Edit tour

Windows Analysis Report
http://imp.impdelivery.xyz

Overview

General Information

Sample URL:	http://imp.impdelivery.xyz
Analysis ID:	1348940
Infos:

Detection

Score:	20
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Performs DNS queries to domains with low reputation

Creates files inside the system directory

Classification

Process Tree

System is w10x64

chrome.exe (PID: 2416 cmdline: C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 5848 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 --field-trial-handle=2224,i,1250223647325735963,690844727406367763,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6328 cmdline: C:\Program Files\Google\Chrome\Application\chrome.exe" "http://imp.impdelivery.xyz MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

HTTP traffic detected: HTTP/1.1 404 Not Foundserver: nginx/1.24.0date: Mon, 27 Nov 2023 22:26:53 GMTcontent-type: application/json; charset=utf-8content-length: 83Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 22 52 6f 75 74 65 20 47 45 54 3a 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 20 6e 6f 74 20 66 6f 75 6e 64 22 2c 22 65 72 72 6f 72 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 2c 22 73 74 61 74 75 73 43 6f 64 65 22 3a 34 30 34 7d Data Ascii: {"message":"Route GET:/favicon.ico not found","error":"Not Found","statusCode":404}

Source: unknown

HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=511=j8SQUTltnVU5cOAeyzqSxW-qHOakRuBHDQGLTGeceC9Z5rRzk5trMKb4CuZC_CFmc7KFwQcRJL-qGz8MvkkzMZmElvXAFWLO-TPZ9PMqBYA78ZAuaepnXIRHe-TAolVoW6Z7dQnqpgyX0m-TmS72bebAgoqZv5GkpRFUcZIw1Kk

Source: unknown	HTTPS traffic detected: 23.222.194.90:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.222.194.90:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.4:49747 version: TLS 1.2

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Windows\SystemTemp\chrome_BITS_2416_1067105043

Jump to behavior

Source: classification engine

Classification label: sus20.troj.win@16/2@8/6

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 --field-trial-handle=2224,i,1250223647325735963,690844727406367763,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" "http://imp.impdelivery.xyz
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 --field-trial-handle=2224,i,1250223647325735963,690844727406367763,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	1 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	4 Non-Application Layer Protocol	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	5 Application Layer Protocol			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	3 Ingress Tool Transfer			Data Destruction	Virtual Private Server	Employee Names

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
http://imp.impdelivery.xyz	0%	Avira URL Cloud	safe

Source	Detection	Scanner	Label	Link
http://imp.impdelivery.xyz/favicon.ico	0%	Avira URL Cloud	safe

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Reputation
imp.impdelivery.xyz	146.190.184.242	true	true	unknown
accounts.google.com	172.253.122.84	true	false	high
www.google.com	172.253.63.103	true	false	high
clients.l.google.com	142.251.167.102	true	false	high
clients2.google.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://imp.impdelivery.xyz/	false		unknown
https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=117.0.5938.132&lang=en-US&acceptformat=crx3,puff&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26brand%3DONGR%26ping%3Dr%253D-1%2526e%253D1	false		high
http://imp.impdelivery.xyz/favicon.ico	false	Avira URL Cloud: safe	unknown
http://imp.impdelivery.xyz/	false		unknown
https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
239.255.255.250	unknown	Reserved	unknown	unknown	false
146.190.184.242	imp.impdelivery.xyz	United States	702	UUNETUS	true
142.251.167.102	clients.l.google.com	United States	15169	GOOGLEUS	false
172.253.122.84	accounts.google.com	United States	15169	GOOGLEUS	false
172.253.63.103	www.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.4

General Information

Joe Sandbox Version:	38.0.0 Ammolite
Analysis ID:	1348940
Start date and time:	2023-11-27 23:26:05 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 2m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	http://imp.impdelivery.xyz
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	SUS
Classification:	sus20.troj.win@16/2@8/6
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 172.253.62.94, 34.104.35.123, 8.249.225.254, 192.229.211.108, 172.253.63.94
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, edgedl.me.gvt1.com, slscr.update.microsoft.com, update.googleapis.com, ctldl.windowsupdate.com, clientservices.googleapis.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: http://imp.impdelivery.xyz

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JSON data
Category:	downloaded
Size (bytes):	83
Entropy (8bit):	4.577056908247908
Encrypted:	false
SSDEEP:	3:YIzXl0fELLMr7exaLjJp2ERh2in:YIjl0aLMr7exSJp2Eein
MD5:	40E091AE8A82A69BE213D095D414B1D5
SHA1:	674CC4D453E76E87D24AD971D001D16B5F7F81B1
SHA-256:	39865FBFC83556C699194CE30FF5B84B4D21EC54B1D2E4495F65352D83AF0657
SHA-512:	64A024B7160A1DBF17D4874250554AE394B766C95779B9F2FE473060328506ED4538E0A5EF268B55CCA7E5D1B8893F5ACA3AB6B2BC498FAC1266B83FB30533B3
Malicious:	false
Reputation:	low
URL:	http://imp.impdelivery.xyz/favicon.ico
Preview:	{"message":"Route GET:/favicon.ico not found","error":"Not Found","statusCode":404}

Chrome Cache Entry: 41

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	downloaded
Size (bytes):	24
Entropy (8bit):	3.5220552088742005
Encrypted:	false
SSDEEP:	3:+SBAEOWRIqn:+YHOWRdn
MD5:	835D55C897CC0AD8045AE3D77E995B15
SHA1:	3B7F464E746BF4D3B23FD574EAC5A6A38AEED102
SHA-256:	6E11E45326C51005060F339202F879E7EAB862F0FE9EB5DF5F9903A292FCB369
SHA-512:	7E2295BF9963E98AFE7916DFEE20EBE7F9BF2515AB386834A58D8F4ECB8A741217A56F685F818EC078BC3AA441C0F1A71AC45C1A24B9E2D392301DE11093AFA2
Malicious:	false
Reputation:	low
URL:	http://imp.impdelivery.xyz/
Preview:	Unsupported request type

Total Packets: 108
• 443 (HTTPS)
• 80 (HTTP)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 27, 2023 23:26:47.033561945 CET	49678	443	192.168.2.4	104.46.162.224
Nov 27, 2023 23:26:47.564775944 CET	49675	443	192.168.2.4	173.222.162.32
Nov 27, 2023 23:26:51.656161070 CET	49730	443	192.168.2.4	142.251.167.102
Nov 27, 2023 23:26:51.656205893 CET	443	49730	142.251.167.102	192.168.2.4
Nov 27, 2023 23:26:51.656263113 CET	49730	443	192.168.2.4	142.251.167.102
Nov 27, 2023 23:26:51.656472921 CET	49731	443	192.168.2.4	172.253.122.84
Nov 27, 2023 23:26:51.656501055 CET	443	49731	172.253.122.84	192.168.2.4
Nov 27, 2023 23:26:51.656562090 CET	49731	443	192.168.2.4	172.253.122.84
Nov 27, 2023 23:26:51.657068968 CET	49730	443	192.168.2.4	142.251.167.102
Nov 27, 2023 23:26:51.657085896 CET	443	49730	142.251.167.102	192.168.2.4
Nov 27, 2023 23:26:51.657409906 CET	49731	443	192.168.2.4	172.253.122.84
Nov 27, 2023 23:26:51.657428980 CET	443	49731	172.253.122.84	192.168.2.4
Nov 27, 2023 23:26:51.870275974 CET	443	49730	142.251.167.102	192.168.2.4
Nov 27, 2023 23:26:51.870285988 CET	443	49731	172.253.122.84	192.168.2.4
Nov 27, 2023 23:26:51.870548964 CET	49731	443	192.168.2.4	172.253.122.84
Nov 27, 2023 23:26:51.870568037 CET	443	49731	172.253.122.84	192.168.2.4
Nov 27, 2023 23:26:51.870837927 CET	49730	443	192.168.2.4	142.251.167.102
Nov 27, 2023 23:26:51.870866060 CET	443	49730	142.251.167.102	192.168.2.4
Nov 27, 2023 23:26:51.871150970 CET	443	49730	142.251.167.102	192.168.2.4
Nov 27, 2023 23:26:51.871223927 CET	49730	443	192.168.2.4	142.251.167.102
Nov 27, 2023 23:26:51.871511936 CET	443	49731	172.253.122.84	192.168.2.4
Nov 27, 2023 23:26:51.871592999 CET	49731	443	192.168.2.4	172.253.122.84
Nov 27, 2023 23:26:51.871660948 CET	443	49730	142.251.167.102	192.168.2.4
Nov 27, 2023 23:26:51.871717930 CET	49730	443	192.168.2.4	142.251.167.102
Nov 27, 2023 23:26:51.872450113 CET	49731	443	192.168.2.4	172.253.122.84
Nov 27, 2023 23:26:51.872502089 CET	443	49731	172.253.122.84	192.168.2.4
Nov 27, 2023 23:26:51.872703075 CET	49731	443	192.168.2.4	172.253.122.84
Nov 27, 2023 23:26:51.872713089 CET	443	49731	172.253.122.84	192.168.2.4
Nov 27, 2023 23:26:51.872910976 CET	49730	443	192.168.2.4	142.251.167.102
Nov 27, 2023 23:26:51.872965097 CET	443	49730	142.251.167.102	192.168.2.4
Nov 27, 2023 23:26:51.873039007 CET	49730	443	192.168.2.4	142.251.167.102
Nov 27, 2023 23:26:51.873049021 CET	443	49730	142.251.167.102	192.168.2.4
Nov 27, 2023 23:26:51.922605991 CET	49731	443	192.168.2.4	172.253.122.84
Nov 27, 2023 23:26:51.922681093 CET	49730	443	192.168.2.4	142.251.167.102
Nov 27, 2023 23:26:52.076570988 CET	443	49730	142.251.167.102	192.168.2.4
Nov 27, 2023 23:26:52.076698065 CET	443	49730	142.251.167.102	192.168.2.4
Nov 27, 2023 23:26:52.076770067 CET	49730	443	192.168.2.4	142.251.167.102
Nov 27, 2023 23:26:52.077490091 CET	49730	443	192.168.2.4	142.251.167.102
Nov 27, 2023 23:26:52.077513933 CET	443	49730	142.251.167.102	192.168.2.4
Nov 27, 2023 23:26:52.086808920 CET	443	49731	172.253.122.84	192.168.2.4
Nov 27, 2023 23:26:52.086919069 CET	443	49731	172.253.122.84	192.168.2.4
Nov 27, 2023 23:26:52.086972952 CET	49731	443	192.168.2.4	172.253.122.84
Nov 27, 2023 23:26:52.088610888 CET	49731	443	192.168.2.4	172.253.122.84
Nov 27, 2023 23:26:52.088627100 CET	443	49731	172.253.122.84	192.168.2.4
Nov 27, 2023 23:26:53.224235058 CET	49734	80	192.168.2.4	146.190.184.242
Nov 27, 2023 23:26:53.224852085 CET	49735	80	192.168.2.4	146.190.184.242
Nov 27, 2023 23:26:53.324383020 CET	80	49734	146.190.184.242	192.168.2.4
Nov 27, 2023 23:26:53.324506998 CET	49734	80	192.168.2.4	146.190.184.242
Nov 27, 2023 23:26:53.324707985 CET	49734	80	192.168.2.4	146.190.184.242
Nov 27, 2023 23:26:53.326515913 CET	80	49735	146.190.184.242	192.168.2.4
Nov 27, 2023 23:26:53.326601028 CET	49735	80	192.168.2.4	146.190.184.242
Nov 27, 2023 23:26:53.423928022 CET	80	49734	146.190.184.242	192.168.2.4
Nov 27, 2023 23:26:53.426024914 CET	80	49734	146.190.184.242	192.168.2.4
Nov 27, 2023 23:26:53.460671902 CET	49734	80	192.168.2.4	146.190.184.242
Nov 27, 2023 23:26:53.562880993 CET	80	49734	146.190.184.242	192.168.2.4
Nov 27, 2023 23:26:53.611315012 CET	49734	80	192.168.2.4	146.190.184.242
Nov 27, 2023 23:26:55.849315882 CET	49738	443	192.168.2.4	172.253.63.103
Nov 27, 2023 23:26:55.849356890 CET	443	49738	172.253.63.103	192.168.2.4
Nov 27, 2023 23:26:55.849416971 CET	49738	443	192.168.2.4	172.253.63.103
Nov 27, 2023 23:26:55.850652933 CET	49738	443	192.168.2.4	172.253.63.103
Nov 27, 2023 23:26:55.850672007 CET	443	49738	172.253.63.103	192.168.2.4
Nov 27, 2023 23:26:56.050647974 CET	443	49738	172.253.63.103	192.168.2.4
Nov 27, 2023 23:26:56.051013947 CET	49738	443	192.168.2.4	172.253.63.103
Nov 27, 2023 23:26:56.051043987 CET	443	49738	172.253.63.103	192.168.2.4
Nov 27, 2023 23:26:56.051785946 CET	443	49738	172.253.63.103	192.168.2.4
Nov 27, 2023 23:26:56.051872015 CET	49738	443	192.168.2.4	172.253.63.103
Nov 27, 2023 23:26:56.053034067 CET	49738	443	192.168.2.4	172.253.63.103
Nov 27, 2023 23:26:56.053091049 CET	443	49738	172.253.63.103	192.168.2.4
Nov 27, 2023 23:26:56.094996929 CET	49738	443	192.168.2.4	172.253.63.103
Nov 27, 2023 23:26:56.095019102 CET	443	49738	172.253.63.103	192.168.2.4
Nov 27, 2023 23:26:56.110851049 CET	49739	443	192.168.2.4	23.222.194.90
Nov 27, 2023 23:26:56.110874891 CET	443	49739	23.222.194.90	192.168.2.4
Nov 27, 2023 23:26:56.110949039 CET	49739	443	192.168.2.4	23.222.194.90
Nov 27, 2023 23:26:56.113398075 CET	49739	443	192.168.2.4	23.222.194.90
Nov 27, 2023 23:26:56.113411903 CET	443	49739	23.222.194.90	192.168.2.4
Nov 27, 2023 23:26:56.141860008 CET	49738	443	192.168.2.4	172.253.63.103
Nov 27, 2023 23:26:56.311047077 CET	443	49739	23.222.194.90	192.168.2.4
Nov 27, 2023 23:26:56.311181068 CET	49739	443	192.168.2.4	23.222.194.90
Nov 27, 2023 23:26:56.314635038 CET	49739	443	192.168.2.4	23.222.194.90
Nov 27, 2023 23:26:56.314642906 CET	443	49739	23.222.194.90	192.168.2.4
Nov 27, 2023 23:26:56.314821959 CET	443	49739	23.222.194.90	192.168.2.4
Nov 27, 2023 23:26:56.360630035 CET	49739	443	192.168.2.4	23.222.194.90
Nov 27, 2023 23:26:56.385209084 CET	49739	443	192.168.2.4	23.222.194.90
Nov 27, 2023 23:26:56.425257921 CET	443	49739	23.222.194.90	192.168.2.4
Nov 27, 2023 23:26:56.804377079 CET	443	49739	23.222.194.90	192.168.2.4
Nov 27, 2023 23:26:56.804477930 CET	443	49739	23.222.194.90	192.168.2.4
Nov 27, 2023 23:26:56.804661036 CET	49739	443	192.168.2.4	23.222.194.90
Nov 27, 2023 23:26:56.804661036 CET	49739	443	192.168.2.4	23.222.194.90
Nov 27, 2023 23:26:56.806432962 CET	49739	443	192.168.2.4	23.222.194.90
Nov 27, 2023 23:26:56.806471109 CET	443	49739	23.222.194.90	192.168.2.4
Nov 27, 2023 23:26:56.836357117 CET	49740	443	192.168.2.4	23.222.194.90
Nov 27, 2023 23:26:56.836390972 CET	443	49740	23.222.194.90	192.168.2.4
Nov 27, 2023 23:26:56.836559057 CET	49740	443	192.168.2.4	23.222.194.90
Nov 27, 2023 23:26:56.837515116 CET	49740	443	192.168.2.4	23.222.194.90
Nov 27, 2023 23:26:56.837529898 CET	443	49740	23.222.194.90	192.168.2.4
Nov 27, 2023 23:26:57.029373884 CET	443	49740	23.222.194.90	192.168.2.4
Nov 27, 2023 23:26:57.029635906 CET	49740	443	192.168.2.4	23.222.194.90
Nov 27, 2023 23:26:57.030873060 CET	49740	443	192.168.2.4	23.222.194.90
Nov 27, 2023 23:26:57.030883074 CET	443	49740	23.222.194.90	192.168.2.4
Nov 27, 2023 23:26:57.031063080 CET	443	49740	23.222.194.90	192.168.2.4
Nov 27, 2023 23:26:57.032820940 CET	49740	443	192.168.2.4	23.222.194.90
Nov 27, 2023 23:26:57.073275089 CET	443	49740	23.222.194.90	192.168.2.4
Nov 27, 2023 23:26:57.173041105 CET	49675	443	192.168.2.4	173.222.162.32
Nov 27, 2023 23:26:57.216090918 CET	443	49740	23.222.194.90	192.168.2.4
Nov 27, 2023 23:26:57.216135025 CET	443	49740	23.222.194.90	192.168.2.4
Nov 27, 2023 23:26:57.216183901 CET	49740	443	192.168.2.4	23.222.194.90
Nov 27, 2023 23:26:57.217650890 CET	49740	443	192.168.2.4	23.222.194.90
Nov 27, 2023 23:26:57.217664957 CET	443	49740	23.222.194.90	192.168.2.4
Nov 27, 2023 23:26:57.217705011 CET	49740	443	192.168.2.4	23.222.194.90
Nov 27, 2023 23:26:57.217709064 CET	443	49740	23.222.194.90	192.168.2.4
Nov 27, 2023 23:27:06.055896044 CET	443	49738	172.253.63.103	192.168.2.4
Nov 27, 2023 23:27:06.055969000 CET	443	49738	172.253.63.103	192.168.2.4
Nov 27, 2023 23:27:06.056052923 CET	49738	443	192.168.2.4	172.253.63.103
Nov 27, 2023 23:27:07.667081118 CET	49738	443	192.168.2.4	172.253.63.103
Nov 27, 2023 23:27:07.667119026 CET	443	49738	172.253.63.103	192.168.2.4
Nov 27, 2023 23:27:09.042898893 CET	49741	443	192.168.2.4	20.12.23.50
Nov 27, 2023 23:27:09.042933941 CET	443	49741	20.12.23.50	192.168.2.4
Nov 27, 2023 23:27:09.043024063 CET	49741	443	192.168.2.4	20.12.23.50
Nov 27, 2023 23:27:09.044855118 CET	49741	443	192.168.2.4	20.12.23.50
Nov 27, 2023 23:27:09.044867992 CET	443	49741	20.12.23.50	192.168.2.4
Nov 27, 2023 23:27:09.352170944 CET	443	49741	20.12.23.50	192.168.2.4
Nov 27, 2023 23:27:09.365256071 CET	443	49741	20.12.23.50	192.168.2.4
Nov 27, 2023 23:27:09.370537043 CET	49741	443	192.168.2.4	20.12.23.50
Nov 27, 2023 23:27:09.372831106 CET	49741	443	192.168.2.4	20.12.23.50
Nov 27, 2023 23:27:09.372839928 CET	443	49741	20.12.23.50	192.168.2.4
Nov 27, 2023 23:27:09.373019934 CET	443	49741	20.12.23.50	192.168.2.4
Nov 27, 2023 23:27:09.414791107 CET	49741	443	192.168.2.4	20.12.23.50
Nov 27, 2023 23:27:09.781487942 CET	49741	443	192.168.2.4	20.12.23.50
Nov 27, 2023 23:27:09.829261065 CET	443	49741	20.12.23.50	192.168.2.4
Nov 27, 2023 23:27:09.978303909 CET	443	49741	20.12.23.50	192.168.2.4
Nov 27, 2023 23:27:09.978331089 CET	443	49741	20.12.23.50	192.168.2.4
Nov 27, 2023 23:27:09.978337049 CET	443	49741	20.12.23.50	192.168.2.4
Nov 27, 2023 23:27:09.978384972 CET	443	49741	20.12.23.50	192.168.2.4
Nov 27, 2023 23:27:09.978416920 CET	443	49741	20.12.23.50	192.168.2.4
Nov 27, 2023 23:27:09.978518009 CET	49741	443	192.168.2.4	20.12.23.50
Nov 27, 2023 23:27:09.978518009 CET	49741	443	192.168.2.4	20.12.23.50
Nov 27, 2023 23:27:09.978533983 CET	443	49741	20.12.23.50	192.168.2.4
Nov 27, 2023 23:27:09.978540897 CET	443	49741	20.12.23.50	192.168.2.4
Nov 27, 2023 23:27:09.978604078 CET	49741	443	192.168.2.4	20.12.23.50
Nov 27, 2023 23:27:10.210408926 CET	49741	443	192.168.2.4	20.12.23.50
Nov 27, 2023 23:27:10.210408926 CET	49741	443	192.168.2.4	20.12.23.50
Nov 27, 2023 23:27:10.210436106 CET	443	49741	20.12.23.50	192.168.2.4
Nov 27, 2023 23:27:10.210449934 CET	443	49741	20.12.23.50	192.168.2.4
Nov 27, 2023 23:27:38.329117060 CET	49735	80	192.168.2.4	146.190.184.242
Nov 27, 2023 23:27:38.430557013 CET	80	49735	146.190.184.242	192.168.2.4
Nov 27, 2023 23:27:38.563488007 CET	49734	80	192.168.2.4	146.190.184.242
Nov 27, 2023 23:27:38.662807941 CET	80	49734	146.190.184.242	192.168.2.4
Nov 27, 2023 23:27:46.618217945 CET	49747	443	192.168.2.4	20.12.23.50
Nov 27, 2023 23:27:46.618290901 CET	443	49747	20.12.23.50	192.168.2.4
Nov 27, 2023 23:27:46.618371964 CET	49747	443	192.168.2.4	20.12.23.50
Nov 27, 2023 23:27:46.619174957 CET	49747	443	192.168.2.4	20.12.23.50
Nov 27, 2023 23:27:46.619193077 CET	443	49747	20.12.23.50	192.168.2.4
Nov 27, 2023 23:27:46.925360918 CET	443	49747	20.12.23.50	192.168.2.4
Nov 27, 2023 23:27:46.925550938 CET	49747	443	192.168.2.4	20.12.23.50
Nov 27, 2023 23:27:46.931143999 CET	49747	443	192.168.2.4	20.12.23.50
Nov 27, 2023 23:27:46.931153059 CET	443	49747	20.12.23.50	192.168.2.4
Nov 27, 2023 23:27:46.931337118 CET	443	49747	20.12.23.50	192.168.2.4
Nov 27, 2023 23:27:46.951227903 CET	49747	443	192.168.2.4	20.12.23.50
Nov 27, 2023 23:27:46.993273973 CET	443	49747	20.12.23.50	192.168.2.4
Nov 27, 2023 23:27:47.218993902 CET	443	49747	20.12.23.50	192.168.2.4
Nov 27, 2023 23:27:47.219018936 CET	443	49747	20.12.23.50	192.168.2.4
Nov 27, 2023 23:27:47.219033003 CET	443	49747	20.12.23.50	192.168.2.4
Nov 27, 2023 23:27:47.219118118 CET	49747	443	192.168.2.4	20.12.23.50
Nov 27, 2023 23:27:47.219146013 CET	443	49747	20.12.23.50	192.168.2.4
Nov 27, 2023 23:27:47.219161987 CET	443	49747	20.12.23.50	192.168.2.4
Nov 27, 2023 23:27:47.219223976 CET	49747	443	192.168.2.4	20.12.23.50
Nov 27, 2023 23:27:47.229815006 CET	49747	443	192.168.2.4	20.12.23.50
Nov 27, 2023 23:27:47.229829073 CET	443	49747	20.12.23.50	192.168.2.4
Nov 27, 2023 23:27:47.229856968 CET	49747	443	192.168.2.4	20.12.23.50
Nov 27, 2023 23:27:47.229862928 CET	443	49747	20.12.23.50	192.168.2.4
Nov 27, 2023 23:27:53.412965059 CET	80	49735	146.190.184.242	192.168.2.4
Nov 27, 2023 23:27:53.413264036 CET	49735	80	192.168.2.4	146.190.184.242
Nov 27, 2023 23:27:53.675163984 CET	49735	80	192.168.2.4	146.190.184.242
Nov 27, 2023 23:27:53.776465893 CET	80	49735	146.190.184.242	192.168.2.4
Nov 27, 2023 23:27:55.773425102 CET	49749	443	192.168.2.4	172.253.63.103
Nov 27, 2023 23:27:55.773463964 CET	443	49749	172.253.63.103	192.168.2.4
Nov 27, 2023 23:27:55.773585081 CET	49749	443	192.168.2.4	172.253.63.103
Nov 27, 2023 23:27:55.774359941 CET	49749	443	192.168.2.4	172.253.63.103
Nov 27, 2023 23:27:55.774374008 CET	443	49749	172.253.63.103	192.168.2.4
Nov 27, 2023 23:27:55.967195034 CET	443	49749	172.253.63.103	192.168.2.4
Nov 27, 2023 23:27:55.967654943 CET	49749	443	192.168.2.4	172.253.63.103
Nov 27, 2023 23:27:55.967678070 CET	443	49749	172.253.63.103	192.168.2.4
Nov 27, 2023 23:27:55.968012094 CET	443	49749	172.253.63.103	192.168.2.4
Nov 27, 2023 23:27:55.968405008 CET	49749	443	192.168.2.4	172.253.63.103
Nov 27, 2023 23:27:55.968466043 CET	443	49749	172.253.63.103	192.168.2.4
Nov 27, 2023 23:27:56.016971111 CET	49749	443	192.168.2.4	172.253.63.103
Nov 27, 2023 23:27:59.574623108 CET	80	49734	146.190.184.242	192.168.2.4
Nov 27, 2023 23:27:59.574707985 CET	49734	80	192.168.2.4	146.190.184.242
Nov 27, 2023 23:27:59.675137997 CET	49734	80	192.168.2.4	146.190.184.242
Nov 27, 2023 23:27:59.777307034 CET	80	49734	146.190.184.242	192.168.2.4
Nov 27, 2023 23:28:05.986263990 CET	49723	80	192.168.2.4	8.252.64.126
Nov 27, 2023 23:28:05.986265898 CET	49724	80	192.168.2.4	8.252.64.126
Nov 27, 2023 23:28:06.003756046 CET	443	49749	172.253.63.103	192.168.2.4
Nov 27, 2023 23:28:06.003849030 CET	443	49749	172.253.63.103	192.168.2.4
Nov 27, 2023 23:28:06.004013062 CET	49749	443	192.168.2.4	172.253.63.103
Nov 27, 2023 23:28:06.080097914 CET	80	49724	8.252.64.126	192.168.2.4
Nov 27, 2023 23:28:06.080332994 CET	49724	80	192.168.2.4	8.252.64.126
Nov 27, 2023 23:28:06.081903934 CET	80	49723	8.252.64.126	192.168.2.4
Nov 27, 2023 23:28:06.081969023 CET	49723	80	192.168.2.4	8.252.64.126
Nov 27, 2023 23:28:07.675112009 CET	49749	443	192.168.2.4	172.253.63.103
Nov 27, 2023 23:28:07.675139904 CET	443	49749	172.253.63.103	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 27, 2023 23:26:51.529736042 CET	64070	53	192.168.2.4	1.1.1.1
Nov 27, 2023 23:26:51.529882908 CET	60272	53	192.168.2.4	1.1.1.1
Nov 27, 2023 23:26:51.530203104 CET	51789	53	192.168.2.4	1.1.1.1
Nov 27, 2023 23:26:51.530443907 CET	65382	53	192.168.2.4	1.1.1.1
Nov 27, 2023 23:26:51.561340094 CET	53	49327	1.1.1.1	192.168.2.4
Nov 27, 2023 23:26:51.653467894 CET	53	64070	1.1.1.1	192.168.2.4
Nov 27, 2023 23:26:51.654846907 CET	53	60272	1.1.1.1	192.168.2.4
Nov 27, 2023 23:26:51.654861927 CET	53	51789	1.1.1.1	192.168.2.4
Nov 27, 2023 23:26:51.655210018 CET	53	65382	1.1.1.1	192.168.2.4
Nov 27, 2023 23:26:52.271603107 CET	53	50427	1.1.1.1	192.168.2.4
Nov 27, 2023 23:26:53.096839905 CET	52081	53	192.168.2.4	1.1.1.1
Nov 27, 2023 23:26:53.097078085 CET	53301	53	192.168.2.4	1.1.1.1
Nov 27, 2023 23:26:53.222683907 CET	53	53301	1.1.1.1	192.168.2.4
Nov 27, 2023 23:26:53.223524094 CET	53	52081	1.1.1.1	192.168.2.4
Nov 27, 2023 23:26:55.722219944 CET	56842	53	192.168.2.4	1.1.1.1
Nov 27, 2023 23:26:55.722340107 CET	63022	53	192.168.2.4	1.1.1.1
Nov 27, 2023 23:26:55.846071959 CET	53	63022	1.1.1.1	192.168.2.4
Nov 27, 2023 23:26:55.847783089 CET	53	56842	1.1.1.1	192.168.2.4
Nov 27, 2023 23:27:09.309036016 CET	53	54518	1.1.1.1	192.168.2.4
Nov 27, 2023 23:27:17.554207087 CET	138	138	192.168.2.4	192.168.2.255
Nov 27, 2023 23:27:27.988565922 CET	53	50313	1.1.1.1	192.168.2.4
Nov 27, 2023 23:27:50.630157948 CET	53	52516	1.1.1.1	192.168.2.4
Nov 27, 2023 23:27:51.334835052 CET	53	54532	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 27, 2023 23:26:51.529736042 CET	192.168.2.4	1.1.1.1	0x581d	Standard query (0)	accounts.google.com	A (IP address)	IN (0x0001)	false
Nov 27, 2023 23:26:51.529882908 CET	192.168.2.4	1.1.1.1	0xca4b	Standard query (0)	accounts.google.com	65	IN (0x0001)	false
Nov 27, 2023 23:26:51.530203104 CET	192.168.2.4	1.1.1.1	0x6917	Standard query (0)	clients2.google.com	A (IP address)	IN (0x0001)	false
Nov 27, 2023 23:26:51.530443907 CET	192.168.2.4	1.1.1.1	0xd43d	Standard query (0)	clients2.google.com	65	IN (0x0001)	false
Nov 27, 2023 23:26:53.096839905 CET	192.168.2.4	1.1.1.1	0x212a	Standard query (0)	imp.impdelivery.xyz	A (IP address)	IN (0x0001)	false
Nov 27, 2023 23:26:53.097078085 CET	192.168.2.4	1.1.1.1	0x9a53	Standard query (0)	imp.impdelivery.xyz	65	IN (0x0001)	false
Nov 27, 2023 23:26:55.722219944 CET	192.168.2.4	1.1.1.1	0x88d9	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Nov 27, 2023 23:26:55.722340107 CET	192.168.2.4	1.1.1.1	0x6162	Standard query (0)	www.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 27, 2023 23:26:51.653467894 CET	1.1.1.1	192.168.2.4	0x581d	No error (0)	accounts.google.com		172.253.122.84	A (IP address)	IN (0x0001)	false
Nov 27, 2023 23:26:51.654861927 CET	1.1.1.1	192.168.2.4	0x6917	No error (0)	clients2.google.com	clients.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 27, 2023 23:26:51.654861927 CET	1.1.1.1	192.168.2.4	0x6917	No error (0)	clients.l.google.com		142.251.167.102	A (IP address)	IN (0x0001)	false
Nov 27, 2023 23:26:51.654861927 CET	1.1.1.1	192.168.2.4	0x6917	No error (0)	clients.l.google.com		142.251.167.100	A (IP address)	IN (0x0001)	false
Nov 27, 2023 23:26:51.654861927 CET	1.1.1.1	192.168.2.4	0x6917	No error (0)	clients.l.google.com		142.251.167.139	A (IP address)	IN (0x0001)	false
Nov 27, 2023 23:26:51.654861927 CET	1.1.1.1	192.168.2.4	0x6917	No error (0)	clients.l.google.com		142.251.167.101	A (IP address)	IN (0x0001)	false
Nov 27, 2023 23:26:51.654861927 CET	1.1.1.1	192.168.2.4	0x6917	No error (0)	clients.l.google.com		142.251.167.113	A (IP address)	IN (0x0001)	false
Nov 27, 2023 23:26:51.654861927 CET	1.1.1.1	192.168.2.4	0x6917	No error (0)	clients.l.google.com		142.251.167.138	A (IP address)	IN (0x0001)	false
Nov 27, 2023 23:26:51.655210018 CET	1.1.1.1	192.168.2.4	0xd43d	No error (0)	clients2.google.com	clients.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 27, 2023 23:26:53.223524094 CET	1.1.1.1	192.168.2.4	0x212a	No error (0)	imp.impdelivery.xyz		146.190.184.242	A (IP address)	IN (0x0001)	false
Nov 27, 2023 23:26:55.846071959 CET	1.1.1.1	192.168.2.4	0x6162	No error (0)	www.google.com			65	IN (0x0001)	false
Nov 27, 2023 23:26:55.847783089 CET	1.1.1.1	192.168.2.4	0x88d9	No error (0)	www.google.com		172.253.63.103	A (IP address)	IN (0x0001)	false
Nov 27, 2023 23:26:55.847783089 CET	1.1.1.1	192.168.2.4	0x88d9	No error (0)	www.google.com		172.253.63.147	A (IP address)	IN (0x0001)	false
Nov 27, 2023 23:26:55.847783089 CET	1.1.1.1	192.168.2.4	0x88d9	No error (0)	www.google.com		172.253.63.106	A (IP address)	IN (0x0001)	false
Nov 27, 2023 23:26:55.847783089 CET	1.1.1.1	192.168.2.4	0x88d9	No error (0)	www.google.com		172.253.63.105	A (IP address)	IN (0x0001)	false
Nov 27, 2023 23:26:55.847783089 CET	1.1.1.1	192.168.2.4	0x88d9	No error (0)	www.google.com		172.253.63.104	A (IP address)	IN (0x0001)	false
Nov 27, 2023 23:26:55.847783089 CET	1.1.1.1	192.168.2.4	0x88d9	No error (0)	www.google.com		172.253.63.99	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

accounts.google.com

clients2.google.com

fs.microsoft.com

slscr.update.microsoft.com

imp.impdelivery.xyz

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49734	146.190.184.242	80	5848	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
Nov 27, 2023 23:26:53.324707985 CET	488	OUT	GET / HTTP/1.1 Host: imp.impdelivery.xyz Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9
Nov 27, 2023 23:26:53.426024914 CET	226	IN	HTTP/1.1 400 Bad Request server: nginx/1.24.0 date: Mon, 27 Nov 2023 22:26:53 GMT content-type: text/plain; charset=utf-8 content-length: 24 Data Raw: 55 6e 73 75 70 70 6f 72 74 65 64 20 72 65 71 75 65 73 74 20 74 79 70 65 Data Ascii: Unsupported request type
Nov 27, 2023 23:26:53.460671902 CET	436	OUT	GET /favicon.ico HTTP/1.1 Host: imp.impdelivery.xyz Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Referer: http://imp.impdelivery.xyz/ Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9
Nov 27, 2023 23:26:53.562880993 CET	289	IN	HTTP/1.1 404 Not Found server: nginx/1.24.0 date: Mon, 27 Nov 2023 22:26:53 GMT content-type: application/json; charset=utf-8 content-length: 83 Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 22 52 6f 75 74 65 20 47 45 54 3a 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 20 6e 6f 74 20 66 6f 75 6e 64 22 2c 22 65 72 72 6f 72 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 2c 22 73 74 61 74 75 73 43 6f 64 65 22 3a 34 30 34 7d Data Ascii: {"message":"Route GET:/favicon.ico not found","error":"Not Found","statusCode":404}
Nov 27, 2023 23:27:38.563488007 CET	60	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49735	146.190.184.242	80	5848	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
Nov 27, 2023 23:27:38.329117060 CET	60	OUT	Data Raw: 00 Data Ascii:

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	172.253.122.84	443	5848	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2023-11-27 22:26:51 UTC	680	OUT	POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1 Host: accounts.google.com Connection: keep-alive Content-Length: 1 Origin: https://www.google.com Content-Type: application/x-www-form-urlencoded Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=511=j8SQUTltnVU5cOAeyzqSxW-qHOakRuBHDQGLTGeceC9Z5rRzk5trMKb4CuZC_CFmc7KFwQcRJL-qGz8MvkkzMZmElvXAFWLO-TPZ9PMqBYA78ZAuaepnXIRHe-TAolVoW6Z7dQnqpgyX0m-TmS72bebAgoqZv5GkpRFUcZIw1Kk
2023-11-27 22:26:51 UTC	1	OUT	Data Raw: 20 Data Ascii:
2023-11-27 22:26:52 UTC	1627	IN	Data Raw: 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 73 6f 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 41 63 63 65 73 73 2d 43 6f 6e 74 72 6f 6c 2d 41 6c 6c 6f 77 2d 4f 72 69 67 69 6e 3a 20 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 0d 0a 41 63 63 65 73 73 2d 43 6f 6e 74 72 6f 6c 2d 41 6c 6c 6f 77 2d 43 72 65 64 65 6e 74 69 61 6c 73 3a 20 74 72 75 65 0d 0a 58 2d 43 6f 6e 74 65 6e 74 2d 54 79 70 65 2d 4f 70 74 69 6f 6e 73 3a 20 6e 6f 73 6e 69 66 66 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f 6c 3a 20 6e 6f 2d 63 61 63 68 65 2c 20 6e 6f 2d 73 74 6f 72 65 2c 20 6d 61 78 2d 61 67 65 3d 30 2c 20 6d 75 73 74 2d 72 65 76 61 6c 69 64 61 74 65 0d 0a 50 72 Data Ascii: HTTP/1.1 200 OKContent-Type: application/json; charset=utf-8Access-Control-Allow-Origin: https://www.google.comAccess-Control-Allow-Credentials: trueX-Content-Type-Options: nosniffCache-Control: no-cache, no-store, max-age=0, must-revalidatePr
2023-11-27 22:26:52 UTC	23	IN	Data Raw: 31 31 0d 0a 5b 22 67 61 69 61 2e 6c 2e 61 2e 72 22 2c 5b 5d 5d 0d 0a Data Ascii: 11["gaia.l.a.r",[]]
2023-11-27 22:26:52 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49730	142.251.167.102	443	5848	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2023-11-27 22:26:51 UTC	752	OUT	GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=117.0.5938.132&lang=en-US&acceptformat=crx3,puff&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26brand%3DONGR%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1 Host: clients2.google.com Connection: keep-alive X-Goog-Update-Interactivity: fg X-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda X-Goog-Update-Updater: chromecrx-117.0.5938.132 Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2023-11-27 22:26:52 UTC	732	IN	Data Raw: 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 3a 20 73 63 72 69 70 74 2d 73 72 63 20 27 72 65 70 6f 72 74 2d 73 61 6d 70 6c 65 27 20 27 6e 6f 6e 63 65 2d 53 43 4d 46 38 68 66 76 34 6c 4c 52 30 6a 49 6a 37 64 74 73 71 77 27 20 27 75 6e 73 61 66 65 2d 69 6e 6c 69 6e 65 27 20 27 73 74 72 69 63 74 2d 64 79 6e 61 6d 69 63 27 20 68 74 74 70 73 3a 20 68 74 74 70 3a 3b 6f 62 6a 65 63 74 2d 73 72 63 20 27 6e 6f 6e 65 27 3b 62 61 73 65 2d 75 72 69 20 27 73 65 6c 66 27 3b 72 65 70 6f 72 74 2d 75 72 69 20 68 74 74 70 73 3a 2f 2f 63 73 70 2e 77 69 74 68 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 63 73 70 2f 63 6c 69 65 6e 74 75 70 64 61 74 65 2d 61 75 73 2f 31 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f 6c Data Ascii: HTTP/1.1 200 OKContent-Security-Policy: script-src 'report-sample' 'nonce-SCMF8hfv4lLR0jIj7dtsqw' 'unsafe-inline' 'strict-dynamic' https: http:;object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/clientupdate-aus/1Cache-Control
2023-11-27 22:26:52 UTC	520	IN	Data Raw: 32 63 39 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 67 75 70 64 61 74 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 75 70 64 61 74 65 32 2f 72 65 73 70 6f 6e 73 65 22 20 70 72 6f 74 6f 63 6f 6c 3d 22 32 2e 30 22 20 73 65 72 76 65 72 3d 22 70 72 6f 64 22 3e 3c 64 61 79 73 74 61 72 74 20 65 6c 61 70 73 65 64 5f 64 61 79 73 3d 22 36 31 37 34 22 20 65 6c 61 70 73 65 64 5f 73 65 63 6f 6e 64 73 3d 22 35 32 30 31 32 22 2f 3e 3c 61 70 70 20 61 70 70 69 64 3d 22 6e 6d 6d 68 6b 6b 65 67 63 63 61 67 64 6c 64 67 69 69 6d 65 64 70 69 63 63 6d 67 6d 69 65 64 61 22 20 63 6f 68 6f 72 74 3d 22 31 3a 3a 22 20 63 6f 68 6f 72 74 6e 61 6d 65 3d 22 22 Data Ascii: 2c9<?xml version="1.0" encoding="UTF-8"?><gupdate xmlns="http://www.google.com/update2/response" protocol="2.0" server="prod"><daystart elapsed_days="6174" elapsed_seconds="52012"/><app appid="nmmhkkegccagdldgiimedpiccmgmieda" cohort="1::" cohortname=""
2023-11-27 22:26:52 UTC	200	IN	Data Raw: 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 68 61 73 68 5f 73 68 61 32 35 36 3d 22 38 31 65 33 61 34 64 34 33 61 37 33 36 39 39 65 31 62 37 37 38 31 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 70 72 6f 74 65 63 74 65 64 3d 22 30 22 20 73 69 7a 65 3d 22 32 34 38 35 33 31 22 20 73 74 61 74 75 73 3d 22 6f 6b 22 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 2e 30 2e 36 22 2f 3e 3c 2f 61 70 70 3e 3c 2f 67 75 70 64 61 74 65 3e 0d 0a Data Ascii: 723f56b8717175c536685c5450122b30789464ad82" hash_sha256="81e3a4d43a73699e1b7781723f56b8717175c536685c5450122b30789464ad82" protected="0" size="248531" status="ok" version="1.0.0.6"/></app></gupdate>
2023-11-27 22:26:52 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49739	23.222.194.90	443

Timestamp	Bytes transferred	Direction	Data
2023-11-27 22:26:56 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2023-11-27 22:26:56 UTC	435	IN	Data Raw: 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d 0a 41 70 69 56 65 72 73 69 6f 6e 3a 20 44 69 73 74 72 69 62 75 74 65 20 31 2e 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 61 74 74 61 63 68 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 63 6f 6e 66 69 67 2e 6a 73 6f 6e 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 55 54 46 2d 38 27 27 63 6f 6e 66 69 67 2e 6a 73 6f 6e 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 45 54 61 67 3a 20 22 30 78 36 34 36 36 37 46 37 30 37 46 46 30 37 44 36 32 42 37 33 33 44 42 43 42 37 39 45 46 45 33 38 35 35 45 36 38 38 36 43 39 39 37 35 42 30 43 30 42 34 36 37 44 34 36 32 33 31 42 33 46 41 35 45 37 22 0d 0a 4c 61 73 74 2d 4d 6f 64 69 Data Ascii: HTTP/1.1 200 OKApiVersion: Distribute 1.1Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.jsonContent-Type: application/octet-streamETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7"Last-Modi

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49740	23.222.194.90	443

Timestamp	Bytes transferred	Direction	Data
2023-11-27 22:26:57 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2023-11-27 22:26:57 UTC	773	IN	Data Raw: 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d 0a 4c 61 73 74 2d 4d 6f 64 69 66 69 65 64 3a 20 54 75 65 2c 20 31 36 20 4d 61 79 20 32 30 31 37 20 32 32 3a 35 38 3a 30 30 20 47 4d 54 0d 0a 45 54 61 67 3a 20 22 30 78 36 34 36 36 37 46 37 30 37 46 46 30 37 44 36 32 42 37 33 33 44 42 43 42 37 39 45 46 45 33 38 35 35 45 36 38 38 36 43 39 39 37 35 42 30 43 30 42 34 36 37 44 34 36 32 33 31 42 33 46 41 35 45 37 22 0d 0a 41 70 69 56 65 72 73 69 6f 6e 3a 20 44 69 73 74 72 69 62 75 74 65 20 31 2e 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 61 74 74 61 63 68 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 63 6f 6e 66 69 67 2e 6a 73 6f 6e 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 55 54 46 2d 38 27 27 63 6f 6e 66 69 67 2e 6a 73 6f 6e 0d 0a 58 2d 43 Data Ascii: HTTP/1.1 200 OKLast-Modified: Tue, 16 May 2017 22:58:00 GMTETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7"ApiVersion: Distribute 1.1Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.jsonX-C
2023-11-27 22:26:57 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49741	20.12.23.50	443

Timestamp	Bytes transferred	Direction	Data
2023-11-27 22:27:09 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=9vO2xXtACaUAyzp&MD=cOSvaY5h HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2023-11-27 22:27:09 UTC	560	IN	Data Raw: 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f 6c 3a 20 6e 6f 2d 63 61 63 68 65 0d 0a 50 72 61 67 6d 61 3a 20 6e 6f 2d 63 61 63 68 65 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 45 78 70 69 72 65 73 3a 20 2d 31 0d 0a 4c 61 73 74 2d 4d 6f 64 69 66 69 65 64 3a 20 4d 6f 6e 2c 20 30 31 20 4a 61 6e 20 30 30 30 31 20 30 30 3a 30 30 3a 30 30 20 47 4d 54 0d 0a 45 54 61 67 3a 20 22 58 41 6f 70 61 7a 56 30 30 58 44 57 6e 4a 43 77 6b 6d 45 57 52 76 36 4a 6b 62 6a 52 41 39 51 53 53 5a 32 2b 65 2f 33 4d 7a 45 6b 3d 5f 32 38 38 30 22 0d 0a 4d 53 2d 43 6f 72 72 65 6c 61 74 69 6f 6e 49 64 3a 20 35 65 62 32 37 31 31 64 2d 38 33 35 34 2d 34 39 66 30 2d Data Ascii: HTTP/1.1 200 OKCache-Control: no-cachePragma: no-cacheContent-Type: application/octet-streamExpires: -1Last-Modified: Mon, 01 Jan 0001 00:00:00 GMTETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880"MS-CorrelationId: 5eb2711d-8354-49f0-
2023-11-27 22:27:09 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2023-11-27 22:27:09 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49747	20.12.23.50	443

Timestamp	Bytes transferred	Direction	Data
2023-11-27 22:27:46 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=9vO2xXtACaUAyzp&MD=cOSvaY5h HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2023-11-27 22:27:47 UTC	560	IN	Data Raw: 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f 6c 3a 20 6e 6f 2d 63 61 63 68 65 0d 0a 50 72 61 67 6d 61 3a 20 6e 6f 2d 63 61 63 68 65 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 45 78 70 69 72 65 73 3a 20 2d 31 0d 0a 4c 61 73 74 2d 4d 6f 64 69 66 69 65 64 3a 20 4d 6f 6e 2c 20 30 31 20 4a 61 6e 20 30 30 30 31 20 30 30 3a 30 30 3a 30 30 20 47 4d 54 0d 0a 45 54 61 67 3a 20 22 4d 78 31 52 6f 4a 48 2f 71 45 77 70 57 66 4b 6c 6c 78 37 73 62 73 6c 32 38 41 75 45 52 7a 35 49 59 64 63 73 76 74 54 4a 63 67 4d 3d 5f 32 31 36 30 22 0d 0a 4d 53 2d 43 6f 72 72 65 6c 61 74 69 6f 6e 49 64 3a 20 33 62 30 35 31 31 35 33 2d 38 31 37 35 2d 34 39 65 63 2d Data Ascii: HTTP/1.1 200 OKCache-Control: no-cachePragma: no-cacheContent-Type: application/octet-streamExpires: -1Last-Modified: Mon, 01 Jan 0001 00:00:00 GMTETag: "Mx1RoJH/qEwpWfKllx7sbsl28AuERz5IYdcsvtTJcgM=_2160"MS-CorrelationId: 3b051153-8175-49ec-
2023-11-27 22:27:47 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 51 22 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 db 8e 00 00 14 00 00 00 00 00 10 00 51 22 00 00 20 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 f3 43 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 0d 92 6f db e5 21 f3 43 43 4b ed 5a 09 38 55 5b df 3f 93 99 90 29 99 e7 29 ec 73 cc 4a 66 32 cf 84 32 64 c8 31 c7 11 52 38 87 90 42 66 09 99 87 32 0f 19 0a 09 51 a6 a8 08 29 53 86 4a 52 84 50 df 46 83 ba dd 7b df fb 7e ef 7d ee 7d bf ef 9e e7 d9 67 ef 35 ee b5 fe eb 3f ff b6 96 81 a2 0a 04 fc 31 40 21 5b 3f a5 ed 1b 04 0e 85 42 a0 10 04 64 12 6c a5 de aa a1 d8 ea f3 58 01 f2 f5 67 0b 5e 9b bd e8 a0 90 1d bf 40 88 9d eb 49 b4 87 9b ab 8b 9d 2b 46 c8 c7 c5 19 92 Data Ascii: MSCFQ"DQ" AdCenvironment.cabo!CCKZ8U[?))sJf22d1R8Bf2Q)SJRPF{~}}g5?1@![?BdlXg^@I+F
2023-11-27 22:27:47 UTC	9633	IN	Data Raw: 21 6f b3 eb a6 cc f5 31 be cf 05 e2 a9 fe fa 57 6d 19 30 b3 c2 c5 66 c9 6a df f5 e7 f0 78 bd c7 a8 9e 25 e3 f9 bc ed 6b 54 57 08 2b 51 82 44 12 fb b9 53 8c cc f4 60 12 8a 76 cc 40 40 41 9b dc 5c 17 ff 5c f9 5e 17 35 98 24 56 4b 74 ef 42 10 c8 af bf 7f c6 7f f2 37 7d 5a 3f 1c f2 99 79 4a 91 52 00 af 38 0f 17 f5 2f 79 81 65 d9 a9 b5 6b e4 c7 ce f6 ca 7a 00 6f 4b 30 44 24 22 3c cf ed 03 a5 96 8f 59 29 bc b6 fd 04 e1 70 9f 32 4a 27 fd 55 af 2f fe b6 e5 8e 33 bb 62 5f 9a db 57 40 e9 f1 ce 99 66 90 8c ff 6a 62 7f dd c5 4a 0b 91 26 e2 39 ec 19 4a 71 63 9d 7b 21 6d c3 9c a3 a2 3c fa 7f 7d 96 6a 90 78 a6 6d d2 e1 9c f9 1d fc 38 d8 94 f4 c6 a5 0a 96 86 a4 bd 9e 1a ae 04 42 83 b8 b5 80 9b 22 38 20 b5 25 e5 64 ec f7 f4 bf 7e 63 59 25 0f 7a 2e 39 57 76 a2 71 aa 06 8a Data Ascii: !o1Wm0fjx%kTW+QDS`v@@A\\^5$VKtB7}Z?yJR8/yekzoK0D$"<Y)p2J'U/3b_W@fjbJ&9Jqc{!m<}jxm8B"8 %d~cY%z.9Wvq

Statistics

CPU Usage

• chrome.exe
• chrome.exe
• chrome.exe

Click to jump to process

Memory Usage

• chrome.exe
• chrome.exe
• chrome.exe

Click to jump to process

Click to jump to process

Target ID:	0
Start time:	23:26:49
Start date:	27/11/2023
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	23:26:50
Start date:	27/11/2023
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 --field-trial-handle=2224,i,1250223647325735963,690844727406367763,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	23:26:52
Start date:	27/11/2023
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Google\Chrome\Application\chrome.exe" "http://imp.impdelivery.xyz
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Source: global traffic	HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=117.0.5938.132&lang=en-US&acceptformat=crx3,puff&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26brand%3DONGR%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmiedaX-Goog-Update-Updater: chromecrx-117.0.5938.132Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=9vO2xXtACaUAyzp&MD=cOSvaY5h HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=9vO2xXtACaUAyzp&MD=cOSvaY5h HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: imp.impdelivery.xyzConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: imp.impdelivery.xyzConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Referer: http://imp.impdelivery.xyz/Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	DNS query: imp.impdelivery.xyz
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	DNS query: imp.impdelivery.xyz

Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 104.46.162.224
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 23.222.194.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.222.194.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.222.194.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.222.194.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.222.194.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.222.194.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.222.194.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.222.194.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.222.194.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.222.194.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.222.194.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.222.194.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.222.194.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.222.194.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.222.194.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.222.194.90
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 23.222.194.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.222.194.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.222.194.90
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 8.252.64.126
Source: unknown	TCP traffic detected without corresponding DNS query: 8.252.64.126
Source: unknown	TCP traffic detected without corresponding DNS query: 8.252.64.126
Source: unknown	TCP traffic detected without corresponding DNS query: 8.252.64.126
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report http://imp.impdelivery.xyz

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Phishing

Compliance

Networking

System Summary

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Chrome Cache Entry: 40

Chrome Cache Entry: 41

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: chrome.exePID: 2416, Parent PID: 6024

General

File Activities

File Opened

File Created

File Deleted

File Moved

Other File Operations

Registry Activities

Key Deleted

Key Value Deleted

Process Activities

Process Created

Windows Analysis Report
http://imp.impdelivery.xyz