Edit tour

Windows Analysis Report
https://veryfast.io/downloading.html

Overview

General Information

Sample URL:	https://veryfast.io/downloading.html
Analysis ID:	1386348
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Phishing site detected (based on shot match)

Creates files inside the system directory

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Usage Of Web Request Commands And Cmdlets

Stores files to the Windows start menu directory

Tries to load missing DLLs

Uses insecure TLS / SSL version for HTTPS connection

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

cmd.exe (PID: 6300 cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://veryfast.io/downloading.html" > cmdline.out 2>&1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wget.exe (PID: 4120 cmdline: wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://veryfast.io/downloading.html" MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)

chrome.exe (PID: 4204 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\Desktop\download\downloading.html MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7212 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 --field-trial-handle=1984,i,5909537731496355094,4881547611905691764,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Sigma Signatures

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://veryfast.io/downloading.html" > cmdline.out 2>&1, CommandLine: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://veryfast.io/downloading.html" > cmdline.out 2>&1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 5416, ProcessCommandLine: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://veryfast.io/downloading.html" > cmdline.out 2>&1, ProcessId: 6300, ProcessName: cmd.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Phishing

Phishing site detected (based on shot match)

Source: file:///C:/Users/user/Desktop/download/downloading.html

Matcher: Template: genphish matched

Source: file:///C:/Users/user/Desktop/download/downloading.html

HTTP Parser: No favicon

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49723 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 161.35.127.181:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.201.212.130:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.201.212.130:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.5:49726 version: TLS 1.2

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49723 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.201.212.130
Source: unknown	TCP traffic detected without corresponding DNS query: 23.201.212.130
Source: unknown	TCP traffic detected without corresponding DNS query: 23.201.212.130
Source: unknown	TCP traffic detected without corresponding DNS query: 23.201.212.130
Source: unknown	TCP traffic detected without corresponding DNS query: 23.201.212.130
Source: unknown	TCP traffic detected without corresponding DNS query: 23.201.212.130
Source: unknown	TCP traffic detected without corresponding DNS query: 23.201.212.130
Source: unknown	TCP traffic detected without corresponding DNS query: 23.201.212.130
Source: unknown	TCP traffic detected without corresponding DNS query: 23.201.212.130
Source: unknown	TCP traffic detected without corresponding DNS query: 23.201.212.130
Source: unknown	TCP traffic detected without corresponding DNS query: 23.201.212.130
Source: unknown	TCP traffic detected without corresponding DNS query: 23.201.212.130
Source: unknown	TCP traffic detected without corresponding DNS query: 23.201.212.130
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.201.212.130
Source: unknown	TCP traffic detected without corresponding DNS query: 23.201.212.130
Source: unknown	TCP traffic detected without corresponding DNS query: 23.201.212.130
Source: unknown	TCP traffic detected without corresponding DNS query: 23.201.212.130
Source: unknown	TCP traffic detected without corresponding DNS query: 23.201.212.130
Source: unknown	TCP traffic detected without corresponding DNS query: 23.201.212.130
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26

Source: global traffic	HTTP traffic detected: GET /downloading.html HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like GeckoAccept: /Accept-Encoding: identityHost: veryfast.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=117.0.5938.132&lang=en-US&acceptformat=crx3,puff&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26brand%3DONGR%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmiedaX-Goog-Update-Updater: chromecrx-117.0.5938.132Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=WrNFT62LC5wGObZ&MD=9EXu2Hn+ HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=WrNFT62LC5wGObZ&MD=9EXu2Hn+ HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /tools/pso/ping?as=chrome&brand=ONGR&pid=&hl=en&events=C1I,C2I,C7I,C1S,C7S&rep=2&rlz=C1:,C2:,C7:&id=00000000000000000000000000000000000000009100CBCA17 HTTP/1.1Host: clients1.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br

Source: unknown

DNS traffic detected: queries for: veryfast.io

Source: unknown

HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=511=Ef5vPFGw-MZYo5hwe-0ThAVslbxbmvdVZwcHnqVzWHAU14v53MN1VvwvQq8baYfg2-IAtqZBV5NOL5rvj2NWIqrz377UhLdHtOgE-tJaBlUBYJEhuGsQdqni3oTJg0brqv1djdiLJyvTSUhdK-c5JWadCSsULPLzhSx-F-6wOg4

Source: wget.exe, 00000002.00000003.2047427088.0000000000AB6000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.2047427088.0000000000ABE000.00000004.00000020.00020000.00000000.sdmp, downloading.html.2.dr	String found in binary or memory: http://stackoverflow.com/questions/17907445/how-to-detect-ie11
Source: wget.exe, 00000002.00000003.2047427088.0000000000AC6000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.2047427088.0000000000AB6000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.2047427088.0000000000ABE000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000002.2048248068.0000000000AC6000.00000004.00000020.00020000.00000000.sdmp, downloading.html.2.dr	String found in binary or memory: https://embed.tawk.to/5912bdc164f23d19a89b17a5/default
Source: wget.exe, 00000002.00000003.2047427088.0000000000AB6000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.2047427088.0000000000ABE000.00000004.00000020.00020000.00000000.sdmp, downloading.html.2.dr	String found in binary or memory: https://fonts.googleapis.com/css?family=Open
Source: chromecache_63.6.dr	String found in binary or memory: https://fonts.gstatic.com/s/opensans/v40/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4gaVI
Source: chromecache_63.6.dr	String found in binary or memory: https://fonts.gstatic.com/s/opensans/v40/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4iaVI
Source: chromecache_63.6.dr	String found in binary or memory: https://fonts.gstatic.com/s/opensans/v40/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4jaVI
Source: chromecache_63.6.dr	String found in binary or memory: https://fonts.gstatic.com/s/opensans/v40/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4kaVI
Source: chromecache_63.6.dr	String found in binary or memory: https://fonts.gstatic.com/s/opensans/v40/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4saVI
Source: chromecache_63.6.dr	String found in binary or memory: https://fonts.gstatic.com/s/opensans/v40/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4taVI
Source: chromecache_63.6.dr	String found in binary or memory: https://fonts.gstatic.com/s/opensans/v40/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4uaVI
Source: chromecache_63.6.dr	String found in binary or memory: https://fonts.gstatic.com/s/opensans/v40/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4vaVI
Source: chromecache_63.6.dr	String found in binary or memory: https://fonts.gstatic.com/s/opensans/v40/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B5OaVI
Source: chromecache_63.6.dr	String found in binary or memory: https://fonts.gstatic.com/s/opensans/v40/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B5caVI
Source: wget.exe, 00000002.00000003.2047427088.0000000000AC6000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.2047427088.0000000000AB6000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.2047427088.0000000000ABE000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000002.2048248068.0000000000AC6000.00000004.00000020.00020000.00000000.sdmp, downloading.html.2.dr	String found in binary or memory: https://s3.amazonaws.com/veryfast/download/nouac/Fast
Source: wget.exe, 00000002.00000003.2047427088.0000000000AC6000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.2047427088.0000000000AB6000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.2047427088.0000000000ABE000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000002.2048248068.0000000000AC6000.00000004.00000020.00020000.00000000.sdmp, downloading.html.2.dr	String found in binary or memory: https://veryfast.io/download.php
Source: wget.exe, 00000002.00000002.2048283508.0000000000B90000.00000004.00000020.00020000.00000000.sdmp, cmdline.out.0.dr	String found in binary or memory: https://veryfast.io/downloading.html
Source: wget.exe, 00000002.00000003.2047545729.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000002.2048202012.0000000000A8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://veryfast.io/downloading.html.
Source: wget.exe, 00000002.00000002.2048440423.0000000001320000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://veryfast.io/downloading.htmll
Source: wget.exe, 00000002.00000002.2048440423.0000000001320000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://veryfast.io/downloading.htmlp
Source: wget.exe, 00000002.00000003.2047427088.0000000000AC6000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.2047427088.0000000000AB6000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.2047427088.0000000000ABE000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000002.2048248068.0000000000AC6000.00000004.00000020.00020000.00000000.sdmp, downloading.html.2.dr	String found in binary or memory: https://veryfast.io/installer/Fast
Source: wget.exe, 00000002.00000003.2047427088.0000000000AC6000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.2047427088.0000000000AB6000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.2047427088.0000000000ABE000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000002.2048248068.0000000000AC6000.00000004.00000020.00020000.00000000.sdmp, downloading.html.2.dr	String found in binary or memory: https://veryfast.s3.amazonaws.com/download/2.172tu/SetupEngine.exe

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown	HTTPS traffic detected: 161.35.127.181:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.201.212.130:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.201.212.130:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.5:49726 version: TLS 1.2

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Windows\SystemTemp\chrome_BITS_4204_1297541994

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: explorerframe.dll	Jump to behavior

Source: classification engine

Classification label: mal48.phis.win@18/12@9/8

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\Desktop\cmdline.out

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2360:120:WilError_03

Source: C:\Windows\SysWOW64\wget.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://veryfast.io/downloading.html" > cmdline.out 2>&1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://veryfast.io/downloading.html"
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\Desktop\download\downloading.html
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 --field-trial-handle=1984,i,5909537731496355094,4881547611905691764,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://veryfast.io/downloading.html"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 --field-trial-handle=1984,i,5909537731496355094,4881547611905691764,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Windows\SysWOW64\wget.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32

Jump to behavior

Source: Google Drive.lnk.4.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.4.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.4.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.4.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.4.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.4.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: wget.exe, 00000002.00000002.2048352517.0000000000CE8000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: unknown

Process created: C:\Windows\SysWOW64\cmd.exe c:\windows\system32\cmd.exe /c wget -t 2 -v -t 60 -p "c:\users\user\desktop\download" --no-check-certificate --content-disposition --user-agent="mozilla/5.0 (windows nt 6.1; wow64; trident/7.0; as; rv:11.0) like gecko" "https://veryfast.io/downloading.html" > cmdline.out 2>&1

Source: C:\Windows\SysWOW64\wget.exe

Queries volume information: C:\Users\user\Desktop\download VolumeInformation

Jump to behavior

Source: C:\Windows\SysWOW64\wget.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	11 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	1 Process Injection	LSASS Memory	12 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	3 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
https://veryfast.io/downloading.html	0%	Avira URL Cloud	safe
https://veryfast.io/downloading.html	0%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
file:///C:/Users/user/Desktop/download/downloading.html	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
accounts.google.com	172.217.215.84	true	false	high
veryfast.io	161.35.127.181	true	false	high
www.google.com	108.177.122.99	true	false	high
clients.l.google.com	142.250.105.101	true	false	high
clients1.google.com	unknown	unknown	false	high
clients2.google.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://clients1.google.com/tools/pso/ping?as=chrome&brand=ONGR&pid=&hl=en&events=C1I,C2I,C7I,C1S,C7S&rep=2&rlz=C1:,C2:,C7:&id=00000000000000000000000000000000000000009100CBCA17	false		high
file:///C:/Users/user/Desktop/download/downloading.html	true	Avira URL Cloud: safe	low
https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard	false		high
https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=117.0.5938.132&lang=en-US&acceptformat=crx3,puff&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26brand%3DONGR%26ping%3Dr%253D-1%2526e%253D1	false		high
https://veryfast.io/downloading.html	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://s3.amazonaws.com/veryfast/download/nouac/Fast	wget.exe, 00000002.00000003.2047427088.0000000000AC6000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.2047427088.0000000000AB6000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.2047427088.0000000000ABE000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000002.2048248068.0000000000AC6000.00000004.00000020.00020000.00000000.sdmp, downloading.html.2.dr	false	high
https://veryfast.s3.amazonaws.com/download/2.172tu/SetupEngine.exe	wget.exe, 00000002.00000003.2047427088.0000000000AC6000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.2047427088.0000000000AB6000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.2047427088.0000000000ABE000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000002.2048248068.0000000000AC6000.00000004.00000020.00020000.00000000.sdmp, downloading.html.2.dr	false	high
https://veryfast.io/downloading.htmlp	wget.exe, 00000002.00000002.2048440423.0000000001320000.00000004.00000020.00020000.00000000.sdmp	false	high
https://veryfast.io/downloading.html.	wget.exe, 00000002.00000003.2047545729.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000002.2048202012.0000000000A8D000.00000004.00000020.00020000.00000000.sdmp	false	high
https://embed.tawk.to/5912bdc164f23d19a89b17a5/default	wget.exe, 00000002.00000003.2047427088.0000000000AC6000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.2047427088.0000000000AB6000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.2047427088.0000000000ABE000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000002.2048248068.0000000000AC6000.00000004.00000020.00020000.00000000.sdmp, downloading.html.2.dr	false	high
https://veryfast.io/downloading.htmll	wget.exe, 00000002.00000002.2048440423.0000000001320000.00000004.00000020.00020000.00000000.sdmp	false	high
https://veryfast.io/installer/Fast	wget.exe, 00000002.00000003.2047427088.0000000000AC6000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.2047427088.0000000000AB6000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.2047427088.0000000000ABE000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000002.2048248068.0000000000AC6000.00000004.00000020.00020000.00000000.sdmp, downloading.html.2.dr	false	high
http://stackoverflow.com/questions/17907445/how-to-detect-ie11	wget.exe, 00000002.00000003.2047427088.0000000000AB6000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.2047427088.0000000000ABE000.00000004.00000020.00020000.00000000.sdmp, downloading.html.2.dr	false	high
https://veryfast.io/download.php	wget.exe, 00000002.00000003.2047427088.0000000000AC6000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.2047427088.0000000000AB6000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.2047427088.0000000000ABE000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000002.2048248068.0000000000AC6000.00000004.00000020.00020000.00000000.sdmp, downloading.html.2.dr	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.105.102	unknown	United States	15169	GOOGLEUS	false
142.250.105.101	clients.l.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
161.35.127.181	veryfast.io	United States	14061	DIGITALOCEAN-ASNUS	false
172.217.215.84	accounts.google.com	United States	15169	GOOGLEUS	false
108.177.122.99	www.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.6
192.168.2.5

General Information

Joe Sandbox version:	39.0.0 Ruby
Analysis ID:	1386348
Start date and time:	2024-02-04 15:31:38 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	urldownload.jbs
Sample URL:	https://veryfast.io/downloading.html
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal48.phis.win@18/12@9/8
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 172.217.215.94, 64.233.177.95, 108.177.122.94, 34.104.35.123, 23.47.204.76, 192.229.211.108, 74.125.138.94, 69.164.42.0
Excluded domains from analysis (whitelisted): fonts.googleapis.com, fs.microsoft.com, ocsp.digicert.com, edgedl.me.gvt1.com, slscr.update.microsoft.com, fonts.gstatic.com, update.googleapis.com, ctldl.windowsupdate.com, clientservices.googleapis.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenFile calls found.

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Sun Feb 4 13:32:35 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.9676729737137806
Encrypted:	false
SSDEEP:	48:8CdfTXX/HfidAKZdA19ehwiZUklqehny+3:8GDZUy
MD5:	DFEA7E158C7DC20A8AB00F5C123596DE
SHA1:	949CD489D1EB55B9C80D61F9EA604B611D3AA44F
SHA-256:	4D88B55D009D9233E3BA8E489C4AF04A5F4D972D2C7B5102AF5EA4534C738787
SHA-512:	468B0D967936401D1AB921C152C13AB701FE55CCE6E5A9C128E7E0733DE1394A664480604AEC4BF912B79B6F7034C7E4C8920A951424ECAD24749C56B0FC1AD0
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....s...vW..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IDX.t....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VDX.t....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VDX.t....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VDX.t..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VDX.t...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i....................C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Sun Feb 4 13:32:35 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	3.985366881457835
Encrypted:	false
SSDEEP:	48:80dfTXX/HfidAKZdA1weh/iZUkAQkqehEy+2:84DL9QZy
MD5:	3361A36B1D7351D59DC27DC076576A27
SHA1:	004B9CE6FDD4E7BD04BE1951C24A90B4FE8D95D6
SHA-256:	8B8B2529FF19ABBC374666A4BFFFC739D445BA0F0E4D28AE2B77F082068B1BCA
SHA-512:	8D73583CDE22B95B737ED018F0663FF1E054A110566683923DFCF90B0C1E17A00E2C998FC9E6027F8A52F215915361C12828998B97A31C807F085F47DC673558
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.......vW..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IDX.t....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VDX.t....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VDX.t....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VDX.t..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VDX.t...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i....................C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 4 12:54:07 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2693
Entropy (8bit):	3.9950087209222973
Encrypted:	false
SSDEEP:	48:8xodfTXXsHfidAKZdA14tseh7sFiZUkmgqeh7smy+BX:8xsDun4y
MD5:	AD6D1FE060DF55C7398047FC15DF8086
SHA1:	A63A0D307F6155F4B80FCF131505640761158132
SHA-256:	0AF799372E8352A320F4D165772DDF171A8220D369E749D9705FFDCC3B57D36B
SHA-512:	8E508B16AC83304FB778BBB7C9BAE513FC7168DFB57275E910973A98E09944F87251419935F3AF80F6127B6860D0361668FCA8A5C83CFA7721C5922BDD4E68E6
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......e>....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IDX.t....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VDX.t....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VDX.t....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VDX.t..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VDW.n...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i....................C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Sun Feb 4 13:32:34 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.9823906785621044
Encrypted:	false
SSDEEP:	48:8rdfTXX/HfidAKZdA1vehDiZUkwqehgy+R:8tDIuy
MD5:	D1D556490CD7989F62D0029A3C3F59C0
SHA1:	19F5ABE93440E48189F93F892ADB51027269178B
SHA-256:	A5EEE387577EC495DD13F2801A0B19E5EF73EFB0997531B5535C6FEA0A9B56AD
SHA-512:	5FDD0E873FF030C6B0769B62D58B0B3DB6E60816445056483337CA6FC43BF2E0BACDA15525235A9F24F50200E47A84ADFFD0C7F38C9EA00CA5F4E63451761BEC
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.....r..vW..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IDX.t....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VDX.t....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VDX.t....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VDX.t..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VDX.t...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i....................C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Sun Feb 4 13:32:35 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.971245081495478
Encrypted:	false
SSDEEP:	48:8fdfTXX/HfidAKZdA1hehBiZUk1W1qeh6y+C:8xDY9ay
MD5:	E0541ED0D66AB8A7C327B89AB5DE00EB
SHA1:	2C7C8963A51F4AEC9A8364DD51EF506927BE6B1F
SHA-256:	B9FC6AA9F43B213ED3924E22EF3093E81ADAD2E26C428504B324F3123317B65E
SHA-512:	4C81BB92588387A6323EC1B88FEE289137702162900CEF538FFF108CB80A98D318EE00D781DBA8458391EB85055BA0D7AB775FA7AC90B2A95E8210C140B6DE85
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,........vW..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IDX.t....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VDX.t....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VDX.t....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VDX.t..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VDX.t...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i....................C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Sun Feb 4 13:32:34 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2683
Entropy (8bit):	3.9835556243029027
Encrypted:	false
SSDEEP:	48:8fdfTXX/HfidAKZdA1duT+ehOuTbbiZUk5OjqehOuTb4y+yT+:8xD2T/TbxWOvTb4y7T
MD5:	DFCC0344CE9DAC7E357665CE46624AF9
SHA1:	A355D390463D39B315E3B3D30B1C433BD2745D3F
SHA-256:	9942A78980D4639258DAB4A89DA804E3F894CF71BEC2AC88F3BDA7FBEDC111EB
SHA-512:	9ADD294FCCEB763E50FB7DAC0DED67095979AB9C997320F9708875601447D4BD0BC1BC5860530F1743F6A05F7430B24CCD983969A68A6330E9ABDAD68F48D0C8
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....._..vW..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IDX.t....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VDX.t....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VDX.t....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VDX.t..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VDX.t...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i....................C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\Desktop\cmdline.out

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	530
Entropy (8bit):	5.093382003360623
Encrypted:	false
SSDEEP:	12:HRdqJmOs+9BqT1De5RhKLM1DbV3JRbK7KpvXY1kDAiV3JRbK7Kir:xdma+9B4xePgQ1NPb8K+1kEQPb8Ku
MD5:	62329F0129488C75B316522C84331E2E
SHA1:	374E6560179A4B9C45AB9A92AC03E7C7C278F9CC
SHA-256:	D90B1979130046F3742452E292F63D2C0AEFB849E2F17DC0A5CD703C6E01F39B
SHA-512:	22DABA9CB8E78B558DDD27F5DACCF4A43C2D70856080F80861426145C00646EDC864D4844D0F63B9AFE5A1428CDEA6FEB29B33BD05B7F55DDE1AB5EA1D2005F5
Malicious:	false
Reputation:	low
Preview:	--2024-02-04 15:32:29-- https://veryfast.io/downloading.html..Resolving veryfast.io (veryfast.io)... 161.35.127.181..Connecting to veryfast.io (veryfast.io)\|161.35.127.181\|:443... connected...HTTP request sent, awaiting response... 200 OK..Length: 5845 (5.7K) [text/html]..Saving to: 'C:/Users/user/Desktop/download/downloading.html'.... 0K ..... 100% 1.60M=0.003s....2024-02-04 15:32:30 (1.60 MB/s) - 'C:/Users/user/Desktop/download/downloading.html' saved [5845/5845]....

C:\Users\user\Desktop\download\downloading.html

Download File

Process:	C:\Windows\SysWOW64\wget.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	5845
Entropy (8bit):	5.054287541795815
Encrypted:	false
SSDEEP:	96:yx5R/VMa3Uudtfth/CRIvydYkRkyocG8YLwQANhnHw7AdqHEXaMJZs6vdM:UVMaPvFTydYkRkyocG80wQAjnQ7AAHEW
MD5:	F9DFDDF47641AF5E4B731C5038DC3BDC
SHA1:	D887001E4CD4B66C1BEBC709A4C17B7A482C3679
SHA-256:	05D9B4BA9609E726635694716C196B79288F1C2A083D35698D57CA6081340AB5
SHA-512:	A5454718AEB0FEAF7C07272C620BB481AF65D0AC78759A082D5B65E515635DC8A5D703C84C37B6DED97A28CF29F31750622FBDE1AE06EA13E4D801FD2D542F22
Malicious:	false
Reputation:	low
Preview:	<html>.<head>. <title>Downloading Fast!</title>. <link href='https://fonts.googleapis.com/css?family=Open Sans' rel='stylesheet'>..<style>...body {....font-family: 'Open Sans';....font-size: 12px;....color: #333;....background:white;....margin: 0;....}...</style>..</head>.<body onload="">. <script src="src/main_code.js"></script>..<div id=header style="position:absolute; width:100%; top:10%;text-align:center">....<br>..<span style='font-size:30px'><b>Complete the installation by running `Fast! Installer.exe`</b></span>.....<br>......<br><br><br>..<div id=inst_ie style='display:none'>...<img src='images/inst_ie.png'><br>...Click on RUN, it's at the bottom of the window..</div>....<div id=inst_ff style='display:none'>...<img src='images/inst_ff.png'><br>.....Click on "Fast! Installer", it's from the toolbar..</div>....<div id=inst_ch style='display:none'>...<img src='images/inst_ch.png'><br>...Click on "Fast! Installer", it's at the bottom of the window..</div>....<br><br><br><b

Chrome Cache Entry: 62

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Web Open Font Format (Version 2), TrueType, length 18668, version 1.0
Category:	downloaded
Size (bytes):	18668
Entropy (8bit):	7.988119248989337
Encrypted:	false
SSDEEP:	384:1stcBfAVaR8i6XzMsb4fcjakBudFyBqrgeU0hipgwfqj09nOt/a:1k0F6Xz1bFjaPbyBqr9hIgkM3Fa
MD5:	8655D20BBCC8CDBFAB17B6BE6CF55DF3
SHA1:	90EDBFA9A7DABB185487B4774076F82EB6412270
SHA-256:	E7AF9D60D875EB1C1B1037BBBFDEC41FCB096D0EBCF98A48717AD8B07906CED6
SHA-512:	47308DE25BD7E4CA27F59A2AE681BA64393FE4070E730C1F00C4053BAC956A9B4F7C0763C04145BC50A5F91C12A0BF80BDD4B03EECC2036CD56B2DB31494CBAF
Malicious:	false
Reputation:	low
URL:	https://fonts.gstatic.com/s/opensans/v40/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4gaVI.woff2
Preview:	wOF2......H...........H..........................\|.....h.`?STAT^..0..\|...........+..2..6.$..`. ..x........z'o..w;....6.E....6....E...'$H.#.....n1X..JU/.d.O..JC.'J".v.v.l.h.....u.S...SY.....B.hz.o.}......W......%m6...A..=....\..m. .]..~.[..........]...I..h.=.....6.xt..F....Lt...Qs-.7..{...~BI.".F.Q......F...P..dMw..#I2........Rq.Q&.0@.;..;...3VG..:c.nki..-Q..2##e.u...8n....\?....T..b....^..#...../.J\|OM..St....e.S.}!.....>..i.T/a.ES%.W.P3..`..a.R.A.....!~g..74.np8o.....d[6?.P.4)P.....AG.3.......;#0.y....M..O/2.@.4..N.vA$.:M&H,.AT".........@..a.~..L->...0@h...~.._..N"......t......C./g7..............2E.N.J...TW.F..."A.B...n.......i.?.{\.L.!.B..x...S..!........?.\,... .@.....y"xw.A8.w..!E..-^P O..+.T.r.R.zz..K..].E.....Ri.)g.P...j..w..c.M.F.v../........Q....'...(....X..;.K.!BZ3.........f.....N.A(....cA`.b'...`.~sa^.....?..../.L.S......t..`@h..C.....>N.W...;>..._h.+~=\|......uOGA{.7.....h....q.d.4$.x<.....^0\|...@....@Q[RC.0....b....'...RID

Chrome Cache Entry: 63

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (1632)
Category:	downloaded
Size (bytes):	5776
Entropy (8bit):	5.406231475448828
Encrypted:	false
SSDEEP:	96:ZOEMIJOEMiDFZ8OEMXkOEMlOEMvOEMkyhZcyJzV+zmnWOEMfuejqGIFuageUOEM9:wIAiXBsSkuy22eqGIwaXR3XQO
MD5:	EED76F35E91F6AA4CC81975B39DBE5F8
SHA1:	F3621A40F3CA29EC20751427841051450494B2DD
SHA-256:	C3C96CCEAFDE14A4669C2114EE0D10BCE6EC0163064151A98824A2575D97EAF7
SHA-512:	3B67D03351DA819A09C0AB16C549ABA5BF33897C7E50DC96B8436BCD97DF3421D82FF0F758FC276AB25A7569468450994F83A947306AB363821D27AD7B615C69
Malicious:	false
Reputation:	low
URL:	https://fonts.googleapis.com/css?family=Open%20Sans
Preview:	/* cyrillic-ext /.@font-face {. font-family: 'Open Sans';. font-style: normal;. font-weight: 400;. font-stretch: 100%;. src: url(https://fonts.gstatic.com/s/opensans/v40/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4taVIGxA.woff2) format('woff2');. unicode-range: U+0460-052F, U+1C80-1C88, U+20B4, U+2DE0-2DFF, U+A640-A69F, U+FE2E-FE2F;.}./ cyrillic /.@font-face {. font-family: 'Open Sans';. font-style: normal;. font-weight: 400;. font-stretch: 100%;. src: url(https://fonts.gstatic.com/s/opensans/v40/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4kaVIGxA.woff2) format('woff2');. unicode-range: U+0301, U+0400-045F, U+0490-0491, U+04B0-04B1, U+2116;.}./ greek-ext /.@font-face {. font-family: 'Open Sans';. font-style: normal;. font-weight: 400;. font-stretch: 100%;. src: url(https://fonts.gstatic.com/s/opensans/v40/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4saVIGxA.woff2) format('woff2');. unicode-range: U+1F00-1FFF;.}./ greek */.@font-fa

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 4, 2024 15:32:28.758874893 CET	49675	443	192.168.2.5	23.1.237.91
Feb 4, 2024 15:32:28.758877993 CET	49674	443	192.168.2.5	23.1.237.91
Feb 4, 2024 15:32:28.899482965 CET	49673	443	192.168.2.5	23.1.237.91
Feb 4, 2024 15:32:29.886123896 CET	49705	443	192.168.2.5	161.35.127.181
Feb 4, 2024 15:32:29.886174917 CET	443	49705	161.35.127.181	192.168.2.5
Feb 4, 2024 15:32:29.886274099 CET	49705	443	192.168.2.5	161.35.127.181
Feb 4, 2024 15:32:29.888652086 CET	49705	443	192.168.2.5	161.35.127.181
Feb 4, 2024 15:32:29.888672113 CET	443	49705	161.35.127.181	192.168.2.5
Feb 4, 2024 15:32:30.150445938 CET	443	49705	161.35.127.181	192.168.2.5
Feb 4, 2024 15:32:30.150527000 CET	49705	443	192.168.2.5	161.35.127.181
Feb 4, 2024 15:32:30.152648926 CET	49705	443	192.168.2.5	161.35.127.181
Feb 4, 2024 15:32:30.152662039 CET	443	49705	161.35.127.181	192.168.2.5
Feb 4, 2024 15:32:30.152976990 CET	443	49705	161.35.127.181	192.168.2.5
Feb 4, 2024 15:32:30.154540062 CET	49705	443	192.168.2.5	161.35.127.181
Feb 4, 2024 15:32:30.197904110 CET	443	49705	161.35.127.181	192.168.2.5
Feb 4, 2024 15:32:30.408302069 CET	443	49705	161.35.127.181	192.168.2.5
Feb 4, 2024 15:32:30.408335924 CET	443	49705	161.35.127.181	192.168.2.5
Feb 4, 2024 15:32:30.408396959 CET	49705	443	192.168.2.5	161.35.127.181
Feb 4, 2024 15:32:30.408407927 CET	443	49705	161.35.127.181	192.168.2.5
Feb 4, 2024 15:32:30.408454895 CET	49705	443	192.168.2.5	161.35.127.181
Feb 4, 2024 15:32:30.501408100 CET	49705	443	192.168.2.5	161.35.127.181
Feb 4, 2024 15:32:30.501454115 CET	443	49705	161.35.127.181	192.168.2.5
Feb 4, 2024 15:32:33.357203960 CET	49707	443	192.168.2.5	142.250.105.101
Feb 4, 2024 15:32:33.357234001 CET	443	49707	142.250.105.101	192.168.2.5
Feb 4, 2024 15:32:33.357295990 CET	49707	443	192.168.2.5	142.250.105.101
Feb 4, 2024 15:32:33.359477997 CET	49707	443	192.168.2.5	142.250.105.101
Feb 4, 2024 15:32:33.359493971 CET	443	49707	142.250.105.101	192.168.2.5
Feb 4, 2024 15:32:33.360968113 CET	49709	443	192.168.2.5	172.217.215.84
Feb 4, 2024 15:32:33.360976934 CET	443	49709	172.217.215.84	192.168.2.5
Feb 4, 2024 15:32:33.361027956 CET	49709	443	192.168.2.5	172.217.215.84
Feb 4, 2024 15:32:33.361550093 CET	49709	443	192.168.2.5	172.217.215.84
Feb 4, 2024 15:32:33.361560106 CET	443	49709	172.217.215.84	192.168.2.5
Feb 4, 2024 15:32:33.594511986 CET	443	49707	142.250.105.101	192.168.2.5
Feb 4, 2024 15:32:33.594746113 CET	49707	443	192.168.2.5	142.250.105.101
Feb 4, 2024 15:32:33.594774008 CET	443	49707	142.250.105.101	192.168.2.5
Feb 4, 2024 15:32:33.595587969 CET	443	49707	142.250.105.101	192.168.2.5
Feb 4, 2024 15:32:33.595655918 CET	49707	443	192.168.2.5	142.250.105.101
Feb 4, 2024 15:32:33.597239017 CET	443	49707	142.250.105.101	192.168.2.5
Feb 4, 2024 15:32:33.597299099 CET	49707	443	192.168.2.5	142.250.105.101
Feb 4, 2024 15:32:33.598339081 CET	49707	443	192.168.2.5	142.250.105.101
Feb 4, 2024 15:32:33.598462105 CET	443	49707	142.250.105.101	192.168.2.5
Feb 4, 2024 15:32:33.598572969 CET	49707	443	192.168.2.5	142.250.105.101
Feb 4, 2024 15:32:33.598582029 CET	443	49707	142.250.105.101	192.168.2.5
Feb 4, 2024 15:32:33.607764006 CET	443	49709	172.217.215.84	192.168.2.5
Feb 4, 2024 15:32:33.608042955 CET	49709	443	192.168.2.5	172.217.215.84
Feb 4, 2024 15:32:33.608055115 CET	443	49709	172.217.215.84	192.168.2.5
Feb 4, 2024 15:32:33.609496117 CET	443	49709	172.217.215.84	192.168.2.5
Feb 4, 2024 15:32:33.609555006 CET	49709	443	192.168.2.5	172.217.215.84
Feb 4, 2024 15:32:33.610548019 CET	49709	443	192.168.2.5	172.217.215.84
Feb 4, 2024 15:32:33.610635996 CET	443	49709	172.217.215.84	192.168.2.5
Feb 4, 2024 15:32:33.610740900 CET	49709	443	192.168.2.5	172.217.215.84
Feb 4, 2024 15:32:33.610750914 CET	443	49709	172.217.215.84	192.168.2.5
Feb 4, 2024 15:32:33.653204918 CET	49707	443	192.168.2.5	142.250.105.101
Feb 4, 2024 15:32:33.653233051 CET	49709	443	192.168.2.5	172.217.215.84
Feb 4, 2024 15:32:33.800626040 CET	443	49707	142.250.105.101	192.168.2.5
Feb 4, 2024 15:32:33.801074982 CET	443	49707	142.250.105.101	192.168.2.5
Feb 4, 2024 15:32:33.801142931 CET	49707	443	192.168.2.5	142.250.105.101
Feb 4, 2024 15:32:33.802011013 CET	49707	443	192.168.2.5	142.250.105.101
Feb 4, 2024 15:32:33.802031994 CET	443	49707	142.250.105.101	192.168.2.5
Feb 4, 2024 15:32:33.831878901 CET	443	49709	172.217.215.84	192.168.2.5
Feb 4, 2024 15:32:33.832068920 CET	443	49709	172.217.215.84	192.168.2.5
Feb 4, 2024 15:32:33.832127094 CET	49709	443	192.168.2.5	172.217.215.84
Feb 4, 2024 15:32:33.893162966 CET	49709	443	192.168.2.5	172.217.215.84
Feb 4, 2024 15:32:33.893215895 CET	443	49709	172.217.215.84	192.168.2.5
Feb 4, 2024 15:32:37.568902969 CET	49716	443	192.168.2.5	108.177.122.99
Feb 4, 2024 15:32:37.568965912 CET	443	49716	108.177.122.99	192.168.2.5
Feb 4, 2024 15:32:37.569045067 CET	49716	443	192.168.2.5	108.177.122.99
Feb 4, 2024 15:32:37.569360018 CET	49716	443	192.168.2.5	108.177.122.99
Feb 4, 2024 15:32:37.569390059 CET	443	49716	108.177.122.99	192.168.2.5
Feb 4, 2024 15:32:37.793665886 CET	443	49716	108.177.122.99	192.168.2.5
Feb 4, 2024 15:32:37.794290066 CET	49716	443	192.168.2.5	108.177.122.99
Feb 4, 2024 15:32:37.794358015 CET	443	49716	108.177.122.99	192.168.2.5
Feb 4, 2024 15:32:37.796147108 CET	443	49716	108.177.122.99	192.168.2.5
Feb 4, 2024 15:32:37.796220064 CET	49716	443	192.168.2.5	108.177.122.99
Feb 4, 2024 15:32:37.797270060 CET	49716	443	192.168.2.5	108.177.122.99
Feb 4, 2024 15:32:37.797358990 CET	443	49716	108.177.122.99	192.168.2.5
Feb 4, 2024 15:32:37.839510918 CET	49716	443	192.168.2.5	108.177.122.99
Feb 4, 2024 15:32:37.839572906 CET	443	49716	108.177.122.99	192.168.2.5
Feb 4, 2024 15:32:37.885790110 CET	49717	443	192.168.2.5	23.201.212.130
Feb 4, 2024 15:32:37.885842085 CET	443	49717	23.201.212.130	192.168.2.5
Feb 4, 2024 15:32:37.885927916 CET	49717	443	192.168.2.5	23.201.212.130
Feb 4, 2024 15:32:37.886316061 CET	49716	443	192.168.2.5	108.177.122.99
Feb 4, 2024 15:32:37.888391972 CET	49717	443	192.168.2.5	23.201.212.130
Feb 4, 2024 15:32:37.888411045 CET	443	49717	23.201.212.130	192.168.2.5
Feb 4, 2024 15:32:38.113775969 CET	443	49717	23.201.212.130	192.168.2.5
Feb 4, 2024 15:32:38.113957882 CET	49717	443	192.168.2.5	23.201.212.130
Feb 4, 2024 15:32:38.116287947 CET	49717	443	192.168.2.5	23.201.212.130
Feb 4, 2024 15:32:38.116313934 CET	443	49717	23.201.212.130	192.168.2.5
Feb 4, 2024 15:32:38.116869926 CET	443	49717	23.201.212.130	192.168.2.5
Feb 4, 2024 15:32:38.167519093 CET	49717	443	192.168.2.5	23.201.212.130
Feb 4, 2024 15:32:38.174747944 CET	49717	443	192.168.2.5	23.201.212.130
Feb 4, 2024 15:32:38.221910000 CET	443	49717	23.201.212.130	192.168.2.5
Feb 4, 2024 15:32:38.302912951 CET	443	49717	23.201.212.130	192.168.2.5
Feb 4, 2024 15:32:38.303061962 CET	443	49717	23.201.212.130	192.168.2.5
Feb 4, 2024 15:32:38.303162098 CET	49717	443	192.168.2.5	23.201.212.130
Feb 4, 2024 15:32:38.303428888 CET	49717	443	192.168.2.5	23.201.212.130
Feb 4, 2024 15:32:38.303451061 CET	443	49717	23.201.212.130	192.168.2.5
Feb 4, 2024 15:32:38.303489923 CET	49717	443	192.168.2.5	23.201.212.130
Feb 4, 2024 15:32:38.303498030 CET	443	49717	23.201.212.130	192.168.2.5
Feb 4, 2024 15:32:38.354882002 CET	49718	443	192.168.2.5	23.201.212.130
Feb 4, 2024 15:32:38.354991913 CET	443	49718	23.201.212.130	192.168.2.5
Feb 4, 2024 15:32:38.355084896 CET	49718	443	192.168.2.5	23.201.212.130
Feb 4, 2024 15:32:38.355787992 CET	49718	443	192.168.2.5	23.201.212.130
Feb 4, 2024 15:32:38.355827093 CET	443	49718	23.201.212.130	192.168.2.5
Feb 4, 2024 15:32:38.370738029 CET	49674	443	192.168.2.5	23.1.237.91
Feb 4, 2024 15:32:38.370835066 CET	49675	443	192.168.2.5	23.1.237.91
Feb 4, 2024 15:32:38.511274099 CET	49673	443	192.168.2.5	23.1.237.91
Feb 4, 2024 15:32:38.569349051 CET	443	49718	23.201.212.130	192.168.2.5
Feb 4, 2024 15:32:38.569451094 CET	49718	443	192.168.2.5	23.201.212.130
Feb 4, 2024 15:32:38.571063995 CET	49718	443	192.168.2.5	23.201.212.130
Feb 4, 2024 15:32:38.571089983 CET	443	49718	23.201.212.130	192.168.2.5
Feb 4, 2024 15:32:38.571444035 CET	443	49718	23.201.212.130	192.168.2.5
Feb 4, 2024 15:32:38.572844982 CET	49718	443	192.168.2.5	23.201.212.130
Feb 4, 2024 15:32:38.613900900 CET	443	49718	23.201.212.130	192.168.2.5
Feb 4, 2024 15:32:38.772281885 CET	443	49718	23.201.212.130	192.168.2.5
Feb 4, 2024 15:32:38.772367954 CET	443	49718	23.201.212.130	192.168.2.5
Feb 4, 2024 15:32:38.772428989 CET	49718	443	192.168.2.5	23.201.212.130
Feb 4, 2024 15:32:38.773822069 CET	49718	443	192.168.2.5	23.201.212.130
Feb 4, 2024 15:32:38.773869991 CET	443	49718	23.201.212.130	192.168.2.5
Feb 4, 2024 15:32:38.773926020 CET	49718	443	192.168.2.5	23.201.212.130
Feb 4, 2024 15:32:38.773942947 CET	443	49718	23.201.212.130	192.168.2.5
Feb 4, 2024 15:32:39.860099077 CET	443	49703	23.1.237.91	192.168.2.5
Feb 4, 2024 15:32:39.860194921 CET	49703	443	192.168.2.5	23.1.237.91
Feb 4, 2024 15:32:47.780514002 CET	443	49716	108.177.122.99	192.168.2.5
Feb 4, 2024 15:32:47.780595064 CET	443	49716	108.177.122.99	192.168.2.5
Feb 4, 2024 15:32:47.780803919 CET	49716	443	192.168.2.5	108.177.122.99
Feb 4, 2024 15:32:48.918657064 CET	49719	443	192.168.2.5	52.165.165.26
Feb 4, 2024 15:32:48.918703079 CET	443	49719	52.165.165.26	192.168.2.5
Feb 4, 2024 15:32:48.918781996 CET	49719	443	192.168.2.5	52.165.165.26
Feb 4, 2024 15:32:48.921066999 CET	49719	443	192.168.2.5	52.165.165.26
Feb 4, 2024 15:32:48.921081066 CET	443	49719	52.165.165.26	192.168.2.5
Feb 4, 2024 15:32:49.347131968 CET	443	49719	52.165.165.26	192.168.2.5
Feb 4, 2024 15:32:49.347280025 CET	49719	443	192.168.2.5	52.165.165.26
Feb 4, 2024 15:32:49.350408077 CET	49719	443	192.168.2.5	52.165.165.26
Feb 4, 2024 15:32:49.350424051 CET	443	49719	52.165.165.26	192.168.2.5
Feb 4, 2024 15:32:49.350879908 CET	443	49719	52.165.165.26	192.168.2.5
Feb 4, 2024 15:32:49.400377035 CET	49719	443	192.168.2.5	52.165.165.26
Feb 4, 2024 15:32:49.496089935 CET	49716	443	192.168.2.5	108.177.122.99
Feb 4, 2024 15:32:49.496145010 CET	443	49716	108.177.122.99	192.168.2.5
Feb 4, 2024 15:32:49.837732077 CET	49719	443	192.168.2.5	52.165.165.26
Feb 4, 2024 15:32:49.881910086 CET	443	49719	52.165.165.26	192.168.2.5
Feb 4, 2024 15:32:49.902390003 CET	49703	443	192.168.2.5	23.1.237.91
Feb 4, 2024 15:32:49.902482986 CET	49703	443	192.168.2.5	23.1.237.91
Feb 4, 2024 15:32:49.902997971 CET	49723	443	192.168.2.5	23.1.237.91
Feb 4, 2024 15:32:49.903034925 CET	443	49723	23.1.237.91	192.168.2.5
Feb 4, 2024 15:32:49.903100014 CET	49723	443	192.168.2.5	23.1.237.91
Feb 4, 2024 15:32:49.903556108 CET	49723	443	192.168.2.5	23.1.237.91
Feb 4, 2024 15:32:49.903568029 CET	443	49723	23.1.237.91	192.168.2.5
Feb 4, 2024 15:32:50.051261902 CET	443	49703	23.1.237.91	192.168.2.5
Feb 4, 2024 15:32:50.051286936 CET	443	49703	23.1.237.91	192.168.2.5
Feb 4, 2024 15:32:50.105216026 CET	443	49719	52.165.165.26	192.168.2.5
Feb 4, 2024 15:32:50.105274916 CET	443	49719	52.165.165.26	192.168.2.5
Feb 4, 2024 15:32:50.105295897 CET	443	49719	52.165.165.26	192.168.2.5
Feb 4, 2024 15:32:50.105334997 CET	443	49719	52.165.165.26	192.168.2.5
Feb 4, 2024 15:32:50.105349064 CET	49719	443	192.168.2.5	52.165.165.26
Feb 4, 2024 15:32:50.105374098 CET	443	49719	52.165.165.26	192.168.2.5
Feb 4, 2024 15:32:50.105386972 CET	49719	443	192.168.2.5	52.165.165.26
Feb 4, 2024 15:32:50.105391979 CET	443	49719	52.165.165.26	192.168.2.5
Feb 4, 2024 15:32:50.105407953 CET	49719	443	192.168.2.5	52.165.165.26
Feb 4, 2024 15:32:50.105431080 CET	49719	443	192.168.2.5	52.165.165.26
Feb 4, 2024 15:32:50.105513096 CET	443	49719	52.165.165.26	192.168.2.5
Feb 4, 2024 15:32:50.105673075 CET	49719	443	192.168.2.5	52.165.165.26
Feb 4, 2024 15:32:50.105676889 CET	443	49719	52.165.165.26	192.168.2.5
Feb 4, 2024 15:32:50.105709076 CET	443	49719	52.165.165.26	192.168.2.5
Feb 4, 2024 15:32:50.105787039 CET	49719	443	192.168.2.5	52.165.165.26
Feb 4, 2024 15:32:50.223439932 CET	443	49723	23.1.237.91	192.168.2.5
Feb 4, 2024 15:32:50.223512888 CET	49723	443	192.168.2.5	23.1.237.91
Feb 4, 2024 15:32:50.241234064 CET	49723	443	192.168.2.5	23.1.237.91
Feb 4, 2024 15:32:50.241255999 CET	443	49723	23.1.237.91	192.168.2.5
Feb 4, 2024 15:32:50.242336988 CET	443	49723	23.1.237.91	192.168.2.5
Feb 4, 2024 15:32:50.242434025 CET	49723	443	192.168.2.5	23.1.237.91
Feb 4, 2024 15:32:50.243029118 CET	49723	443	192.168.2.5	23.1.237.91
Feb 4, 2024 15:32:50.243125916 CET	443	49723	23.1.237.91	192.168.2.5
Feb 4, 2024 15:32:50.243319035 CET	49723	443	192.168.2.5	23.1.237.91
Feb 4, 2024 15:32:50.243326902 CET	443	49723	23.1.237.91	192.168.2.5
Feb 4, 2024 15:32:50.364753008 CET	49719	443	192.168.2.5	52.165.165.26
Feb 4, 2024 15:32:50.364780903 CET	443	49719	52.165.165.26	192.168.2.5
Feb 4, 2024 15:32:50.594953060 CET	443	49723	23.1.237.91	192.168.2.5
Feb 4, 2024 15:32:50.595016003 CET	49723	443	192.168.2.5	23.1.237.91
Feb 4, 2024 15:32:50.595247984 CET	49723	443	192.168.2.5	23.1.237.91
Feb 4, 2024 15:32:50.595340014 CET	443	49723	23.1.237.91	192.168.2.5
Feb 4, 2024 15:32:50.595403910 CET	49723	443	192.168.2.5	23.1.237.91
Feb 4, 2024 15:32:50.595410109 CET	443	49723	23.1.237.91	192.168.2.5
Feb 4, 2024 15:32:50.595453024 CET	49723	443	192.168.2.5	23.1.237.91
Feb 4, 2024 15:33:26.953469038 CET	49726	443	192.168.2.5	52.165.165.26
Feb 4, 2024 15:33:26.953501940 CET	443	49726	52.165.165.26	192.168.2.5
Feb 4, 2024 15:33:26.953588963 CET	49726	443	192.168.2.5	52.165.165.26
Feb 4, 2024 15:33:26.954421997 CET	49726	443	192.168.2.5	52.165.165.26
Feb 4, 2024 15:33:26.954437017 CET	443	49726	52.165.165.26	192.168.2.5
Feb 4, 2024 15:33:27.368863106 CET	443	49726	52.165.165.26	192.168.2.5
Feb 4, 2024 15:33:27.368988991 CET	49726	443	192.168.2.5	52.165.165.26
Feb 4, 2024 15:33:27.373121977 CET	49726	443	192.168.2.5	52.165.165.26
Feb 4, 2024 15:33:27.373130083 CET	443	49726	52.165.165.26	192.168.2.5
Feb 4, 2024 15:33:27.373462915 CET	443	49726	52.165.165.26	192.168.2.5
Feb 4, 2024 15:33:27.387109995 CET	49726	443	192.168.2.5	52.165.165.26
Feb 4, 2024 15:33:27.429905891 CET	443	49726	52.165.165.26	192.168.2.5
Feb 4, 2024 15:33:27.770672083 CET	443	49726	52.165.165.26	192.168.2.5
Feb 4, 2024 15:33:27.770700932 CET	443	49726	52.165.165.26	192.168.2.5
Feb 4, 2024 15:33:27.770720005 CET	443	49726	52.165.165.26	192.168.2.5
Feb 4, 2024 15:33:27.770761013 CET	49726	443	192.168.2.5	52.165.165.26
Feb 4, 2024 15:33:27.770787954 CET	443	49726	52.165.165.26	192.168.2.5
Feb 4, 2024 15:33:27.770807028 CET	49726	443	192.168.2.5	52.165.165.26
Feb 4, 2024 15:33:27.770821095 CET	443	49726	52.165.165.26	192.168.2.5
Feb 4, 2024 15:33:27.770843029 CET	49726	443	192.168.2.5	52.165.165.26
Feb 4, 2024 15:33:27.770850897 CET	443	49726	52.165.165.26	192.168.2.5
Feb 4, 2024 15:33:27.770865917 CET	49726	443	192.168.2.5	52.165.165.26
Feb 4, 2024 15:33:27.770915985 CET	49726	443	192.168.2.5	52.165.165.26
Feb 4, 2024 15:33:27.770921946 CET	443	49726	52.165.165.26	192.168.2.5
Feb 4, 2024 15:33:27.770953894 CET	443	49726	52.165.165.26	192.168.2.5
Feb 4, 2024 15:33:27.770973921 CET	49726	443	192.168.2.5	52.165.165.26
Feb 4, 2024 15:33:27.771009922 CET	49726	443	192.168.2.5	52.165.165.26
Feb 4, 2024 15:33:27.781543970 CET	49726	443	192.168.2.5	52.165.165.26
Feb 4, 2024 15:33:27.781558037 CET	443	49726	52.165.165.26	192.168.2.5
Feb 4, 2024 15:33:27.781651974 CET	49726	443	192.168.2.5	52.165.165.26
Feb 4, 2024 15:33:27.781658888 CET	443	49726	52.165.165.26	192.168.2.5
Feb 4, 2024 15:33:37.500140905 CET	49728	443	192.168.2.5	108.177.122.99
Feb 4, 2024 15:33:37.500184059 CET	443	49728	108.177.122.99	192.168.2.5
Feb 4, 2024 15:33:37.500267029 CET	49728	443	192.168.2.5	108.177.122.99
Feb 4, 2024 15:33:37.500705957 CET	49728	443	192.168.2.5	108.177.122.99
Feb 4, 2024 15:33:37.500721931 CET	443	49728	108.177.122.99	192.168.2.5
Feb 4, 2024 15:33:37.717397928 CET	443	49728	108.177.122.99	192.168.2.5
Feb 4, 2024 15:33:37.717750072 CET	49728	443	192.168.2.5	108.177.122.99
Feb 4, 2024 15:33:37.717761993 CET	443	49728	108.177.122.99	192.168.2.5
Feb 4, 2024 15:33:37.718255043 CET	443	49728	108.177.122.99	192.168.2.5
Feb 4, 2024 15:33:37.718825102 CET	49728	443	192.168.2.5	108.177.122.99
Feb 4, 2024 15:33:37.718914986 CET	443	49728	108.177.122.99	192.168.2.5
Feb 4, 2024 15:33:37.759567022 CET	49728	443	192.168.2.5	108.177.122.99
Feb 4, 2024 15:33:47.728436947 CET	443	49728	108.177.122.99	192.168.2.5
Feb 4, 2024 15:33:47.728528976 CET	443	49728	108.177.122.99	192.168.2.5
Feb 4, 2024 15:33:47.728694916 CET	49728	443	192.168.2.5	108.177.122.99
Feb 4, 2024 15:33:49.495621920 CET	49728	443	192.168.2.5	108.177.122.99
Feb 4, 2024 15:33:49.495661974 CET	443	49728	108.177.122.99	192.168.2.5
Feb 4, 2024 15:34:02.584141016 CET	49730	443	192.168.2.5	142.250.105.102
Feb 4, 2024 15:34:02.584244013 CET	443	49730	142.250.105.102	192.168.2.5
Feb 4, 2024 15:34:02.584335089 CET	49730	443	192.168.2.5	142.250.105.102
Feb 4, 2024 15:34:02.584786892 CET	49730	443	192.168.2.5	142.250.105.102
Feb 4, 2024 15:34:02.584825993 CET	443	49730	142.250.105.102	192.168.2.5
Feb 4, 2024 15:34:02.806118965 CET	443	49730	142.250.105.102	192.168.2.5
Feb 4, 2024 15:34:02.806826115 CET	49730	443	192.168.2.5	142.250.105.102
Feb 4, 2024 15:34:02.806891918 CET	443	49730	142.250.105.102	192.168.2.5
Feb 4, 2024 15:34:02.808068037 CET	443	49730	142.250.105.102	192.168.2.5
Feb 4, 2024 15:34:02.808142900 CET	49730	443	192.168.2.5	142.250.105.102
Feb 4, 2024 15:34:02.809079885 CET	443	49730	142.250.105.102	192.168.2.5
Feb 4, 2024 15:34:02.809142113 CET	49730	443	192.168.2.5	142.250.105.102
Feb 4, 2024 15:34:02.810338974 CET	49730	443	192.168.2.5	142.250.105.102
Feb 4, 2024 15:34:02.810431957 CET	443	49730	142.250.105.102	192.168.2.5
Feb 4, 2024 15:34:02.810550928 CET	49730	443	192.168.2.5	142.250.105.102
Feb 4, 2024 15:34:02.810574055 CET	443	49730	142.250.105.102	192.168.2.5
Feb 4, 2024 15:34:02.853415966 CET	49730	443	192.168.2.5	142.250.105.102
Feb 4, 2024 15:34:03.014122009 CET	443	49730	142.250.105.102	192.168.2.5
Feb 4, 2024 15:34:03.015717983 CET	443	49730	142.250.105.102	192.168.2.5
Feb 4, 2024 15:34:03.015805006 CET	49730	443	192.168.2.5	142.250.105.102
Feb 4, 2024 15:34:03.016155958 CET	49730	443	192.168.2.5	142.250.105.102
Feb 4, 2024 15:34:03.016200066 CET	443	49730	142.250.105.102	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 4, 2024 15:32:29.750649929 CET	50905	53	192.168.2.5	1.1.1.1
Feb 4, 2024 15:32:29.869787931 CET	53	50905	1.1.1.1	192.168.2.5
Feb 4, 2024 15:32:33.237390995 CET	54235	53	192.168.2.5	1.1.1.1
Feb 4, 2024 15:32:33.237802982 CET	53090	53	192.168.2.5	1.1.1.1
Feb 4, 2024 15:32:33.238398075 CET	51781	53	192.168.2.5	1.1.1.1
Feb 4, 2024 15:32:33.238701105 CET	59137	53	192.168.2.5	1.1.1.1
Feb 4, 2024 15:32:33.297233105 CET	53	52100	1.1.1.1	192.168.2.5
Feb 4, 2024 15:32:33.355130911 CET	53	54235	1.1.1.1	192.168.2.5
Feb 4, 2024 15:32:33.355385065 CET	53	53090	1.1.1.1	192.168.2.5
Feb 4, 2024 15:32:33.355889082 CET	53	51781	1.1.1.1	192.168.2.5
Feb 4, 2024 15:32:33.355926037 CET	53	59137	1.1.1.1	192.168.2.5
Feb 4, 2024 15:32:33.357472897 CET	53	56646	1.1.1.1	192.168.2.5
Feb 4, 2024 15:32:34.041181087 CET	53	56868	1.1.1.1	192.168.2.5
Feb 4, 2024 15:32:34.085832119 CET	53	61938	1.1.1.1	192.168.2.5
Feb 4, 2024 15:32:37.449876070 CET	53990	53	192.168.2.5	1.1.1.1
Feb 4, 2024 15:32:37.450112104 CET	57866	53	192.168.2.5	1.1.1.1
Feb 4, 2024 15:32:37.567446947 CET	53	57866	1.1.1.1	192.168.2.5
Feb 4, 2024 15:32:37.567672014 CET	53	53990	1.1.1.1	192.168.2.5
Feb 4, 2024 15:32:51.019613028 CET	53	53326	1.1.1.1	192.168.2.5
Feb 4, 2024 15:33:09.925518990 CET	53	60532	1.1.1.1	192.168.2.5
Feb 4, 2024 15:33:32.717926979 CET	53	56222	1.1.1.1	192.168.2.5
Feb 4, 2024 15:33:32.824219942 CET	53	54215	1.1.1.1	192.168.2.5
Feb 4, 2024 15:33:59.972003937 CET	53	51601	1.1.1.1	192.168.2.5
Feb 4, 2024 15:34:02.465333939 CET	64379	53	192.168.2.5	1.1.1.1
Feb 4, 2024 15:34:02.465534925 CET	63579	53	192.168.2.5	1.1.1.1
Feb 4, 2024 15:34:02.582684994 CET	53	64379	1.1.1.1	192.168.2.5
Feb 4, 2024 15:34:02.583340883 CET	53	63579	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 4, 2024 15:32:29.750649929 CET	192.168.2.5	1.1.1.1	0xceb2	Standard query (0)	veryfast.io	A (IP address)	IN (0x0001)	false
Feb 4, 2024 15:32:33.237390995 CET	192.168.2.5	1.1.1.1	0x1ce8	Standard query (0)	clients2.google.com	A (IP address)	IN (0x0001)	false
Feb 4, 2024 15:32:33.237802982 CET	192.168.2.5	1.1.1.1	0xdee5	Standard query (0)	clients2.google.com	65	IN (0x0001)	false
Feb 4, 2024 15:32:33.238398075 CET	192.168.2.5	1.1.1.1	0xe593	Standard query (0)	accounts.google.com	A (IP address)	IN (0x0001)	false
Feb 4, 2024 15:32:33.238701105 CET	192.168.2.5	1.1.1.1	0x5bd8	Standard query (0)	accounts.google.com	65	IN (0x0001)	false
Feb 4, 2024 15:32:37.449876070 CET	192.168.2.5	1.1.1.1	0x53e0	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Feb 4, 2024 15:32:37.450112104 CET	192.168.2.5	1.1.1.1	0x37b1	Standard query (0)	www.google.com	65	IN (0x0001)	false
Feb 4, 2024 15:34:02.465333939 CET	192.168.2.5	1.1.1.1	0x1a3f	Standard query (0)	clients1.google.com	A (IP address)	IN (0x0001)	false
Feb 4, 2024 15:34:02.465534925 CET	192.168.2.5	1.1.1.1	0x242a	Standard query (0)	clients1.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Feb 4, 2024 15:32:29.869787931 CET	1.1.1.1	192.168.2.5	0xceb2	No error (0)	veryfast.io		161.35.127.181	A (IP address)	IN (0x0001)	false
Feb 4, 2024 15:32:33.355130911 CET	1.1.1.1	192.168.2.5	0x1ce8	No error (0)	clients2.google.com	clients.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Feb 4, 2024 15:32:33.355130911 CET	1.1.1.1	192.168.2.5	0x1ce8	No error (0)	clients.l.google.com		142.250.105.101	A (IP address)	IN (0x0001)	false
Feb 4, 2024 15:32:33.355130911 CET	1.1.1.1	192.168.2.5	0x1ce8	No error (0)	clients.l.google.com		142.250.105.139	A (IP address)	IN (0x0001)	false
Feb 4, 2024 15:32:33.355130911 CET	1.1.1.1	192.168.2.5	0x1ce8	No error (0)	clients.l.google.com		142.250.105.113	A (IP address)	IN (0x0001)	false
Feb 4, 2024 15:32:33.355130911 CET	1.1.1.1	192.168.2.5	0x1ce8	No error (0)	clients.l.google.com		142.250.105.138	A (IP address)	IN (0x0001)	false
Feb 4, 2024 15:32:33.355130911 CET	1.1.1.1	192.168.2.5	0x1ce8	No error (0)	clients.l.google.com		142.250.105.100	A (IP address)	IN (0x0001)	false
Feb 4, 2024 15:32:33.355130911 CET	1.1.1.1	192.168.2.5	0x1ce8	No error (0)	clients.l.google.com		142.250.105.102	A (IP address)	IN (0x0001)	false
Feb 4, 2024 15:32:33.355385065 CET	1.1.1.1	192.168.2.5	0xdee5	No error (0)	clients2.google.com	clients.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Feb 4, 2024 15:32:33.355889082 CET	1.1.1.1	192.168.2.5	0xe593	No error (0)	accounts.google.com		172.217.215.84	A (IP address)	IN (0x0001)	false
Feb 4, 2024 15:32:37.567446947 CET	1.1.1.1	192.168.2.5	0x37b1	No error (0)	www.google.com			65	IN (0x0001)	false
Feb 4, 2024 15:32:37.567672014 CET	1.1.1.1	192.168.2.5	0x53e0	No error (0)	www.google.com		108.177.122.99	A (IP address)	IN (0x0001)	false
Feb 4, 2024 15:32:37.567672014 CET	1.1.1.1	192.168.2.5	0x53e0	No error (0)	www.google.com		108.177.122.147	A (IP address)	IN (0x0001)	false
Feb 4, 2024 15:32:37.567672014 CET	1.1.1.1	192.168.2.5	0x53e0	No error (0)	www.google.com		108.177.122.106	A (IP address)	IN (0x0001)	false
Feb 4, 2024 15:32:37.567672014 CET	1.1.1.1	192.168.2.5	0x53e0	No error (0)	www.google.com		108.177.122.104	A (IP address)	IN (0x0001)	false
Feb 4, 2024 15:32:37.567672014 CET	1.1.1.1	192.168.2.5	0x53e0	No error (0)	www.google.com		108.177.122.103	A (IP address)	IN (0x0001)	false
Feb 4, 2024 15:32:37.567672014 CET	1.1.1.1	192.168.2.5	0x53e0	No error (0)	www.google.com		108.177.122.105	A (IP address)	IN (0x0001)	false
Feb 4, 2024 15:34:02.582684994 CET	1.1.1.1	192.168.2.5	0x1a3f	No error (0)	clients1.google.com	clients.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Feb 4, 2024 15:34:02.582684994 CET	1.1.1.1	192.168.2.5	0x1a3f	No error (0)	clients.l.google.com		142.250.105.102	A (IP address)	IN (0x0001)	false
Feb 4, 2024 15:34:02.582684994 CET	1.1.1.1	192.168.2.5	0x1a3f	No error (0)	clients.l.google.com		142.250.105.113	A (IP address)	IN (0x0001)	false
Feb 4, 2024 15:34:02.582684994 CET	1.1.1.1	192.168.2.5	0x1a3f	No error (0)	clients.l.google.com		142.250.105.139	A (IP address)	IN (0x0001)	false
Feb 4, 2024 15:34:02.582684994 CET	1.1.1.1	192.168.2.5	0x1a3f	No error (0)	clients.l.google.com		142.250.105.101	A (IP address)	IN (0x0001)	false
Feb 4, 2024 15:34:02.582684994 CET	1.1.1.1	192.168.2.5	0x1a3f	No error (0)	clients.l.google.com		142.250.105.100	A (IP address)	IN (0x0001)	false
Feb 4, 2024 15:34:02.582684994 CET	1.1.1.1	192.168.2.5	0x1a3f	No error (0)	clients.l.google.com		142.250.105.138	A (IP address)	IN (0x0001)	false
Feb 4, 2024 15:34:02.583340883 CET	1.1.1.1	192.168.2.5	0x242a	No error (0)	clients1.google.com	clients.l.google.com		CNAME (Canonical name)	IN (0x0001)	false

HTTP Request Dependency Graph

veryfast.io

clients2.google.com

accounts.google.com

fs.microsoft.com

slscr.update.microsoft.com

https:

www.bing.com

clients1.google.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49705	161.35.127.181	443	4120	C:\Windows\SysWOW64\wget.exe

Timestamp	Bytes transferred	Direction	Data
2024-02-04 14:32:30 UTC	203	OUT	GET /downloading.html HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko Accept: / Accept-Encoding: identity Host: veryfast.io Connection: Keep-Alive
2024-02-04 14:32:30 UTC	350	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 04 Feb 2024 14:32:30 GMT Content-Type: text/html Content-Length: 5845 Connection: close Vary: Accept-Encoding Vary: Accept-Encoding Strict-Transport-Security: max-age=31536000; includeSubDomains Accept-Ranges: bytes Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0
2024-02-04 14:32:30 UTC	5845	IN	Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 44 6f 77 6e 6c 6f 61 64 69 6e 67 20 46 61 73 74 21 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4f 70 65 6e 20 53 61 6e 73 27 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 3e 0a 09 3c 73 74 79 6c 65 3e 0a 09 09 62 6f 64 79 20 7b 0a 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 27 4f 70 65 6e 20 53 61 6e 73 27 3b 0a 09 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 32 70 78 3b 0a 09 09 09 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 77 68 69 74 65 3b 0a 09 09 09 6d 61 72 67 69 6e 3a 20 30 3b 0a 09 Data Ascii: <html><head> <title>Downloading Fast!</title> <link href='https://fonts.googleapis.com/css?family=Open Sans' rel='stylesheet'><style>body {font-family: 'Open Sans';font-size: 12px;color: #333;background:white;margin: 0;

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49707	142.250.105.101	443	7212	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-02-04 14:32:33 UTC	752	OUT	GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=117.0.5938.132&lang=en-US&acceptformat=crx3,puff&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26brand%3DONGR%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1 Host: clients2.google.com Connection: keep-alive X-Goog-Update-Interactivity: fg X-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda X-Goog-Update-Updater: chromecrx-117.0.5938.132 Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-02-04 14:32:33 UTC	732	IN	HTTP/1.1 200 OK Content-Security-Policy: script-src 'report-sample' 'nonce-R_iaVhFVGXGGC1AcUAwctg' 'unsafe-inline' 'strict-dynamic' https: http:;object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/clientupdate-aus/1 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sun, 04 Feb 2024 14:32:33 GMT Content-Type: text/xml; charset=UTF-8 X-Daynum: 6243 X-Daystart: 23553 X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block Server: GSE Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-02-04 14:32:33 UTC	520	IN	Data Raw: 32 63 39 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 67 75 70 64 61 74 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 75 70 64 61 74 65 32 2f 72 65 73 70 6f 6e 73 65 22 20 70 72 6f 74 6f 63 6f 6c 3d 22 32 2e 30 22 20 73 65 72 76 65 72 3d 22 70 72 6f 64 22 3e 3c 64 61 79 73 74 61 72 74 20 65 6c 61 70 73 65 64 5f 64 61 79 73 3d 22 36 32 34 33 22 20 65 6c 61 70 73 65 64 5f 73 65 63 6f 6e 64 73 3d 22 32 33 35 35 33 22 2f 3e 3c 61 70 70 20 61 70 70 69 64 3d 22 6e 6d 6d 68 6b 6b 65 67 63 63 61 67 64 6c 64 67 69 69 6d 65 64 70 69 63 63 6d 67 6d 69 65 64 61 22 20 63 6f 68 6f 72 74 3d 22 31 3a 3a 22 20 63 6f 68 6f 72 74 6e 61 6d 65 3d 22 22 Data Ascii: 2c9<?xml version="1.0" encoding="UTF-8"?><gupdate xmlns="http://www.google.com/update2/response" protocol="2.0" server="prod"><daystart elapsed_days="6243" elapsed_seconds="23553"/><app appid="nmmhkkegccagdldgiimedpiccmgmieda" cohort="1::" cohortname=""
2024-02-04 14:32:33 UTC	200	IN	Data Raw: 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 68 61 73 68 5f 73 68 61 32 35 36 3d 22 38 31 65 33 61 34 64 34 33 61 37 33 36 39 39 65 31 62 37 37 38 31 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 70 72 6f 74 65 63 74 65 64 3d 22 30 22 20 73 69 7a 65 3d 22 32 34 38 35 33 31 22 20 73 74 61 74 75 73 3d 22 6f 6b 22 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 2e 30 2e 36 22 2f 3e 3c 2f 61 70 70 3e 3c 2f 67 75 70 64 61 74 65 3e 0d 0a Data Ascii: 723f56b8717175c536685c5450122b30789464ad82" hash_sha256="81e3a4d43a73699e1b7781723f56b8717175c536685c5450122b30789464ad82" protected="0" size="248531" status="ok" version="1.0.0.6"/></app></gupdate>
2024-02-04 14:32:33 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49709	172.217.215.84	443	7212	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-02-04 14:32:33 UTC	680	OUT	POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1 Host: accounts.google.com Connection: keep-alive Content-Length: 1 Origin: https://www.google.com Content-Type: application/x-www-form-urlencoded Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=511=Ef5vPFGw-MZYo5hwe-0ThAVslbxbmvdVZwcHnqVzWHAU14v53MN1VvwvQq8baYfg2-IAtqZBV5NOL5rvj2NWIqrz377UhLdHtOgE-tJaBlUBYJEhuGsQdqni3oTJg0brqv1djdiLJyvTSUhdK-c5JWadCSsULPLzhSx-F-6wOg4
2024-02-04 14:32:33 UTC	1	OUT	Data Raw: 20 Data Ascii:
2024-02-04 14:32:33 UTC	1799	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Access-Control-Allow-Origin: https://www.google.com Access-Control-Allow-Credentials: true X-Content-Type-Options: nosniff Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sun, 04 Feb 2024 14:32:33 GMT Strict-Transport-Security: max-age=31536000; includeSubDomains Content-Security-Policy: script-src 'report-sample' 'nonce--Y3gleS24s1Fj33YqzISHg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/IdentityListAccountsHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/IdentityListAccountsHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/IdentityListAccountsHttp/cspreport Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factor=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version reporting-endpoints: default="/_/IdentityListAccountsHttp/web-reports?context=eJzjMtDikmLw1JBiOHxtB5Meyy0mIyCe2_2UaSEQH4x7znQUiHf4eLA4pc9gDQBiIR6OxgP_1rIJPLhw4CMTALhNGDI" Server: ESF X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-02-04 14:32:33 UTC	23	IN	Data Raw: 31 31 0d 0a 5b 22 67 61 69 61 2e 6c 2e 61 2e 72 22 2c 5b 5d 5d 0d 0a Data Ascii: 11["gaia.l.a.r",[]]
2024-02-04 14:32:33 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49717	23.201.212.130	443

Timestamp	Bytes transferred	Direction	Data
2024-02-04 14:32:38 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-02-04 14:32:38 UTC	532	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Tue, 16 May 2017 22:58:00 GMT ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-eus-z1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json X-MSEdge-Ref: Ref A: 5B530CACA39F445BB20AF88ADB990A13 Ref B: BLUEDGE1613 Ref C: 2024-02-04T01:32:15Z Cache-Control: public, max-age=212402 Date: Sun, 04 Feb 2024 14:32:38 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49718	23.201.212.130	443

Timestamp	Bytes transferred	Direction	Data
2024-02-04 14:32:38 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-02-04 14:32:38 UTC	521	IN	HTTP/1.1 200 OK Last-Modified: Tue, 16 May 2017 22:58:00 GMT ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Content-Type: application/octet-stream ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json X-MSEdge-Ref: Ref A: 1B505B220C384F4E8B34A040881A4741 Ref B: BLUEDGE1921 Ref C: 2023-03-16T18:28:31Z Cache-Control: public, max-age=183765 Date: Sun, 04 Feb 2024 14:32:38 GMT Content-Length: 55 Connection: close X-CID: 2
2024-02-04 14:32:38 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49719	52.165.165.26	443

Timestamp	Bytes transferred	Direction	Data
2024-02-04 14:32:49 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=WrNFT62LC5wGObZ&MD=9EXu2Hn+ HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-02-04 14:32:50 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: 27069eb8-405b-46e6-88bd-86082a2dc358 MS-RequestId: c0982dbd-a4bc-4edb-9f02-af45f025b6db MS-CV: Dzh93lr6jU+oLx1f.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Sun, 04 Feb 2024 14:32:49 GMT Connection: close Content-Length: 24490
2024-02-04 14:32:50 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-02-04 14:32:50 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port
6	192.168.2.5	49723	23.1.237.91	443

Timestamp	Bytes transferred	Direction	Data
2024-02-04 14:32:50 UTC	2148	OUT	POST /threshold/xls.aspx HTTP/1.1 Origin: https://www.bing.com Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init Accept: / Accept-Language: en-CH Content-type: text/xml X-Agent-DeviceId: 01000A410900D492 X-BM-CBT: 1696428841 X-BM-DateFormat: dd/MM/yyyy X-BM-DeviceDimensions: 784x984 X-BM-DeviceDimensionsLogical: 784x984 X-BM-DeviceScale: 100 X-BM-DTZ: 120 X-BM-Market: CH X-BM-Theme: 000000;0078d7 X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66E X-Device-ClientSession: DB0AFB19004F47BC80E5208C7478FF22 X-Device-isOptin: false X-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A} X-Device-OSSKU: 48 X-Device-Touch: false X-DeviceID: 01000A410900D492 X-MSEdge-ExternalExp: d-thshld39,d-thshld42,d-thshld77,d-thshld78,staticsh X-MSEdge-ExternalExpType: JointCoord X-PositionerType: Desktop X-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI X-Search-CortanaAvailableCapabilities: None X-Search-SafeSearch: Moderate X-Search-TimeZone: Bias=-60; DaylightBias=-60; TimeZoneKeyName=W. Europe Standard Time X-UserAgeClass: Unknown Accept-Encoding: gzip, deflate, br User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045 Host: www.bing.com Content-Length: 2484 Connection: Keep-Alive Cache-Control: no-cache Cookie: MUID=2F4E96DB8B7049E59AD4484C3C00F7CF; _SS=SID=1A6DEABB468B65843EB5F91B47916435&CPID=1707057139052&AC=1&CPH=d1a4eb75; _EDGE_S=SID=1A6DEABB468B65843EB5F91B47916435; SRCHUID=V=2&GUID=3D32B8AC657C4AD781A584E283227995&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20231004; SRCHHPGUSR=SRCHLANG=en&IPMH=986d886c&IPMID=1696428841029&HV=1696428756; CortanaAppUID=5A290E2CC4B523E2D8B5E2E3E4CB7CB7; MUIDB=2F4E96DB8B7049E59AD4484C3C00F7CF
2024-02-04 14:32:50 UTC	1	OUT	Data Raw: 3c Data Ascii: <
2024-02-04 14:32:50 UTC	2483	OUT	Data Raw: 43 6c 69 65 6e 74 49 6e 73 74 52 65 71 75 65 73 74 3e 3c 43 49 44 3e 33 36 34 34 46 44 37 34 44 46 31 36 36 31 38 46 30 38 46 37 45 43 30 33 44 45 35 35 36 30 30 31 3c 2f 43 49 44 3e 3c 45 76 65 6e 74 73 3e 3c 45 3e 3c 54 3e 45 76 65 6e 74 2e 43 6c 69 65 6e 74 49 6e 73 74 3c 2f 54 3e 3c 49 47 3e 37 35 32 32 38 31 35 36 37 30 33 41 34 30 44 35 42 39 37 45 35 41 36 38 33 36 46 32 41 31 43 45 3c 2f 49 47 3e 3c 44 3e 3c 21 5b 43 44 41 54 41 5b 7b 22 43 75 72 55 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 69 6e 67 2e 63 6f 6d 2f 41 53 2f 41 50 49 2f 57 69 6e 64 6f 77 73 43 6f 72 74 61 6e 61 50 61 6e 65 2f 56 32 2f 49 6e 69 74 22 2c 22 50 69 76 6f 74 22 3a 22 51 46 22 2c 22 54 22 3a 22 43 49 2e 42 6f 78 4d 6f 64 65 6c 22 2c 22 46 49 44 22 3a 22 43 49 Data Ascii: ClientInstRequest><CID>3644FD74DF16618F08F7EC03DE556001</CID><Events><E><T>Event.ClientInst</T><IG>75228156703A40D5B97E5A6836F2A1CE</IG><D><![CDATA[{"CurUrl":"https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init","Pivot":"QF","T":"CI.BoxModel","FID":"CI
2024-02-04 14:32:50 UTC	476	IN	HTTP/1.1 204 No Content Access-Control-Allow-Origin: * Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version X-MSEdge-Ref: Ref A: 0673A29732974F0591B423A6D789E5DD Ref B: PAOEDGE0512 Ref C: 2024-02-04T14:32:50Z Date: Sun, 04 Feb 2024 14:32:50 GMT Connection: close Alt-Svc: h3=":443"; ma=93600 X-CDN-TraceID: 0.57ed0117.1707057170.2885506b

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49726	52.165.165.26	443

Timestamp	Bytes transferred	Direction	Data
2024-02-04 14:33:27 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=WrNFT62LC5wGObZ&MD=9EXu2Hn+ HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-02-04 14:33:27 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "Mx1RoJH/qEwpWfKllx7sbsl28AuERz5IYdcsvtTJcgM=_2160" MS-CorrelationId: 4f20b3cb-24d5-4b57-90c4-2321bf9c8f8d MS-RequestId: beeb7ccb-f699-4ed4-ba4a-76ae36ecf55b MS-CV: jkaIDkxpIEaWuQlK.0 X-Microsoft-SLSClientCache: 2160 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Sun, 04 Feb 2024 14:33:26 GMT Connection: close Content-Length: 25457
2024-02-04 14:33:27 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 51 22 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 db 8e 00 00 14 00 00 00 00 00 10 00 51 22 00 00 20 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 f3 43 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 0d 92 6f db e5 21 f3 43 43 4b ed 5a 09 38 55 5b df 3f 93 99 90 29 99 e7 29 ec 73 cc 4a 66 32 cf 84 32 64 c8 31 c7 11 52 38 87 90 42 66 09 99 87 32 0f 19 0a 09 51 a6 a8 08 29 53 86 4a 52 84 50 df 46 83 ba dd 7b df fb 7e ef 7d ee 7d bf ef 9e e7 d9 67 ef 35 ee b5 fe eb 3f ff b6 96 81 a2 0a 04 fc 31 40 21 5b 3f a5 ed 1b 04 0e 85 42 a0 10 04 64 12 6c a5 de aa a1 d8 ea f3 58 01 f2 f5 67 0b 5e 9b bd e8 a0 90 1d bf 40 88 9d eb 49 b4 87 9b ab 8b 9d 2b 46 c8 c7 c5 19 92 Data Ascii: MSCFQ"DQ" AdCenvironment.cabo!CCKZ8U[?))sJf22d1R8Bf2Q)SJRPF{~}}g5?1@![?BdlXg^@I+F
2024-02-04 14:33:27 UTC	9633	IN	Data Raw: 21 6f b3 eb a6 cc f5 31 be cf 05 e2 a9 fe fa 57 6d 19 30 b3 c2 c5 66 c9 6a df f5 e7 f0 78 bd c7 a8 9e 25 e3 f9 bc ed 6b 54 57 08 2b 51 82 44 12 fb b9 53 8c cc f4 60 12 8a 76 cc 40 40 41 9b dc 5c 17 ff 5c f9 5e 17 35 98 24 56 4b 74 ef 42 10 c8 af bf 7f c6 7f f2 37 7d 5a 3f 1c f2 99 79 4a 91 52 00 af 38 0f 17 f5 2f 79 81 65 d9 a9 b5 6b e4 c7 ce f6 ca 7a 00 6f 4b 30 44 24 22 3c cf ed 03 a5 96 8f 59 29 bc b6 fd 04 e1 70 9f 32 4a 27 fd 55 af 2f fe b6 e5 8e 33 bb 62 5f 9a db 57 40 e9 f1 ce 99 66 90 8c ff 6a 62 7f dd c5 4a 0b 91 26 e2 39 ec 19 4a 71 63 9d 7b 21 6d c3 9c a3 a2 3c fa 7f 7d 96 6a 90 78 a6 6d d2 e1 9c f9 1d fc 38 d8 94 f4 c6 a5 0a 96 86 a4 bd 9e 1a ae 04 42 83 b8 b5 80 9b 22 38 20 b5 25 e5 64 ec f7 f4 bf 7e 63 59 25 0f 7a 2e 39 57 76 a2 71 aa 06 8a Data Ascii: !o1Wm0fjx%kTW+QDS`v@@A\\^5$VKtB7}Z?yJR8/yekzoK0D$"<Y)p2J'U/3b_W@fjbJ&9Jqc{!m<}jxm8B"8 %d~cY%z.9Wvq

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49730	142.250.105.102	443	7212	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-02-04 14:34:02 UTC	449	OUT	GET /tools/pso/ping?as=chrome&brand=ONGR&pid=&hl=en&events=C1I,C2I,C7I,C1S,C7S&rep=2&rlz=C1:,C2:,C7:&id=00000000000000000000000000000000000000009100CBCA17 HTTP/1.1 Host: clients1.google.com Connection: keep-alive Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br
2024-02-04 14:34:03 UTC	817	IN	HTTP/1.1 200 OK Content-Security-Policy: script-src 'report-sample' 'nonce-A_B7ndVW16lRivVfG5iwfw' 'unsafe-inline' 'strict-dynamic' https: http:;object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/download-dt/1 Content-Security-Policy: script-src 'report-sample' 'nonce-tCJ-ZgwS5FALs0LyPlZYEQ' 'unsafe-inline' 'strict-dynamic' https: http:;object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/download-dt/1 Content-Type: text/plain; charset=utf-8 Content-Length: 220 Date: Sun, 04 Feb 2024 14:34:02 GMT Expires: Sun, 04 Feb 2024 14:34:02 GMT Cache-Control: private, max-age=0 X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block Server: GSE Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-02-04 14:34:03 UTC	220	IN	Data Raw: 72 6c 7a 43 31 3a 20 31 43 31 4f 4e 47 52 5f 65 6e 55 53 31 30 39 35 0a 72 6c 7a 43 32 3a 20 31 43 32 4f 4e 47 52 5f 65 6e 55 53 31 30 39 35 0a 72 6c 7a 43 37 3a 20 31 43 37 4f 4e 47 52 5f 65 6e 55 53 31 30 39 35 0a 64 63 63 3a 20 0a 73 65 74 5f 64 63 63 3a 20 43 31 3a 31 43 31 4f 4e 47 52 5f 65 6e 55 53 31 30 39 35 2c 43 32 3a 31 43 32 4f 4e 47 52 5f 65 6e 55 53 31 30 39 35 2c 43 37 3a 31 43 37 4f 4e 47 52 5f 65 6e 55 53 31 30 39 35 0a 65 76 65 6e 74 73 3a 20 43 31 49 2c 43 32 49 2c 43 37 49 2c 43 31 53 2c 43 37 53 0a 73 74 61 74 65 66 75 6c 2d 65 76 65 6e 74 73 3a 20 43 31 49 2c 43 32 49 2c 43 37 49 0a 63 72 63 33 32 3a 20 35 35 37 32 32 36 30 32 0a Data Ascii: rlzC1: 1C1ONGR_enUS1095rlzC2: 1C2ONGR_enUS1095rlzC7: 1C7ONGR_enUS1095dcc: set_dcc: C1:1C1ONGR_enUS1095,C2:1C2ONGR_enUS1095,C7:1C7ONGR_enUS1095events: C1I,C2I,C7I,C1S,C7Sstateful-events: C1I,C2I,C7Icrc32: 55722602

Target ID:	0
Start time:	15:32:28
Start date:	04/02/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://veryfast.io/downloading.html" > cmdline.out 2>&1
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	15:32:29
Start date:	04/02/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	15:32:29
Start date:	04/02/2024
Path:	C:\Windows\SysWOW64\wget.exe
Wow64 process (32bit):	true
Commandline:	wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://veryfast.io/downloading.html"
Imagebase:	0x400000
File size:	3'895'184 bytes
MD5 hash:	3DADB6E2ECE9C4B3E1E322E617658B60
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	15:32:31
Start date:	04/02/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\Desktop\download\downloading.html
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	15:32:32
Start date:	04/02/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 --field-trial-handle=1984,i,5909537731496355094,4881547611905691764,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://veryfast.io/downloading.html

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

Phishing

Compliance

Networking

System Summary

Boot Survival

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

C:\Users\user\Desktop\cmdline.out

C:\Users\user\Desktop\download\downloading.html

Chrome Cache Entry: 62

Chrome Cache Entry: 63

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Windows Analysis Report
https://veryfast.io/downloading.html