Edit tour

Windows Analysis Report
https://s.pemsrv.com/click.php?d=H4sIAAAAAAAAA01SyXKbQBD9FS4coXr24eilnINVkoNlTHRJDQPYKrOZxVJU_fEZkOSkmoKe183rRz8k46BBI5Mhw_dx7Aaf3fj0wV2HwyF8M_W.eQtMPlVjaNvawTrLIBMRCVgU6YBbwYMoM0Wgs4IUTFOpMu6zB2vqbp_77F6eJ_hUDvuxWCBf3SrNBKW.up_xdupt4fDSdNZc5siP4 ...

Overview

General Information

Sample URL:	https://s.pemsrv.com/click.php?d=H4sIAAAAAAAAA01SyXKbQBD9FS4coXr24eilnINVkoNlTHRJDQPYKrOZxVJU_fEZkOSkmoKe183rRz8k46BBI5Mhw_dx7Aaf3fj0wV2HwyF8M_W.eQtMPlVjaNvawTrLIBMRCVgU6YBbwYMoM0Wgs4IUTFOpMu6zB2vqbp_
Analysis ID:	1377347
Infos:

Detection

Score:	1
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Creates files inside the system directory

Stores files to the Windows start menu directory

Uses insecure TLS / SSL version for HTTPS connection

Classification

Process Tree

System is w10x64

chrome.exe (PID: 6504 cmdline: C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6688 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 --field-trial-handle=2212,i,1756867541871884215,12052085162384340501,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 3568 cmdline: C:\Program Files\Google\Chrome\Application\chrome.exe" "https://s.pemsrv.com/click.php?d=H4sIAAAAAAAAA01SyXKbQBD9FS4coXr24eilnINVkoNlTHRJDQPYKrOZxVJU_fEZkOSkmoKe183rRz8k46BBI5Mhw_dx7Aaf3fj0wV2HwyF8M_W.eQtMPlVjaNvawTrLIBMRCVgU6YBbwYMoM0Wgs4IUTFOpMu6zB2vqbp_77F6eJ_hUDvuxWCBf3SrNBKW.up_xdupt4fDSdNZc5siP4%20... MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Joe Sandbox Signatures

• Compliance
• Networking
• System Summary
• Boot Survival

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49720 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 96.7.158.101:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 96.7.158.101:443 -> 192.168.2.5:49715 version: TLS 1.2

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49720 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 96.7.158.101
Source: unknown	TCP traffic detected without corresponding DNS query: 96.7.158.101
Source: unknown	TCP traffic detected without corresponding DNS query: 96.7.158.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 96.7.158.101
Source: unknown	TCP traffic detected without corresponding DNS query: 96.7.158.101
Source: unknown	TCP traffic detected without corresponding DNS query: 96.7.158.101
Source: unknown	TCP traffic detected without corresponding DNS query: 96.7.158.101
Source: unknown	TCP traffic detected without corresponding DNS query: 96.7.158.101
Source: unknown	TCP traffic detected without corresponding DNS query: 96.7.158.101
Source: unknown	TCP traffic detected without corresponding DNS query: 96.7.158.101
Source: unknown	TCP traffic detected without corresponding DNS query: 96.7.158.101
Source: unknown	TCP traffic detected without corresponding DNS query: 96.7.158.101
Source: unknown	TCP traffic detected without corresponding DNS query: 96.7.158.101
Source: unknown	TCP traffic detected without corresponding DNS query: 96.7.158.101
Source: unknown	TCP traffic detected without corresponding DNS query: 96.7.158.101
Source: unknown	TCP traffic detected without corresponding DNS query: 96.7.158.101
Source: unknown	TCP traffic detected without corresponding DNS query: 96.7.158.101
Source: unknown	TCP traffic detected without corresponding DNS query: 96.7.158.101
Source: unknown	TCP traffic detected without corresponding DNS query: 96.7.158.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=117.0.5938.132&lang=en-US&acceptformat=crx3,puff&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26brand%3DONGR%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmiedaX-Goog-Update-Updater: chromecrx-117.0.5938.132Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /click.php?d=H4sIAAAAAAAAA01SyXKbQBD9FS4coXr24eilnINVkoNlTHRJDQPYKrOZxVJU_fEZkOSkmoKe183rRz8k46BBI5Mhw_dx7Aaf3fj0wV2HwyF8M_W.eQtMPlVjaNvawTrLIBMRCVgU6YBbwYMoM0Wgs4IUTFOpMu6zB2vqbp_77F6eJ_hUDvuxWCBf3SrNBKW.up_xdupt4fDSdNZc5siP4%20... HTTP/1.1Host: s.pemsrv.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: s.pemsrv.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-mobile: ?0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-model: ""User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://s.pemsrv.com/click.php?d=H4sIAAAAAAAAA01SyXKbQBD9FS4coXr24eilnINVkoNlTHRJDQPYKrOZxVJU_fEZkOSkmoKe183rRz8k46BBI5Mhw_dx7Aaf3fj0wV2HwyF8M_W.eQtMPlVjaNvawTrLIBMRCVgU6YBbwYMoM0Wgs4IUTFOpMu6zB2vqbp_77F6eJ_hUDvuxWCBf3SrNBKW.up_xdupt4fDSdNZc5siP4%20...Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com

Source: unknown

DNS traffic detected: queries for: clients2.google.com

Source: unknown

HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=511=Ef5vPFGw-MZYo5hwe-0ThAVslbxbmvdVZwcHnqVzWHAU14v53MN1VvwvQq8baYfg2-IAtqZBV5NOL5rvj2NWIqrz377UhLdHtOgE-tJaBlUBYJEhuGsQdqni3oTJg0brqv1djdiLJyvTSUhdK-c5JWadCSsULPLzhSx-F-6wOg4

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713

Source: unknown	HTTPS traffic detected: 96.7.158.101:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 96.7.158.101:443 -> 192.168.2.5:49715 version: TLS 1.2

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Windows\SystemTemp\chrome_BITS_6504_1566960537

Jump to behavior

Source: classification engine

Classification label: clean1.win@16/6@8/6

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Jump to behavior

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 --field-trial-handle=2212,i,1756867541871884215,12052085162384340501,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" "https://s.pemsrv.com/click.php?d=H4sIAAAAAAAAA01SyXKbQBD9FS4coXr24eilnINVkoNlTHRJDQPYKrOZxVJU_fEZkOSkmoKe183rRz8k46BBI5Mhw_dx7Aaf3fj0wV2HwyF8M_W.eQtMPlVjaNvawTrLIBMRCVgU6YBbwYMoM0Wgs4IUTFOpMu6zB2vqbp_77F6eJ_hUDvuxWCBf3SrNBKW.up_xdupt4fDSdNZc5siP4%20...
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 --field-trial-handle=2212,i,1756867541871884215,12052085162384340501,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Google Drive.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
Valid Accounts	Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	1 Process Injection	11 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	3 Non-Application Layer Protocol	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	4 Application Layer Protocol			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	1 Ingress Tool Transfer			Data Destruction	Virtual Private Server	Employee Names

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
https://s.pemsrv.com/click.php?d=H4sIAAAAAAAAA01SyXKbQBD9FS4coXr24eilnINVkoNlTHRJDQPYKrOZxVJU_fEZkOSkmoKe183rRz8k46BBI5Mhw_dx7Aaf3fj0wV2HwyF8M_W.eQtMPlVjaNvawTrLIBMRCVgU6YBbwYMoM0Wgs4IUTFOpMu6zB2vqbp_77F6eJ_hUDvuxWCBf3SrNBKW.up_xdupt4fDSdNZc5siP4%20...	0%	Avira URL Cloud	safe

Source	Detection	Scanner	Label	Link
https://s.pemsrv.com/favicon.ico	0%	Avira URL Cloud	safe
https://s.pemsrv.com/favicon.ico	0%	Virustotal		Browse

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Reputation
accounts.google.com	173.194.202.84	true	false	high
www.google.com	142.251.215.228	true	false	high
clients.l.google.com	142.250.69.206	true	false	high
fp2e7a.wpc.phicdn.net	192.229.211.108	true	false	unknown
tk6if76q.ab1n.net	68.169.106.40	true	false	unknown
clients2.google.com	unknown	unknown	false	high
s.pemsrv.com	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://s.pemsrv.com/favicon.ico	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=117.0.5938.132&lang=en-US&acceptformat=crx3,puff&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26brand%3DONGR%26ping%3Dr%253D-1%2526e%253D1	false		high
https://s.pemsrv.com/click.php?d=H4sIAAAAAAAAA01SyXKbQBD9FS4coXr24eilnINVkoNlTHRJDQPYKrOZxVJU_fEZkOSkmoKe183rRz8k46BBI5Mhw_dx7Aaf3fj0wV2HwyF8M_W.eQtMPlVjaNvawTrLIBMRCVgU6YBbwYMoM0Wgs4IUTFOpMu6zB2vqbp_77F6eJ_hUDvuxWCBf3SrNBKW.up_xdupt4fDSdNZc5siP4%20...	false		unknown
https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
173.194.202.84	accounts.google.com	United States	15169	GOOGLEUS	false
142.251.215.228	www.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.69.206	clients.l.google.com	United States	15169	GOOGLEUS	false
68.169.106.40	tk6if76q.ab1n.net	United States	30602	ISPRIMEUS	false

Private

IP
192.168.2.5

General Information

Joe Sandbox version:	38.0.0 Ammolite
Analysis ID:	1377347
Start date and time:	2024-01-19 11:36:01 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	https://s.pemsrv.com/click.php?d=H4sIAAAAAAAAA01SyXKbQBD9FS4coXr24eilnINVkoNlTHRJDQPYKrOZxVJU_fEZkOSkmoKe183rRz8k46BBI5Mhw_dx7Aaf3fj0wV2HwyF8M_W.eQtMPlVjaNvawTrLIBMRCVgU6YBbwYMoM0Wgs4IUTFOpMu6zB2vqbp_77F6eJ_hUDvuxWCBf3SrNBKW.up_xdupt4fDSdNZc5siP4 ...
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean1.win@16/6@8/6
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.69.195, 34.104.35.123, 40.68.123.157, 23.32.75.16, 23.32.75.29, 192.229.211.108, 52.165.164.15, 142.251.211.227, 72.21.81.240
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, wu.ec.azureedge.net, clientservices.googleapis.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-bg-shim.trafficmanager.net, wu.azureedge.net, download.windowsupdate.com.edgesuite.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, edgedl.me.gvt1.com, ocsp.digicert.com, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, sls.update.microsoft.com, update.googleapis.com, hlb.apr-52dd2-0.edgecastdns.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Jan 19 09:36:48 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.9756958553269297
Encrypted:	false
SSDEEP:	48:8fdoTMw7HWcidAKZdA19ehwiZUklqehBy+3:8yP1ey
MD5:	520B911FA0D1109D290D84F09D7412B3
SHA1:	F0578B7C60C65BDF8F2BAF2EB4ED116838F2C23F
SHA-256:	0FCE4D34B9519F2C8D47F29656C279A4A45F4079BD64F1BD0196620C115DE290
SHA-512:	EDFC8F46292BB7FEF1A4998CC85D40E6A180A318C9160801CF041814EB5C646A5C572A705AF3DF7AD029C09E8A2BF08D1D75CADFDB0D4635F7913EF56985A085
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.....E=h.J..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I3X.T....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V3X.T....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V3X.T....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V3X.T..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V3X.T...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........Je.X.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Jan 19 09:36:48 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	3.9883820850028044
Encrypted:	false
SSDEEP:	48:8hdoTMw7HWcidAKZdA1weh/iZUkAQkqehOy+2:8MPv9Qny
MD5:	9C3741D86368964F5D9D3EF2166DE910
SHA1:	6001C3744F5623AAD774E629FA31EFDA9A736AAC
SHA-256:	173E351AAE1987A692CB61B9CD6CEDD279E950257497C7E99294F797500A85B6
SHA-512:	2F9FFD6CC85052277191773B8A6070056B92B2AD4AF2BAA4D00B72D9A45335B360765C5E9402F17A62B0D07254244FE369E5000C5441CEE04FB7DA6D2D3A29A5
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....ta2h.J..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I3X.T....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V3X.T....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V3X.T....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V3X.T..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V3X.T...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........Je.X.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 4 12:54:07 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2693
Entropy (8bit):	4.003829548939266
Encrypted:	false
SSDEEP:	48:8xJdoTMwsHWcidAKZdA14tseh7sFiZUkmgqeh7scy+BX:8x0PGnay
MD5:	63C5BBEF81FF85D327CA546D0C9FA883
SHA1:	BEB2A92F4F51EE167D3D6F779FB846B53872C3E0
SHA-256:	22F4148443EC99A388DF7EE1337A6D40D1075CC8547EECCF33D3328BBC1EC288
SHA-512:	67B9FA37CBFD7769E1E2604B0A513FACABD10DD6DE94680C9AF413C3A6488AA40C987C117943843CB5DCE4AF53C5095759957177554871A261C152DA9B33CC00
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......e>....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I3X.T....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V3X.T....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V3X.T....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V3X.T..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VDW.n...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........Je.X.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Jan 19 09:36:48 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.9917291256417804
Encrypted:	false
SSDEEP:	48:88doTMw7HWcidAKZdA1vehDiZUkwqehCy+R:8HPMEy
MD5:	D3C03BD4095CDCDEE748705F44CA9077
SHA1:	E9195D7911D1CE553C0EE546EDD897524CEA6590
SHA-256:	6C8E846B387BA2025555BB3AA93A0C817A04708CAB5D30990FB55BD4771F1ABF
SHA-512:	3B6A943DA177A7C71C98EE3144FD3023DD761B6C7671BDB6E2EAFE9A8DC2672344DDA3974274A46FF4C0B309F737D4BC32583D2EE1DA86C326DF02A16605C813
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......,h.J..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I3X.T....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V3X.T....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V3X.T....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V3X.T..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V3X.T...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........Je.X.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Jan 19 09:36:48 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.9800079443940923
Encrypted:	false
SSDEEP:	48:84doTMw7HWcidAKZdA1hehBiZUk1W1qehoy+C:8zP89Iy
MD5:	8BF07E058FC6D9D79E60703D50E7C06B
SHA1:	8CD7806E7B4C384A08A4E317B088494C1AE0E56F
SHA-256:	D94B7F757CC3617CA8C9FB45103B82F4DC76A01400AC3C5A9961A2933451FAFB
SHA-512:	448FD9223424AB318E035EFCC7F90331628F2FDA159FFDD1CEAF38F60E017A8AEF7C96C31DE8E0D2EFE84289219A147D1B05129962E14237E9E6981ED359E2F9
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....>.7h.J..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I3X.T....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V3X.T....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V3X.T....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V3X.T..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V3X.T...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........Je.X.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Jan 19 09:36:48 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2683
Entropy (8bit):	3.9908214577506196
Encrypted:	false
SSDEEP:	48:8OdoTMw7HWcidAKZdA1duT+ehOuTbbiZUk5OjqehOuTbay+yT+:8hPST/TbxWOvTbay7T
MD5:	C7F05C6BEFDABBEEC2A8A367F39DF1FA
SHA1:	5C2C1863ACEE98AC888E029EA82155B8DA93E31A
SHA-256:	982AEB0BB76775CF8B908F9FD0A73C0068BE697F2D8A1E759ECDDB5E7B77713D
SHA-512:	E8F2A10FDFE09587EE8923EA8025DCE38F656F8449C4E2BE84CD653990A67CA75252A4C67F79B5F79CA62CD85E5EBD3D592E233E439B196C13093A4CAC25524B
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.......h.J..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I3X.T....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V3X.T....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V3X.T....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V3X.T..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V3X.T...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........Je.X.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Total Packets: 107
• 443 (HTTPS)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 19, 2024 11:36:43.311862946 CET	49674	443	192.168.2.5	23.1.237.91
Jan 19, 2024 11:36:43.315639973 CET	49675	443	192.168.2.5	23.1.237.91
Jan 19, 2024 11:36:43.405596018 CET	49673	443	192.168.2.5	23.1.237.91
Jan 19, 2024 11:36:48.148066998 CET	49705	443	192.168.2.5	142.250.69.206
Jan 19, 2024 11:36:48.148106098 CET	443	49705	142.250.69.206	192.168.2.5
Jan 19, 2024 11:36:48.148168087 CET	49705	443	192.168.2.5	142.250.69.206
Jan 19, 2024 11:36:48.148721933 CET	49706	443	192.168.2.5	173.194.202.84
Jan 19, 2024 11:36:48.148730993 CET	443	49706	173.194.202.84	192.168.2.5
Jan 19, 2024 11:36:48.148788929 CET	49706	443	192.168.2.5	173.194.202.84
Jan 19, 2024 11:36:48.149039030 CET	49705	443	192.168.2.5	142.250.69.206
Jan 19, 2024 11:36:48.149056911 CET	443	49705	142.250.69.206	192.168.2.5
Jan 19, 2024 11:36:48.149207115 CET	49706	443	192.168.2.5	173.194.202.84
Jan 19, 2024 11:36:48.149219990 CET	443	49706	173.194.202.84	192.168.2.5
Jan 19, 2024 11:36:48.484771967 CET	443	49705	142.250.69.206	192.168.2.5
Jan 19, 2024 11:36:48.484932899 CET	49705	443	192.168.2.5	142.250.69.206
Jan 19, 2024 11:36:48.484971046 CET	443	49705	142.250.69.206	192.168.2.5
Jan 19, 2024 11:36:48.485387087 CET	443	49705	142.250.69.206	192.168.2.5
Jan 19, 2024 11:36:48.485522985 CET	49705	443	192.168.2.5	142.250.69.206
Jan 19, 2024 11:36:48.486387014 CET	443	49705	142.250.69.206	192.168.2.5
Jan 19, 2024 11:36:48.486447096 CET	49705	443	192.168.2.5	142.250.69.206
Jan 19, 2024 11:36:48.487363100 CET	49705	443	192.168.2.5	142.250.69.206
Jan 19, 2024 11:36:48.487438917 CET	443	49705	142.250.69.206	192.168.2.5
Jan 19, 2024 11:36:48.487481117 CET	49705	443	192.168.2.5	142.250.69.206
Jan 19, 2024 11:36:48.490236998 CET	443	49706	173.194.202.84	192.168.2.5
Jan 19, 2024 11:36:48.490436077 CET	49706	443	192.168.2.5	173.194.202.84
Jan 19, 2024 11:36:48.490447044 CET	443	49706	173.194.202.84	192.168.2.5
Jan 19, 2024 11:36:48.491889954 CET	443	49706	173.194.202.84	192.168.2.5
Jan 19, 2024 11:36:48.491951942 CET	49706	443	192.168.2.5	173.194.202.84
Jan 19, 2024 11:36:48.492914915 CET	49706	443	192.168.2.5	173.194.202.84
Jan 19, 2024 11:36:48.492997885 CET	443	49706	173.194.202.84	192.168.2.5
Jan 19, 2024 11:36:48.493068933 CET	49706	443	192.168.2.5	173.194.202.84
Jan 19, 2024 11:36:48.493077993 CET	443	49706	173.194.202.84	192.168.2.5
Jan 19, 2024 11:36:48.529920101 CET	443	49705	142.250.69.206	192.168.2.5
Jan 19, 2024 11:36:48.593247890 CET	49705	443	192.168.2.5	142.250.69.206
Jan 19, 2024 11:36:48.593247890 CET	49706	443	192.168.2.5	173.194.202.84
Jan 19, 2024 11:36:48.593271971 CET	443	49705	142.250.69.206	192.168.2.5
Jan 19, 2024 11:36:48.796360970 CET	49705	443	192.168.2.5	142.250.69.206
Jan 19, 2024 11:36:48.799180984 CET	443	49705	142.250.69.206	192.168.2.5
Jan 19, 2024 11:36:48.799302101 CET	443	49705	142.250.69.206	192.168.2.5
Jan 19, 2024 11:36:48.799643993 CET	49705	443	192.168.2.5	142.250.69.206
Jan 19, 2024 11:36:48.799860954 CET	49705	443	192.168.2.5	142.250.69.206
Jan 19, 2024 11:36:48.799882889 CET	443	49705	142.250.69.206	192.168.2.5
Jan 19, 2024 11:36:48.814673901 CET	443	49706	173.194.202.84	192.168.2.5
Jan 19, 2024 11:36:48.814785957 CET	49706	443	192.168.2.5	173.194.202.84
Jan 19, 2024 11:36:48.814816952 CET	443	49706	173.194.202.84	192.168.2.5
Jan 19, 2024 11:36:48.815016985 CET	443	49706	173.194.202.84	192.168.2.5
Jan 19, 2024 11:36:48.815143108 CET	49706	443	192.168.2.5	173.194.202.84
Jan 19, 2024 11:36:48.815212965 CET	49706	443	192.168.2.5	173.194.202.84
Jan 19, 2024 11:36:48.815227985 CET	443	49706	173.194.202.84	192.168.2.5
Jan 19, 2024 11:36:50.098802090 CET	49709	443	192.168.2.5	68.169.106.40
Jan 19, 2024 11:36:50.098860979 CET	443	49709	68.169.106.40	192.168.2.5
Jan 19, 2024 11:36:50.098937035 CET	49709	443	192.168.2.5	68.169.106.40
Jan 19, 2024 11:36:50.099869013 CET	49710	443	192.168.2.5	68.169.106.40
Jan 19, 2024 11:36:50.099926949 CET	443	49710	68.169.106.40	192.168.2.5
Jan 19, 2024 11:36:50.099984884 CET	49710	443	192.168.2.5	68.169.106.40
Jan 19, 2024 11:36:50.100178957 CET	49709	443	192.168.2.5	68.169.106.40
Jan 19, 2024 11:36:50.100195885 CET	443	49709	68.169.106.40	192.168.2.5
Jan 19, 2024 11:36:50.100511074 CET	49710	443	192.168.2.5	68.169.106.40
Jan 19, 2024 11:36:50.100547075 CET	443	49710	68.169.106.40	192.168.2.5
Jan 19, 2024 11:36:50.562808990 CET	443	49710	68.169.106.40	192.168.2.5
Jan 19, 2024 11:36:50.563106060 CET	49710	443	192.168.2.5	68.169.106.40
Jan 19, 2024 11:36:50.563126087 CET	443	49710	68.169.106.40	192.168.2.5
Jan 19, 2024 11:36:50.564110041 CET	443	49710	68.169.106.40	192.168.2.5
Jan 19, 2024 11:36:50.564198017 CET	49710	443	192.168.2.5	68.169.106.40
Jan 19, 2024 11:36:50.565484047 CET	49710	443	192.168.2.5	68.169.106.40
Jan 19, 2024 11:36:50.565546989 CET	443	49710	68.169.106.40	192.168.2.5
Jan 19, 2024 11:36:50.565740108 CET	443	49709	68.169.106.40	192.168.2.5
Jan 19, 2024 11:36:50.565805912 CET	49710	443	192.168.2.5	68.169.106.40
Jan 19, 2024 11:36:50.565810919 CET	443	49710	68.169.106.40	192.168.2.5
Jan 19, 2024 11:36:50.566040993 CET	49709	443	192.168.2.5	68.169.106.40
Jan 19, 2024 11:36:50.566070080 CET	443	49709	68.169.106.40	192.168.2.5
Jan 19, 2024 11:36:50.567485094 CET	443	49709	68.169.106.40	192.168.2.5
Jan 19, 2024 11:36:50.567559004 CET	49709	443	192.168.2.5	68.169.106.40
Jan 19, 2024 11:36:50.568445921 CET	49709	443	192.168.2.5	68.169.106.40
Jan 19, 2024 11:36:50.568511009 CET	443	49709	68.169.106.40	192.168.2.5
Jan 19, 2024 11:36:50.610243082 CET	49710	443	192.168.2.5	68.169.106.40
Jan 19, 2024 11:36:50.610279083 CET	49709	443	192.168.2.5	68.169.106.40
Jan 19, 2024 11:36:50.610316038 CET	443	49709	68.169.106.40	192.168.2.5
Jan 19, 2024 11:36:50.658512115 CET	49709	443	192.168.2.5	68.169.106.40
Jan 19, 2024 11:36:50.994708061 CET	443	49710	68.169.106.40	192.168.2.5
Jan 19, 2024 11:36:50.994808912 CET	443	49710	68.169.106.40	192.168.2.5
Jan 19, 2024 11:36:50.994864941 CET	49710	443	192.168.2.5	68.169.106.40
Jan 19, 2024 11:36:51.007553101 CET	49710	443	192.168.2.5	68.169.106.40
Jan 19, 2024 11:36:51.007569075 CET	443	49710	68.169.106.40	192.168.2.5
Jan 19, 2024 11:36:51.049802065 CET	49709	443	192.168.2.5	68.169.106.40
Jan 19, 2024 11:36:51.089900017 CET	443	49709	68.169.106.40	192.168.2.5
Jan 19, 2024 11:36:51.487759113 CET	443	49709	68.169.106.40	192.168.2.5
Jan 19, 2024 11:36:51.487993002 CET	443	49709	68.169.106.40	192.168.2.5
Jan 19, 2024 11:36:51.488070965 CET	49709	443	192.168.2.5	68.169.106.40
Jan 19, 2024 11:36:51.489430904 CET	49709	443	192.168.2.5	68.169.106.40
Jan 19, 2024 11:36:51.489459038 CET	443	49709	68.169.106.40	192.168.2.5
Jan 19, 2024 11:36:51.986305952 CET	49713	443	192.168.2.5	142.251.215.228
Jan 19, 2024 11:36:51.986378908 CET	443	49713	142.251.215.228	192.168.2.5
Jan 19, 2024 11:36:51.986443043 CET	49713	443	192.168.2.5	142.251.215.228
Jan 19, 2024 11:36:51.987914085 CET	49713	443	192.168.2.5	142.251.215.228
Jan 19, 2024 11:36:51.987950087 CET	443	49713	142.251.215.228	192.168.2.5
Jan 19, 2024 11:36:52.322959900 CET	443	49713	142.251.215.228	192.168.2.5
Jan 19, 2024 11:36:52.336211920 CET	49713	443	192.168.2.5	142.251.215.228
Jan 19, 2024 11:36:52.336252928 CET	443	49713	142.251.215.228	192.168.2.5
Jan 19, 2024 11:36:52.339152098 CET	443	49713	142.251.215.228	192.168.2.5
Jan 19, 2024 11:36:52.339261055 CET	49713	443	192.168.2.5	142.251.215.228
Jan 19, 2024 11:36:52.811897993 CET	49713	443	192.168.2.5	142.251.215.228
Jan 19, 2024 11:36:52.812103987 CET	443	49713	142.251.215.228	192.168.2.5
Jan 19, 2024 11:36:52.859333992 CET	49713	443	192.168.2.5	142.251.215.228
Jan 19, 2024 11:36:52.859369040 CET	443	49713	142.251.215.228	192.168.2.5
Jan 19, 2024 11:36:52.872814894 CET	49714	443	192.168.2.5	96.7.158.101
Jan 19, 2024 11:36:52.872869015 CET	443	49714	96.7.158.101	192.168.2.5
Jan 19, 2024 11:36:52.872932911 CET	49714	443	192.168.2.5	96.7.158.101
Jan 19, 2024 11:36:52.876857042 CET	49714	443	192.168.2.5	96.7.158.101
Jan 19, 2024 11:36:52.876893997 CET	443	49714	96.7.158.101	192.168.2.5
Jan 19, 2024 11:36:52.906147003 CET	49713	443	192.168.2.5	142.251.215.228
Jan 19, 2024 11:36:52.921777010 CET	49675	443	192.168.2.5	23.1.237.91
Jan 19, 2024 11:36:52.921782017 CET	49674	443	192.168.2.5	23.1.237.91
Jan 19, 2024 11:36:53.015537977 CET	49673	443	192.168.2.5	23.1.237.91
Jan 19, 2024 11:36:53.196178913 CET	443	49714	96.7.158.101	192.168.2.5
Jan 19, 2024 11:36:53.196294069 CET	49714	443	192.168.2.5	96.7.158.101
Jan 19, 2024 11:36:53.209538937 CET	49714	443	192.168.2.5	96.7.158.101
Jan 19, 2024 11:36:53.209564924 CET	443	49714	96.7.158.101	192.168.2.5
Jan 19, 2024 11:36:53.210025072 CET	443	49714	96.7.158.101	192.168.2.5
Jan 19, 2024 11:36:53.265531063 CET	49714	443	192.168.2.5	96.7.158.101
Jan 19, 2024 11:36:53.388655901 CET	49714	443	192.168.2.5	96.7.158.101
Jan 19, 2024 11:36:53.429944992 CET	443	49714	96.7.158.101	192.168.2.5
Jan 19, 2024 11:36:53.541811943 CET	443	49714	96.7.158.101	192.168.2.5
Jan 19, 2024 11:36:53.542001963 CET	443	49714	96.7.158.101	192.168.2.5
Jan 19, 2024 11:36:53.542076111 CET	49714	443	192.168.2.5	96.7.158.101
Jan 19, 2024 11:36:53.542411089 CET	49714	443	192.168.2.5	96.7.158.101
Jan 19, 2024 11:36:53.542429924 CET	443	49714	96.7.158.101	192.168.2.5
Jan 19, 2024 11:36:53.542485952 CET	49714	443	192.168.2.5	96.7.158.101
Jan 19, 2024 11:36:53.542491913 CET	443	49714	96.7.158.101	192.168.2.5
Jan 19, 2024 11:36:53.608795881 CET	49715	443	192.168.2.5	96.7.158.101
Jan 19, 2024 11:36:53.608846903 CET	443	49715	96.7.158.101	192.168.2.5
Jan 19, 2024 11:36:53.608925104 CET	49715	443	192.168.2.5	96.7.158.101
Jan 19, 2024 11:36:53.611237049 CET	49715	443	192.168.2.5	96.7.158.101
Jan 19, 2024 11:36:53.611253023 CET	443	49715	96.7.158.101	192.168.2.5
Jan 19, 2024 11:36:53.925265074 CET	443	49715	96.7.158.101	192.168.2.5
Jan 19, 2024 11:36:53.925353050 CET	49715	443	192.168.2.5	96.7.158.101
Jan 19, 2024 11:36:53.929208040 CET	49715	443	192.168.2.5	96.7.158.101
Jan 19, 2024 11:36:53.929224014 CET	443	49715	96.7.158.101	192.168.2.5
Jan 19, 2024 11:36:53.929560900 CET	443	49715	96.7.158.101	192.168.2.5
Jan 19, 2024 11:36:53.931531906 CET	49715	443	192.168.2.5	96.7.158.101
Jan 19, 2024 11:36:53.973913908 CET	443	49715	96.7.158.101	192.168.2.5
Jan 19, 2024 11:36:54.228539944 CET	443	49715	96.7.158.101	192.168.2.5
Jan 19, 2024 11:36:54.228701115 CET	443	49715	96.7.158.101	192.168.2.5
Jan 19, 2024 11:36:54.229326010 CET	49715	443	192.168.2.5	96.7.158.101
Jan 19, 2024 11:36:54.230093002 CET	49715	443	192.168.2.5	96.7.158.101
Jan 19, 2024 11:36:54.230114937 CET	443	49715	96.7.158.101	192.168.2.5
Jan 19, 2024 11:36:54.230130911 CET	49715	443	192.168.2.5	96.7.158.101
Jan 19, 2024 11:36:54.230139017 CET	443	49715	96.7.158.101	192.168.2.5
Jan 19, 2024 11:36:54.426204920 CET	443	49703	23.1.237.91	192.168.2.5
Jan 19, 2024 11:36:54.426320076 CET	49703	443	192.168.2.5	23.1.237.91
Jan 19, 2024 11:37:02.304968119 CET	443	49713	142.251.215.228	192.168.2.5
Jan 19, 2024 11:37:02.305030107 CET	443	49713	142.251.215.228	192.168.2.5
Jan 19, 2024 11:37:02.305217028 CET	49713	443	192.168.2.5	142.251.215.228
Jan 19, 2024 11:37:02.452893019 CET	49713	443	192.168.2.5	142.251.215.228
Jan 19, 2024 11:37:02.452915907 CET	443	49713	142.251.215.228	192.168.2.5
Jan 19, 2024 11:37:05.336697102 CET	49703	443	192.168.2.5	23.1.237.91
Jan 19, 2024 11:37:05.336859941 CET	49703	443	192.168.2.5	23.1.237.91
Jan 19, 2024 11:37:05.337333918 CET	49720	443	192.168.2.5	23.1.237.91
Jan 19, 2024 11:37:05.337382078 CET	443	49720	23.1.237.91	192.168.2.5
Jan 19, 2024 11:37:05.337452888 CET	49720	443	192.168.2.5	23.1.237.91
Jan 19, 2024 11:37:05.339421988 CET	49720	443	192.168.2.5	23.1.237.91
Jan 19, 2024 11:37:05.339436054 CET	443	49720	23.1.237.91	192.168.2.5
Jan 19, 2024 11:37:05.517244101 CET	443	49703	23.1.237.91	192.168.2.5
Jan 19, 2024 11:37:05.517301083 CET	443	49703	23.1.237.91	192.168.2.5
Jan 19, 2024 11:37:05.724647999 CET	443	49720	23.1.237.91	192.168.2.5
Jan 19, 2024 11:37:05.724752903 CET	49720	443	192.168.2.5	23.1.237.91
Jan 19, 2024 11:37:05.891032934 CET	49720	443	192.168.2.5	23.1.237.91
Jan 19, 2024 11:37:05.891069889 CET	443	49720	23.1.237.91	192.168.2.5
Jan 19, 2024 11:37:05.892185926 CET	443	49720	23.1.237.91	192.168.2.5
Jan 19, 2024 11:37:05.892261028 CET	49720	443	192.168.2.5	23.1.237.91
Jan 19, 2024 11:37:05.907793045 CET	49720	443	192.168.2.5	23.1.237.91
Jan 19, 2024 11:37:05.907871008 CET	443	49720	23.1.237.91	192.168.2.5
Jan 19, 2024 11:37:05.908104897 CET	49720	443	192.168.2.5	23.1.237.91
Jan 19, 2024 11:37:05.908117056 CET	443	49720	23.1.237.91	192.168.2.5
Jan 19, 2024 11:37:06.357358932 CET	443	49720	23.1.237.91	192.168.2.5
Jan 19, 2024 11:37:06.357831001 CET	443	49720	23.1.237.91	192.168.2.5
Jan 19, 2024 11:37:06.357971907 CET	49720	443	192.168.2.5	23.1.237.91
Jan 19, 2024 11:37:51.813361883 CET	49726	443	192.168.2.5	142.251.215.228
Jan 19, 2024 11:37:51.813405037 CET	443	49726	142.251.215.228	192.168.2.5
Jan 19, 2024 11:37:51.813507080 CET	49726	443	192.168.2.5	142.251.215.228
Jan 19, 2024 11:37:51.813918114 CET	49726	443	192.168.2.5	142.251.215.228
Jan 19, 2024 11:37:51.813931942 CET	443	49726	142.251.215.228	192.168.2.5
Jan 19, 2024 11:37:52.128796101 CET	443	49726	142.251.215.228	192.168.2.5
Jan 19, 2024 11:37:52.129154921 CET	49726	443	192.168.2.5	142.251.215.228
Jan 19, 2024 11:37:52.129188061 CET	443	49726	142.251.215.228	192.168.2.5
Jan 19, 2024 11:37:52.129503965 CET	443	49726	142.251.215.228	192.168.2.5
Jan 19, 2024 11:37:52.129841089 CET	49726	443	192.168.2.5	142.251.215.228
Jan 19, 2024 11:37:52.129905939 CET	443	49726	142.251.215.228	192.168.2.5
Jan 19, 2024 11:37:52.170845985 CET	49726	443	192.168.2.5	142.251.215.228
Jan 19, 2024 11:38:02.129477024 CET	443	49726	142.251.215.228	192.168.2.5
Jan 19, 2024 11:38:02.129640102 CET	443	49726	142.251.215.228	192.168.2.5
Jan 19, 2024 11:38:02.129709959 CET	49726	443	192.168.2.5	142.251.215.228
Jan 19, 2024 11:38:02.590497971 CET	49726	443	192.168.2.5	142.251.215.228
Jan 19, 2024 11:38:02.590522051 CET	443	49726	142.251.215.228	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 19, 2024 11:36:47.993050098 CET	62961	53	192.168.2.5	1.1.1.1
Jan 19, 2024 11:36:47.993423939 CET	58365	53	192.168.2.5	1.1.1.1
Jan 19, 2024 11:36:47.993870020 CET	50230	53	192.168.2.5	1.1.1.1
Jan 19, 2024 11:36:47.994060040 CET	63411	53	192.168.2.5	1.1.1.1
Jan 19, 2024 11:36:48.146493912 CET	53	62961	1.1.1.1	192.168.2.5
Jan 19, 2024 11:36:48.147114992 CET	53	50230	1.1.1.1	192.168.2.5
Jan 19, 2024 11:36:48.147156000 CET	53	63411	1.1.1.1	192.168.2.5
Jan 19, 2024 11:36:48.147334099 CET	53	58365	1.1.1.1	192.168.2.5
Jan 19, 2024 11:36:48.997407913 CET	53	65390	1.1.1.1	192.168.2.5
Jan 19, 2024 11:36:49.927194118 CET	63896	53	192.168.2.5	1.1.1.1
Jan 19, 2024 11:36:49.927459955 CET	58941	53	192.168.2.5	1.1.1.1
Jan 19, 2024 11:36:50.079660892 CET	53	63896	1.1.1.1	192.168.2.5
Jan 19, 2024 11:36:50.091228008 CET	53	58941	1.1.1.1	192.168.2.5
Jan 19, 2024 11:36:51.801947117 CET	53217	53	192.168.2.5	1.1.1.1
Jan 19, 2024 11:36:51.802630901 CET	54028	53	192.168.2.5	1.1.1.1
Jan 19, 2024 11:36:51.955426931 CET	53	53217	1.1.1.1	192.168.2.5
Jan 19, 2024 11:36:51.956568003 CET	53	54028	1.1.1.1	192.168.2.5
Jan 19, 2024 11:37:06.827214003 CET	53	56296	1.1.1.1	192.168.2.5
Jan 19, 2024 11:37:25.826873064 CET	53	57385	1.1.1.1	192.168.2.5
Jan 19, 2024 11:37:47.227317095 CET	53	54518	1.1.1.1	192.168.2.5
Jan 19, 2024 11:37:48.570976973 CET	53	57874	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 19, 2024 11:36:47.993050098 CET	192.168.2.5	1.1.1.1	0xf218	Standard query (0)	clients2.google.com	A (IP address)	IN (0x0001)	false
Jan 19, 2024 11:36:47.993423939 CET	192.168.2.5	1.1.1.1	0x6ee	Standard query (0)	clients2.google.com	65	IN (0x0001)	false
Jan 19, 2024 11:36:47.993870020 CET	192.168.2.5	1.1.1.1	0xbde7	Standard query (0)	accounts.google.com	A (IP address)	IN (0x0001)	false
Jan 19, 2024 11:36:47.994060040 CET	192.168.2.5	1.1.1.1	0xeb97	Standard query (0)	accounts.google.com	65	IN (0x0001)	false
Jan 19, 2024 11:36:49.927194118 CET	192.168.2.5	1.1.1.1	0x355f	Standard query (0)	s.pemsrv.com	A (IP address)	IN (0x0001)	false
Jan 19, 2024 11:36:49.927459955 CET	192.168.2.5	1.1.1.1	0xe861	Standard query (0)	s.pemsrv.com	65	IN (0x0001)	false
Jan 19, 2024 11:36:51.801947117 CET	192.168.2.5	1.1.1.1	0x6e6d	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Jan 19, 2024 11:36:51.802630901 CET	192.168.2.5	1.1.1.1	0xe9a5	Standard query (0)	www.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 19, 2024 11:36:48.146493912 CET	1.1.1.1	192.168.2.5	0xf218	No error (0)	clients2.google.com	clients.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 19, 2024 11:36:48.146493912 CET	1.1.1.1	192.168.2.5	0xf218	No error (0)	clients.l.google.com		142.250.69.206	A (IP address)	IN (0x0001)	false
Jan 19, 2024 11:36:48.147114992 CET	1.1.1.1	192.168.2.5	0xbde7	No error (0)	accounts.google.com		173.194.202.84	A (IP address)	IN (0x0001)	false
Jan 19, 2024 11:36:48.147334099 CET	1.1.1.1	192.168.2.5	0x6ee	No error (0)	clients2.google.com	clients.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 19, 2024 11:36:50.079660892 CET	1.1.1.1	192.168.2.5	0x355f	No error (0)	s.pemsrv.com	tk6if76q.ab1n.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 19, 2024 11:36:50.079660892 CET	1.1.1.1	192.168.2.5	0x355f	No error (0)	tk6if76q.ab1n.net		68.169.106.40	A (IP address)	IN (0x0001)	false
Jan 19, 2024 11:36:50.079660892 CET	1.1.1.1	192.168.2.5	0x355f	No error (0)	tk6if76q.ab1n.net		68.169.106.41	A (IP address)	IN (0x0001)	false
Jan 19, 2024 11:36:50.091228008 CET	1.1.1.1	192.168.2.5	0xe861	No error (0)	s.pemsrv.com	tk6if76q.ab1n.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 19, 2024 11:36:51.955426931 CET	1.1.1.1	192.168.2.5	0x6e6d	No error (0)	www.google.com		142.251.215.228	A (IP address)	IN (0x0001)	false
Jan 19, 2024 11:36:51.956568003 CET	1.1.1.1	192.168.2.5	0xe9a5	No error (0)	www.google.com			65	IN (0x0001)	false
Jan 19, 2024 11:37:04.826998949 CET	1.1.1.1	192.168.2.5	0xefd	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 19, 2024 11:37:04.826998949 CET	1.1.1.1	192.168.2.5	0xefd	No error (0)	fp2e7a.wpc.phicdn.net		192.229.211.108	A (IP address)	IN (0x0001)	false
Jan 19, 2024 11:37:19.064620972 CET	1.1.1.1	192.168.2.5	0xfbee	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 19, 2024 11:37:19.064620972 CET	1.1.1.1	192.168.2.5	0xfbee	No error (0)	fp2e7a.wpc.phicdn.net		192.229.211.108	A (IP address)	IN (0x0001)	false
Jan 19, 2024 11:37:41.030065060 CET	1.1.1.1	192.168.2.5	0xe812	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 19, 2024 11:37:41.030065060 CET	1.1.1.1	192.168.2.5	0xe812	No error (0)	fp2e7a.wpc.phicdn.net		192.229.211.108	A (IP address)	IN (0x0001)	false
Jan 19, 2024 11:38:00.653621912 CET	1.1.1.1	192.168.2.5	0x4ae6	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 19, 2024 11:38:00.653621912 CET	1.1.1.1	192.168.2.5	0x4ae6	No error (0)	fp2e7a.wpc.phicdn.net		192.229.211.108	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

clients2.google.com

accounts.google.com

s.pemsrv.com

https:

www.bing.com

fs.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49705	142.250.69.206	443	6688	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-01-19 10:36:48 UTC	752	OUT	GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=117.0.5938.132&lang=en-US&acceptformat=crx3,puff&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26brand%3DONGR%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1 Host: clients2.google.com Connection: keep-alive X-Goog-Update-Interactivity: fg X-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda X-Goog-Update-Updater: chromecrx-117.0.5938.132 Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-01-19 10:36:48 UTC	731	IN	HTTP/1.1 200 OK Content-Security-Policy: script-src 'report-sample' 'nonce-Ha36ZNyAIoo-mbVhzIHcow' 'unsafe-inline' 'strict-dynamic' https: http:;object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/clientupdate-aus/1 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 19 Jan 2024 10:36:48 GMT Content-Type: text/xml; charset=UTF-8 X-Daynum: 6227 X-Daystart: 9408 X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block Server: GSE Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-01-19 10:36:48 UTC	521	IN	Data Raw: 32 63 38 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 67 75 70 64 61 74 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 75 70 64 61 74 65 32 2f 72 65 73 70 6f 6e 73 65 22 20 70 72 6f 74 6f 63 6f 6c 3d 22 32 2e 30 22 20 73 65 72 76 65 72 3d 22 70 72 6f 64 22 3e 3c 64 61 79 73 74 61 72 74 20 65 6c 61 70 73 65 64 5f 64 61 79 73 3d 22 36 32 32 37 22 20 65 6c 61 70 73 65 64 5f 73 65 63 6f 6e 64 73 3d 22 39 34 30 38 22 2f 3e 3c 61 70 70 20 61 70 70 69 64 3d 22 6e 6d 6d 68 6b 6b 65 67 63 63 61 67 64 6c 64 67 69 69 6d 65 64 70 69 63 63 6d 67 6d 69 65 64 61 22 20 63 6f 68 6f 72 74 3d 22 31 3a 3a 22 20 63 6f 68 6f 72 74 6e 61 6d 65 3d 22 22 20 Data Ascii: 2c8<?xml version="1.0" encoding="UTF-8"?><gupdate xmlns="http://www.google.com/update2/response" protocol="2.0" server="prod"><daystart elapsed_days="6227" elapsed_seconds="9408"/><app appid="nmmhkkegccagdldgiimedpiccmgmieda" cohort="1::" cohortname=""
2024-01-19 10:36:48 UTC	198	IN	Data Raw: 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 68 61 73 68 5f 73 68 61 32 35 36 3d 22 38 31 65 33 61 34 64 34 33 61 37 33 36 39 39 65 31 62 37 37 38 31 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 70 72 6f 74 65 63 74 65 64 3d 22 30 22 20 73 69 7a 65 3d 22 32 34 38 35 33 31 22 20 73 74 61 74 75 73 3d 22 6f 6b 22 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 2e 30 2e 36 22 2f 3e 3c 2f 61 70 70 3e 3c 2f 67 75 70 64 61 74 65 3e 0d 0a Data Ascii: 3f56b8717175c536685c5450122b30789464ad82" hash_sha256="81e3a4d43a73699e1b7781723f56b8717175c536685c5450122b30789464ad82" protected="0" size="248531" status="ok" version="1.0.0.6"/></app></gupdate>
2024-01-19 10:36:48 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49706	173.194.202.84	443	6688	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-01-19 10:36:48 UTC	680	OUT	POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1 Host: accounts.google.com Connection: keep-alive Content-Length: 1 Origin: https://www.google.com Content-Type: application/x-www-form-urlencoded Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=511=Ef5vPFGw-MZYo5hwe-0ThAVslbxbmvdVZwcHnqVzWHAU14v53MN1VvwvQq8baYfg2-IAtqZBV5NOL5rvj2NWIqrz377UhLdHtOgE-tJaBlUBYJEhuGsQdqni3oTJg0brqv1djdiLJyvTSUhdK-c5JWadCSsULPLzhSx-F-6wOg4
2024-01-19 10:36:48 UTC	1	OUT	Data Raw: 20 Data Ascii:
2024-01-19 10:36:48 UTC	1627	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Access-Control-Allow-Origin: https://www.google.com Access-Control-Allow-Credentials: true X-Content-Type-Options: nosniff Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 19 Jan 2024 10:36:48 GMT Strict-Transport-Security: max-age=31536000; includeSubDomains Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factor=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: script-src 'report-sample' 'nonce-Vc4TPlpYLGlcsLIgZbf1HA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/IdentityListAccountsHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/IdentityListAccountsHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/IdentityListAccountsHttp/cspreport Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-01-19 10:36:48 UTC	23	IN	Data Raw: 31 31 0d 0a 5b 22 67 61 69 61 2e 6c 2e 61 2e 72 22 2c 5b 5d 5d 0d 0a Data Ascii: 11["gaia.l.a.r",[]]
2024-01-19 10:36:48 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49710	68.169.106.40	443	6688	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-01-19 10:36:50 UTC	886	OUT	GET /click.php?d=H4sIAAAAAAAAA01SyXKbQBD9FS4coXr24eilnINVkoNlTHRJDQPYKrOZxVJU_fEZkOSkmoKe183rRz8k46BBI5Mhw_dx7Aaf3fj0wV2HwyF8M_W.eQtMPlVjaNvawTrLIBMRCVgU6YBbwYMoM0Wgs4IUTFOpMu6zB2vqbp_77F6eJ_hUDvuxWCBf3SrNBKW.up_xdupt4fDSdNZc5siP4%20... HTTP/1.1 Host: s.pemsrv.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-01-19 10:36:50 UTC	354	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 19 Jan 2024 10:36:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Accept-CH: Sec-CH-UA,Sec-CH-UA-Full-Version-List,Sec-CH-UA-Mobile,Sec-CH-UA-Platform,Sec-CH-UA-Model,Sec-CH-UA-Mobile,Sec-CH-UA-Platform,Sec-CH-UA-Platform-Version X-Robots-Tag: noindex, follow
2024-01-19 10:36:50 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49709	68.169.106.40	443	6688	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-01-19 10:36:51 UTC	993	OUT	GET /favicon.ico HTTP/1.1 Host: s.pemsrv.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-mobile: ?0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-model: "" User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://s.pemsrv.com/click.php?d=H4sIAAAAAAAAA01SyXKbQBD9FS4coXr24eilnINVkoNlTHRJDQPYKrOZxVJU_fEZkOSkmoKe183rRz8k46BBI5Mhw_dx7Aaf3fj0wV2HwyF8M_W.eQtMPlVjaNvawTrLIBMRCVgU6YBbwYMoM0Wgs4IUTFOpMu6zB2vqbp_77F6eJ_hUDvuxWCBf3SrNBKW.up_xdupt4fDSdNZc5siP4%20... Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-01-19 10:36:51 UTC	294	IN	HTTP/1.1 204 No Content Server: nginx Date: Fri, 19 Jan 2024 10:36:51 GMT Connection: close Accept-CH: Sec-CH-UA,Sec-CH-UA-Full-Version-List,Sec-CH-UA-Mobile,Sec-CH-UA-Platform,Sec-CH-UA-Model,Sec-CH-UA-Mobile,Sec-CH-UA-Platform,Sec-CH-UA-Platform-Version X-Robots-Tag: noindex, follow

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49714	96.7.158.101	443

Timestamp	Bytes transferred	Direction	Data
2024-01-19 10:36:53 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-01-19 10:36:53 UTC	495	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (sac/250E) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-eus-z1 Cache-Control: public, max-age=174140 Date: Fri, 19 Jan 2024 10:36:53 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49715	96.7.158.101	443

Timestamp	Bytes transferred	Direction	Data
2024-01-19 10:36:53 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-01-19 10:36:54 UTC	535	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Tue, 16 May 2017 22:58:00 GMT ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json X-Azure-Ref: 0gZGqYgAAAAALDuImPJT0QKVHnlugaXU1UERYMzFFREdFMDIxMgBjZWZjMjU4My1hOWIyLTQ0YTctOTc1NS1iNzZkMTdlMDVmN2Y= Cache-Control: public, max-age=174199 Date: Fri, 19 Jan 2024 10:36:54 GMT Content-Length: 55 Connection: close X-CID: 2
2024-01-19 10:36:54 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port
6	192.168.2.5	49720	23.1.237.91	443

Timestamp	Bytes transferred	Direction	Data
2024-01-19 10:37:05 UTC	2148	OUT	POST /threshold/xls.aspx HTTP/1.1 Origin: https://www.bing.com Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init Accept: / Accept-Language: en-CH Content-type: text/xml X-Agent-DeviceId: 01000A410900D492 X-BM-CBT: 1696428841 X-BM-DateFormat: dd/MM/yyyy X-BM-DeviceDimensions: 784x984 X-BM-DeviceDimensionsLogical: 784x984 X-BM-DeviceScale: 100 X-BM-DTZ: 120 X-BM-Market: CH X-BM-Theme: 000000;0078d7 X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66E X-Device-ClientSession: DB0AFB19004F47BC80E5208C7478FF22 X-Device-isOptin: false X-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A} X-Device-OSSKU: 48 X-Device-Touch: false X-DeviceID: 01000A410900D492 X-MSEdge-ExternalExp: d-thshld39,d-thshld42,d-thshld77,d-thshld78,staticsh X-MSEdge-ExternalExpType: JointCoord X-PositionerType: Desktop X-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI X-Search-CortanaAvailableCapabilities: None X-Search-SafeSearch: Moderate X-Search-TimeZone: Bias=-60; DaylightBias=-60; TimeZoneKeyName=W. Europe Standard Time X-UserAgeClass: Unknown Accept-Encoding: gzip, deflate, br User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045 Host: www.bing.com Content-Length: 2483 Connection: Keep-Alive Cache-Control: no-cache Cookie: MUID=2F4E96DB8B7049E59AD4484C3C00F7CF; _SS=SID=1A6DEABB468B65843EB5F91B47916435&CPID=1705660592787&AC=1&CPH=d1a4eb75; _EDGE_S=SID=1A6DEABB468B65843EB5F91B47916435; SRCHUID=V=2&GUID=3D32B8AC657C4AD781A584E283227995&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20231004; SRCHHPGUSR=SRCHLANG=en&IPMH=986d886c&IPMID=1696428841029&HV=1696428756; CortanaAppUID=5A290E2CC4B523E2D8B5E2E3E4CB7CB7; MUIDB=2F4E96DB8B7049E59AD4484C3C00F7CF
2024-01-19 10:37:05 UTC	1	OUT	Data Raw: 3c Data Ascii: <
2024-01-19 10:37:05 UTC	2482	OUT	Data Raw: 43 6c 69 65 6e 74 49 6e 73 74 52 65 71 75 65 73 74 3e 3c 43 49 44 3e 33 36 34 34 46 44 37 34 44 46 31 36 36 31 38 46 30 38 46 37 45 43 30 33 44 45 35 35 36 30 30 31 3c 2f 43 49 44 3e 3c 45 76 65 6e 74 73 3e 3c 45 3e 3c 54 3e 45 76 65 6e 74 2e 43 6c 69 65 6e 74 49 6e 73 74 3c 2f 54 3e 3c 49 47 3e 37 35 32 32 38 31 35 36 37 30 33 41 34 30 44 35 42 39 37 45 35 41 36 38 33 36 46 32 41 31 43 45 3c 2f 49 47 3e 3c 44 3e 3c 21 5b 43 44 41 54 41 5b 7b 22 43 75 72 55 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 69 6e 67 2e 63 6f 6d 2f 41 53 2f 41 50 49 2f 57 69 6e 64 6f 77 73 43 6f 72 74 61 6e 61 50 61 6e 65 2f 56 32 2f 49 6e 69 74 22 2c 22 50 69 76 6f 74 22 3a 22 51 46 22 2c 22 54 22 3a 22 43 49 2e 42 6f 78 4d 6f 64 65 6c 22 2c 22 46 49 44 22 3a 22 43 49 Data Ascii: ClientInstRequest><CID>3644FD74DF16618F08F7EC03DE556001</CID><Events><E><T>Event.ClientInst</T><IG>75228156703A40D5B97E5A6836F2A1CE</IG><D><![CDATA[{"CurUrl":"https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init","Pivot":"QF","T":"CI.BoxModel","FID":"CI
2024-01-19 10:37:06 UTC	475	IN	HTTP/1.1 204 No Content Access-Control-Allow-Origin: * Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version X-MSEdge-Ref: Ref A: B7800A919BB64F46910AF16131DDB2D7 Ref B: PAOEDGE0516 Ref C: 2024-01-19T10:37:06Z Date: Fri, 19 Jan 2024 10:37:06 GMT Connection: close Alt-Svc: h3=":443"; ma=93600 X-CDN-TraceID: 0.57ed0117.1705660625.71c43f9

Statistics

CPU Usage

• chrome.exe
• chrome.exe
• chrome.exe

Click to jump to process

Memory Usage

• chrome.exe
• chrome.exe
• chrome.exe

Click to jump to process

Click to jump to process

Target ID:	0
Start time:	11:36:43
Start date:	19/01/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	11:36:45
Start date:	19/01/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 --field-trial-handle=2212,i,1756867541871884215,12052085162384340501,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	11:36:48
Start date:	19/01/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Google\Chrome\Application\chrome.exe" "https://s.pemsrv.com/click.php?d=H4sIAAAAAAAAA01SyXKbQBD9FS4coXr24eilnINVkoNlTHRJDQPYKrOZxVJU_fEZkOSkmoKe183rRz8k46BBI5Mhw_dx7Aaf3fj0wV2HwyF8M_W.eQtMPlVjaNvawTrLIBMRCVgU6YBbwYMoM0Wgs4IUTFOpMu6zB2vqbp_77F6eJ_hUDvuxWCBf3SrNBKW.up_xdupt4fDSdNZc5siP4%20...
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://s.pemsrv.com/click.php?d=H4sIAAAAAAAAA01SyXKbQBD9FS4coXr24eilnINVkoNlTHRJDQPYKrOZxVJU_fEZkOSkmoKe183rRz8k46BBI5Mhw_dx7Aaf3fj0wV2HwyF8M_W.eQtMPlVjaNvawTrLIBMRCVgU6YBbwYMoM0Wgs4IUTFOpMu6zB2vqbp_77F6eJ_hUDvuxWCBf3SrNBKW.up_xdupt4fDSdNZc5siP4 ...

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Boot Survival

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: chrome.exePID: 6504, Parent PID: 5408

General

File Activities

File Opened

File Created

File Deleted

File Moved

Other File Operations

Registry Activities

Key Deleted

Windows Analysis Report
https://s.pemsrv.com/click.php?d=H4sIAAAAAAAAA01SyXKbQBD9FS4coXr24eilnINVkoNlTHRJDQPYKrOZxVJU_fEZkOSkmoKe183rRz8k46BBI5Mhw_dx7Aaf3fj0wV2HwyF8M_W.eQtMPlVjaNvawTrLIBMRCVgU6YBbwYMoM0Wgs4IUTFOpMu6zB2vqbp_77F6eJ_hUDvuxWCBf3SrNBKW.up_xdupt4fDSdNZc5siP4 ...