -1Last-Modified: Mon, 01 Jan 0001 00:00:00 GMTETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880"MS-CorrelationId: 789f094a-7bf8-469c-
2023-11-23 22:58:38 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2023-11-23 22:58:38 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port
5	192.168.2.5	49722	23.1.237.91	443

Timestamp	Bytes transferred	Direction	Data
2023-11-23 22:58:38 UTC	2148	OUT	POST /threshold/xls.aspx HTTP/1.1 Origin: https://www.bing.com Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init Accept: / Accept-Language: en-CH Content-type: text/xml X-Agent-DeviceId: 01000A410900D492 X-BM-CBT: 1696428841 X-BM-DateFormat: dd/MM/yyyy X-BM-DeviceDimensions: 784x984 X-BM-DeviceDimensionsLogical: 784x984 X-BM-DeviceScale: 100 X-BM-DTZ: 120 X-BM-Market: CH X-BM-Theme: 000000;0078d7 X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66E X-Device-ClientSession: DB0AFB19004F47BC80E5208C7478FF22 X-Device-isOptin: false X-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A} X-Device-OSSKU: 48 X-Device-Touch: false X-DeviceID: 01000A410900D492 X-MSEdge-ExternalExp: d-thshld39,d-thshld42,d-thshld77,d-thshld78,staticsh X-MSEdge-ExternalExpType: JointCoord X-PositionerType: Desktop X-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI X-Search-CortanaAvailableCapabilities: None X-Search-SafeSearch: Moderate X-Search-TimeZone: Bias=-60; DaylightBias=-60; TimeZoneKeyName=W. Europe Standard Time X-UserAgeClass: Unknown Accept-Encoding: gzip, deflate, br User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045 Host: www.bing.com Content-Length: 2483 Connection: Keep-Alive Cache-Control: no-cache Cookie: MUID=2F4E96DB8B7049E59AD4484C3C00F7CF; _SS=SID=1A6DEABB468B65843EB5F91B47916435&CPID=1700780286039&AC=1&CPH=d1a4eb75; _EDGE_S=SID=1A6DEABB468B65843EB5F91B47916435; SRCHUID=V=2&GUID=3D32B8AC657C4AD781A584E283227995&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20231004; SRCHHPGUSR=SRCHLANG=en&IPMH=986d886c&IPMID=1696428841029&HV=1696428756; CortanaAppUID=5A290E2CC4B523E2D8B5E2E3E4CB7CB7; MUIDB=2F4E96DB8B7049E59AD4484C3C00F7CF
2023-11-23 22:58:38 UTC	1	OUT	Data Raw: 3c Data Ascii: <
2023-11-23 22:58:38 UTC	2482	OUT	Data Raw: 43 6c 69 65 6e 74 49 6e 73 74 52 65 71 75 65 73 74 3e 3c 43 49 44 3e 33 36 34 34 46 44 37 34 44 46 31 36 36 31 38 46 30 38 46 37 45 43 30 33 44 45 35 35 36 30 30 31 3c 2f 43 49 44 3e 3c 45 76 65 6e 74 73 3e 3c 45 3e 3c 54 3e 45 76 65 6e 74 2e 43 6c 69 65 6e 74 49 6e 73 74 3c 2f 54 3e 3c 49 47 3e 37 35 32 32 38 31 35 36 37 30 33 41 34 30 44 35 42 39 37 45 35 41 36 38 33 36 46 32 41 31 43 45 3c 2f 49 47 3e 3c 44 3e 3c 21 5b 43 44 41 54 41 5b 7b 22 43 75 72 55 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 69 6e 67 2e 63 6f 6d 2f 41 53 2f 41 50 49 2f 57 69 6e 64 6f 77 73 43 6f 72 74 61 6e 61 50 61 6e 65 2f 56 32 2f 49 6e 69 74 22 2c 22 50 69 76 6f 74 22 3a 22 51 46 22 2c 22 54 22 3a 22 43 49 2e 42 6f 78 4d 6f 64 65 6c 22 2c 22 46 49 44 22 3a 22 43 49 Data Ascii: ClientInstRequest><CID>3644FD74DF16618F08F7EC03DE556001</CID><Events><E><T>Event.ClientInst</T><IG>75228156703A40D5B97E5A6836F2A1CE</IG><D><![CDATA[{"CurUrl":"https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init","Pivot":"QF","T":"CI.BoxModel","FID":"CI
2023-11-23 22:58:38 UTC	475	IN	Data Raw: 48 54 54 50 2f 31 2e 31 20 32 30 34 20 4e 6f 20 43 6f 6e 74 65 6e 74 0d 0a 41 63 63 65 73 73 2d 43 6f 6e 74 72 6f 6c 2d 41 6c 6c 6f 77 2d 4f 72 69 67 69 6e 3a 20 2a 0d 0a 41 63 63 65 70 74 2d 43 48 3a 20 53 65 63 2d 43 48 2d 55 41 2d 41 72 63 68 2c 20 53 65 63 2d 43 48 2d 55 41 2d 42 69 74 6e 65 73 73 2c 20 53 65 63 2d 43 48 2d 55 41 2d 46 75 6c 6c 2d 56 65 72 73 69 6f 6e 2c 20 53 65 63 2d 43 48 2d 55 41 2d 46 75 6c 6c 2d 56 65 72 73 69 6f 6e 2d 4c 69 73 74 2c 20 53 65 63 2d 43 48 2d 55 41 2d 4d 6f 62 69 6c 65 2c 20 53 65 63 2d 43 48 2d 55 41 2d 4d 6f 64 65 6c 2c 20 53 65 63 2d 43 48 2d 55 41 2d 50 6c 61 74 66 6f 72 6d 2c 20 53 65 63 2d 43 48 2d 55 41 2d 50 6c 61 74 66 6f 72 6d 2d 56 65 72 73 69 6f 6e 0d 0a 58 2d 4d 53 45 64 67 65 2d 52 65 66 3a 20 52 65 Data Ascii: HTTP/1.1 204 No ContentAccess-Control-Allow-Origin: *Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionX-MSEdge-Ref: Re

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49725	20.114.59.183	443

Timestamp	Bytes transferred	Direction	Data
2023-11-23 22:59:15 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=PUhwr1uzg5zLGlY&MD=caRXVTWM HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2023-11-23 22:59:16 UTC	560	IN	Data Raw: 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f 6c 3a 20 6e 6f 2d 63 61 63 68 65 0d 0a 50 72 61 67 6d 61 3a 20 6e 6f 2d 63 61 63 68 65 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 45 78 70 69 72 65 73 3a 20 2d 31 0d 0a 4c 61 73 74 2d 4d 6f 64 69 66 69 65 64 3a 20 4d 6f 6e 2c 20 30 31 20 4a 61 6e 20 30 30 30 31 20 30 30 3a 30 30 3a 30 30 20 47 4d 54 0d 0a 45 54 61 67 3a 20 22 4d 78 31 52 6f 4a 48 2f 71 45 77 70 57 66 4b 6c 6c 78 37 73 62 73 6c 32 38 41 75 45 52 7a 35 49 59 64 63 73 76 74 54 4a 63 67 4d 3d 5f 32 31 36 30 22 0d 0a 4d 53 2d 43 6f 72 72 65 6c 61 74 69 6f 6e 49 64 3a 20 38 39 33 64 39 64 30 61 2d 31 37 31 34 2d 34 30 36 37 2d Data Ascii: HTTP/1.1 200 OKCache-Control: no-cachePragma: no-cacheContent-Type: application/octet-streamExpires: -1Last-Modified: Mon, 01 Jan 0001 00:00:00 GMTETag: "Mx1RoJH/qEwpWfKllx7sbsl28AuERz5IYdcsvtTJcgM=_2160"MS-CorrelationId: 893d9d0a-1714-4067-
2023-11-23 22:59:16 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 51 22 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 db 8e 00 00 14 00 00 00 00 00 10 00 51 22 00 00 20 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 f3 43 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 0d 92 6f db e5 21 f3 43 43 4b ed 5a 09 38 55 5b df 3f 93 99 90 29 99 e7 29 ec 73 cc 4a 66 32 cf 84 32 64 c8 31 c7 11 52 38 87 90 42 66 09 99 87 32 0f 19 0a 09 51 a6 a8 08 29 53 86 4a 52 84 50 df 46 83 ba dd 7b df fb 7e ef 7d ee 7d bf ef 9e e7 d9 67 ef 35 ee b5 fe eb 3f ff b6 96 81 a2 0a 04 fc 31 40 21 5b 3f a5 ed 1b 04 0e 85 42 a0 10 04 64 12 6c a5 de aa a1 d8 ea f3 58 01 f2 f5 67 0b 5e 9b bd e8 a0 90 1d bf 40 88 9d eb 49 b4 87 9b ab 8b 9d 2b 46 c8 c7 c5 19 92 Data Ascii: MSCFQ"DQ" AdCenvironment.cabo!CCKZ8U[?))sJf22d1R8Bf2Q)SJRPF{~}}g5?1@![?BdlXg^@I+F
2023-11-23 22:59:16 UTC	9633	IN	Data Raw: 21 6f b3 eb a6 cc f5 31 be cf 05 e2 a9 fe fa 57 6d 19 30 b3 c2 c5 66 c9 6a df f5 e7 f0 78 bd c7 a8 9e 25 e3 f9 bc ed 6b 54 57 08 2b 51 82 44 12 fb b9 53 8c cc f4 60 12 8a 76 cc 40 40 41 9b dc 5c 17 ff 5c f9 5e 17 35 98 24 56 4b 74 ef 42 10 c8 af bf 7f c6 7f f2 37 7d 5a 3f 1c f2 99 79 4a 91 52 00 af 38 0f 17 f5 2f 79 81 65 d9 a9 b5 6b e4 c7 ce f6 ca 7a 00 6f 4b 30 44 24 22 3c cf ed 03 a5 96 8f 59 29 bc b6 fd 04 e1 70 9f 32 4a 27 fd 55 af 2f fe b6 e5 8e 33 bb 62 5f 9a db 57 40 e9 f1 ce 99 66 90 8c ff 6a 62 7f dd c5 4a 0b 91 26 e2 39 ec 19 4a 71 63 9d 7b 21 6d c3 9c a3 a2 3c fa 7f 7d 96 6a 90 78 a6 6d d2 e1 9c f9 1d fc 38 d8 94 f4 c6 a5 0a 96 86 a4 bd 9e 1a ae 04 42 83 b8 b5 80 9b 22 38 20 b5 25 e5 64 ec f7 f4 bf 7e 63 59 25 0f 7a 2e 39 57 76 a2 71 aa 06 8a Data Ascii: !o1Wm0fjx%kTW+QDS`v@@A\\^5$VKtB7}Z?yJR8/yekzoK0D$"<Y)p2J'U/3b_W@fjbJ&9Jqc{!m<}jxm8B"8 %d~cY%z.9Wvq

Statistics

CPU Usage

• chrome.exe
• chrome.exe
• chrome.exe

Click to jump to process

Memory Usage

• chrome.exe
• chrome.exe
• chrome.exe

Click to jump to process

Click to jump to process

Target ID:	0
Start time:	23:58:16
Start date:	23/11/2023
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	23:58:19
Start date:	23/11/2023
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 --field-trial-handle=2196,i,16364107407184605009,10794211104587098240,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	23:58:23
Start date:	23/11/2023
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Google\Chrome\Application\chrome.exe" "http://trk.klclick2.com
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Source: global traffic	HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=117.0.5938.132&lang=en-US&acceptformat=crx3,puff&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26brand%3DONGR%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmiedaX-Goog-Update-Updater: chromecrx-117.0.5938.132Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=PUhwr1uzg5zLGlY&MD=caRXVTWM HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=PUhwr1uzg5zLGlY&MD=caRXVTWM HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: trk.klclick2.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: trk.klclick2.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Referer: http://trk.klclick2.com/Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlContent-Length: 564Connection: keep-aliveServer: nginxDate: Thu, 23 Nov 2023 22:58:24 GMTX-Cache: Error from cloudfrontVia: 1.1 8b1ca38f6b0e2c14ce8c202175f971a6.cloudfront.net (CloudFront)X-Amz-Cf-Pop: IAD55-P1X-Amz-Cf-Id: G0NwHfgdeeQ4nJLL3Cof0-nlhWprsq9cNXWhXcoURct2x2LqKxR_MA==Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlContent-Length: 564Connection: keep-aliveServer: nginxDate: Thu, 23 Nov 2023 22:58:25 GMTX-Cache: Error from cloudfrontVia: 1.1 8b1ca38f6b0e2c14ce8c202175f971a6.cloudfront.net (CloudFront)X-Amz-Cf-Pop: IAD55-P1X-Amz-Cf-Id: MhM419aMHpGs7pRsM0u2u8ZvntJnCo5sEau5YCXDt_JQPC_LhJGWrQ==Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.56.8.114
Source: unknown	TCP traffic detected without corresponding DNS query: 23.56.8.114
Source: unknown	TCP traffic detected without corresponding DNS query: 23.56.8.114
Source: unknown	TCP traffic detected without corresponding DNS query: 23.56.8.114
Source: unknown	TCP traffic detected without corresponding DNS query: 23.56.8.114
Source: unknown	TCP traffic detected without corresponding DNS query: 23.56.8.114
Source: unknown	TCP traffic detected without corresponding DNS query: 23.56.8.114
Source: unknown	TCP traffic detected without corresponding DNS query: 23.56.8.114
Source: unknown	TCP traffic detected without corresponding DNS query: 23.56.8.114
Source: unknown	TCP traffic detected without corresponding DNS query: 23.56.8.114
Source: unknown	TCP traffic detected without corresponding DNS query: 23.56.8.114
Source: unknown	TCP traffic detected without corresponding DNS query: 23.56.8.114
Source: unknown	TCP traffic detected without corresponding DNS query: 23.56.8.114
Source: unknown	TCP traffic detected without corresponding DNS query: 23.56.8.114
Source: unknown	TCP traffic detected without corresponding DNS query: 23.56.8.114
Source: unknown	TCP traffic detected without corresponding DNS query: 23.56.8.114
Source: unknown	TCP traffic detected without corresponding DNS query: 23.56.8.114
Source: unknown	TCP traffic detected without corresponding DNS query: 23.56.8.114
Source: unknown	TCP traffic detected without corresponding DNS query: 23.56.8.114
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report http://trk.klclick2.com

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Phishing

Compliance

Networking

System Summary

Boot Survival

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Chrome Cache Entry: 66

Chrome Cache Entry: 67

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: chrome.exePID: 5880, Parent PID: 5764

General

File Activities

File Opened

File Created

File Deleted

Windows Analysis Report
http://trk.klclick2.com