Edit tour

Windows Analysis Report
https://res-1.cdn.office.net/officeonline/o/s/hA3DA932CBFE26BE2_App_scriΡts/OneNoteDS.js

Overview

General Information

Sample URL:	https://res-1.cdn.office.net/officeonline/o/s/hA3DA932CBFE26BE2_App_scriΡts/OneNoteDS.js
Analysis ID:	1392204
Infos:

Detection

Score:	0
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

No high impact signatures.

Classification

Process Tree

System is w7x64

chrome.exe (PID: 2944 cmdline: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank MD5: FFA2B8E17F645BCC20F0E0201FEF83ED)

chrome.exe (PID: 2036 cmdline: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1488 --field-trial-handle=1208,i,4268960282646367945,8426501699898787135,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: FFA2B8E17F645BCC20F0E0201FEF83ED)

chrome.exe (PID: 1392 cmdline: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" "https://res-1.cdn.office.net/officeonline/o/s/hA3DA932CBFE26BE2_App_Scripts/OneNoteDS.js MD5: FFA2B8E17F645BCC20F0E0201FEF83ED)

cleanup

Joe Sandbox Signatures

• Phishing
• Compliance
• Software Vulnerabilities
• Networking
• System Summary

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: https://res-1.cdn.office.net/officeonline/o/s/hA3DA932CBFE26BE2_App_Scripts/OneNoteDS.js

HTTP Parser: No favicon

Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\Google	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\Google\GoogleUpdater	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_BITS_2944_2076566840	Jump to behavior

Source: chrome.exe

Memory has grown: Private usage: 34MB later: 95MB

Source: global traffic

HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=109.0.5414.120&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmiedaX-Goog-Update-Updater: chromecrx-109.0.5414.120Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: unknown

DNS traffic detected: queries for: accounts.google.com

Source: unknown

HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: CONSENT=PENDING+962; SOCS=CAESHAgCEhJnd3NfMjAyMzA4MDEtMF9SQzMaAmVuIAEaBgiAi8amBg; __Secure-ENID=14.SE=LM-NkPAvbCtuNhK73uRS1U27fKMegq7R6_Ue_GnOGI1dekNKandC6Dto1fKS9ocnnyUmf2MAXGM269U9HhkgndYLxWy3FrZaGzh_yODdv1ouU12fBCNmRhMUwM3dzKbRlYRnbKhIQz9fV5WGdCRRjXQx5RGii6FbIw100Hc46oWQ6bysmy2hqA

Source: chromecache_73.1.dr	String found in binary or memory: http://www.mozilla.org/newlayout/xml/parsererror.xml
Source: chromecache_73.1.dr	String found in binary or memory: https://1drv.ms
Source: chromecache_73.1.dr	String found in binary or memory: https://attributes.engagement.office-int.com
Source: chromecache_73.1.dr	String found in binary or memory: https://attributes.engagement.office.com
Source: chromecache_73.1.dr	String found in binary or memory: https://attributes.engagement.officeppe.com
Source: chromecache_73.1.dr	String found in binary or memory: https://config.edge.skype.com
Source: chromecache_73.1.dr	String found in binary or memory: https://contentstorage.osi.office.net/images/2f4febe2cca96f7f.gif
Source: chromecache_73.1.dr	String found in binary or memory: https://contentstorage.osi.office.net/images/eb14b3fe6a1e1671.png
Source: chromecache_73.1.dr	String found in binary or memory: https://fa000000096.resources.office.net
Source: chromecache_73.1.dr	String found in binary or memory: https://fa000000096.resources.office.net/f7024bdc-7caf-4ca8-807d-2908f09640d6/1.0.2210.23001/en-us_w
Source: chromecache_73.1.dr	String found in binary or memory: https://feross.org
Source: chromecache_73.1.dr	String found in binary or memory: https://feross.org/opensource
Source: chromecache_73.1.dr	String found in binary or memory: https://ffc-owl.officeapps.live.com
Source: chromecache_73.1.dr	String found in binary or memory: https://mths.be/punycode
Source: chromecache_73.1.dr	String found in binary or memory: https://my.microsoftpersonalcontent.com
Source: chromecache_73.1.dr	String found in binary or memory: https://support.office.com/article/7afcb4f3-4aa2-443a-9b08-125a5d692576

Source: unknown	Network traffic detected: HTTP traffic on port 49161 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49162 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49163
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49162
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49161
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown	Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443

Source: chromecache_73.1.dr

Binary or memory string: new v.a(f.a.Wd());const y=".3gp .aa .aac .aax .act .aiff .amr .ape .au .awb .dct .dss .dvf .flac .gsm .iklax .ivs .m4a .m4b .m4p .mmf .mp3 .mpc .msv .ogg .oga .mogg .opus .ra .rm .raw .sln .tta .vox .wav .webm .wma .wv".split(" ");for(const C of y)H.Lic.add(C)}return H.Lic}static Oki(y){return H.o3h().contains(y)}static Ppi(y){y=c.jPh(y);return""!==document.createElement("audio").canPlayType(y)}}H.Lic=null;(0,Q.a)(H,"EmbeddedFileReaderUtils",null,[])},96538:function(Q,Y,e){e.d(Y,{a:function(){return k},

Source: classification engine

Classification label: clean0.win@18/4@8/4

Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

File created: C:\Program Files\Google

Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1488 --field-trial-handle=1208,i,4268960282646367945,8426501699898787135,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" "https://res-1.cdn.office.net/officeonline/o/s/hA3DA932CBFE26BE2_App_Scripts/OneNoteDS.js
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1488 --field-trial-handle=1208,i,4268960282646367945,8426501699898787135,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\Google	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\Google\GoogleUpdater	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_BITS_2944_2076566840	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	2 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Extra Window Memory Injection	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	3 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Extra Window Memory Injection	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
https://res-1.cdn.office.net/officeonline/o/s/hA3DA932CBFE26BE2_App_Scripts/OneNoteDS.js	0%	Virustotal		Browse
https://res-1.cdn.office.net/officeonline/o/s/hA3DA932CBFE26BE2_App_Scripts/OneNoteDS.js	0%	Avira URL Cloud	safe

Source	Detection	Scanner	Label
https://my.microsoftpersonalcontent.com	0%	URL Reputation	safe
https://mths.be/punycode	0%	URL Reputation	safe
https://mths.be/punycode	0%	URL Reputation	safe
https://attributes.engagement.office-int.com	0%	Avira URL Cloud	safe
https://attributes.engagement.officeppe.com	0%	Avira URL Cloud	safe

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Reputation
accounts.google.com	142.250.12.84	true	false	high
www.google.com	142.250.12.104	true	false	high
clients.l.google.com	172.253.126.102	true	false	high
clients2.google.com	unknown	unknown	false	high
m365cdn.nel.measure.office.net	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=109.0.5414.120&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1	false		high
https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://feross.org	chromecache_73.1.dr	false		high
https://my.microsoftpersonalcontent.com	chromecache_73.1.dr	false	URL Reputation: safe	unknown
https://feross.org/opensource	chromecache_73.1.dr	false		high
https://fa000000096.resources.office.net	chromecache_73.1.dr	false		high
https://attributes.engagement.office.com	chromecache_73.1.dr	false		high
https://mths.be/punycode	chromecache_73.1.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://support.office.com/article/7afcb4f3-4aa2-443a-9b08-125a5d692576	chromecache_73.1.dr	false		high
https://1drv.ms	chromecache_73.1.dr	false		high
https://attributes.engagement.office-int.com	chromecache_73.1.dr	false	Avira URL Cloud: safe	unknown
https://fa000000096.resources.office.net/f7024bdc-7caf-4ca8-807d-2908f09640d6/1.0.2210.23001/en-us_w	chromecache_73.1.dr	false		high
https://attributes.engagement.officeppe.com	chromecache_73.1.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.12.104	www.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
172.253.126.102	clients.l.google.com	United States	15169	GOOGLEUS	false
142.250.12.84	accounts.google.com	United States	15169	GOOGLEUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1392204
Start date and time:	2024-02-14 15:04:13 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	https://res-1.cdn.office.net/officeonline/o/s/hA3DA932CBFE26BE2_App_scriΡts/OneNoteDS.js
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	2
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean0.win@18/4@8/4
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0

Warnings

Exclude process from analysis (whitelisted): vga.dll
Excluded IPs from analysis (whitelisted): 142.250.12.94, 34.104.35.123, 23.1.33.16, 23.1.33.12, 23.1.33.15, 23.1.33.7, 23.1.33.18, 173.223.239.10, 173.223.239.9, 172.253.126.94
Excluded domains from analysis (whitelisted): edgedl.me.gvt1.com, nel.measure.office.net.edgesuite.net, e40491.dscd.akamaiedge.net, update.googleapis.com, clientservices.googleapis.com, res-1.cdn.office.net, res-1.cdn.office.net-c.edgekey.net, a1894.dscb.akamai.net, res-1.cdn.office.net-c.edgekey.net.globalredir.akadns.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Process:	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text
Category:	downloaded
Size (bytes):	226
Entropy (8bit):	5.240157682771309
Encrypted:	false
SSDEEP:	6:JiMVBdgqZj8DHgWdzRiAU2uvxV1+KcBL+GQexRqRIHr/mXg6n:MMHdVBMHgWdzR05+hL5Vr6w6
MD5:	1DB25BC0F11483604833E0C70082BBD0
SHA1:	39E68CFD1478C82BB1E5A46D4152729BD43E704D
SHA-256:	B574E81A1680772F80B87C81A0D1829FE0AF1CB03E784EC5741DB80579BDA94D
SHA-512:	6192BC88048541AE88D253F019C64A3A98EE5A9967FB84406D18F3558459F613DA8486A95798ECF59510FE3A6D189658CCC4523734B6AF434AD7126808E69077
Malicious:	false
Reputation:	low
URL:	https://res-1.cdn.office.net/favicon.ico
Preview:	.<?xml version="1.0" encoding="utf-8"?><Error><Code>OutOfRangeInput</Code><Message>One of the request inputs is out of range..RequestId:016c9d17-b01e-0059-1a4e-5f4d42000000.Time:2024-02-14T14:05:08.5105047Z</Message></Error>

Chrome Cache Entry: 73

Download File

Process:	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (582)
Category:	downloaded
Size (bytes):	4967148
Entropy (8bit):	5.689484470445794
Encrypted:	false
SSDEEP:	49152:syh0pOLKbaoQWJVTEPkXgw1iuKPr52l1G3EFI8k2erl3csFnjQuY3y0tTskUf5zs:ZnshkBbAA/AWObB
MD5:	647B16C17F10C2D53F5001A30DBE1B4A
SHA1:	9D24D1CF506C164640F7D2E726A43233421AFEA9
SHA-256:	A3DA932CBFE26BE25B1AC114AA3349E176C05B53333268C297A258F6A9A905BD
SHA-512:	679775A9525128126638E99479C75E4CD0168A41CF361D628D559E8E38C2E4F90C4503C1741943C2D39CCC3E28FEA96C925D0AB9CAD7732BAF6D5B210DC791E8
Malicious:	false
Reputation:	low
URL:	https://res-1.cdn.office.net/officeonline/o/s/hA3DA932CBFE26BE2_App_Scripts/OneNoteDS.js
Preview:	/. The buffer module from node.js, for the browser... @author Feross Aboukhadijeh <https://feross.org>. @license MIT. ieee754. BSD-3-Clause License. Feross Aboukhadijeh <https://feross.org/opensource> https://mths.be/punycode v1.4.1 by @mathias Copyright (c) Microsoft Corporation and contributors. All rights reserved.. Licensed under the MIT License.. ************************************ !\. ! ./lib/generated/qosWac.gen.js !. \********************************* exports provided: QosPillarName exports used: QosPillarName ******************** !\. ! ./lib/index.js !. \******************** all exports used ./generated/qosWac.gen */.'use strict';function Xk(Ha){var ab=0;return function(){return ab<Ha.length?{done:!1,value:Ha[ab++]}:{done:!0}}}var qE="function"==typeof Object.defineProperties?Object.defineProperty:function(Ha,ab,V){if(Ha==Array.prototype\|\|Ha==Object.prototype)return Ha;Ha[ab]=V.value;return Ha};.function rE(Ha){Ha=["object"==typeof gl

Total Packets: 60
• 443 (HTTPS)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 14, 2024 15:05:02.342386961 CET	49161	443	192.168.2.22	142.250.12.84
Feb 14, 2024 15:05:02.342413902 CET	443	49161	142.250.12.84	192.168.2.22
Feb 14, 2024 15:05:02.342572927 CET	49161	443	192.168.2.22	142.250.12.84
Feb 14, 2024 15:05:02.347393036 CET	49162	443	192.168.2.22	172.253.126.102
Feb 14, 2024 15:05:02.347429991 CET	443	49162	172.253.126.102	192.168.2.22
Feb 14, 2024 15:05:02.347709894 CET	49162	443	192.168.2.22	172.253.126.102
Feb 14, 2024 15:05:02.355067968 CET	49163	443	192.168.2.22	172.253.126.102
Feb 14, 2024 15:05:02.355094910 CET	443	49163	172.253.126.102	192.168.2.22
Feb 14, 2024 15:05:02.355149984 CET	49163	443	192.168.2.22	172.253.126.102
Feb 14, 2024 15:05:02.355468035 CET	49161	443	192.168.2.22	142.250.12.84
Feb 14, 2024 15:05:02.355488062 CET	443	49161	142.250.12.84	192.168.2.22
Feb 14, 2024 15:05:02.355811119 CET	49162	443	192.168.2.22	172.253.126.102
Feb 14, 2024 15:05:02.355829000 CET	443	49162	172.253.126.102	192.168.2.22
Feb 14, 2024 15:05:02.356488943 CET	49163	443	192.168.2.22	172.253.126.102
Feb 14, 2024 15:05:02.356503963 CET	443	49163	172.253.126.102	192.168.2.22
Feb 14, 2024 15:05:02.578435898 CET	443	49161	142.250.12.84	192.168.2.22
Feb 14, 2024 15:05:02.578849077 CET	49161	443	192.168.2.22	142.250.12.84
Feb 14, 2024 15:05:02.578864098 CET	443	49161	142.250.12.84	192.168.2.22
Feb 14, 2024 15:05:02.581825018 CET	443	49161	142.250.12.84	192.168.2.22
Feb 14, 2024 15:05:02.581907988 CET	49161	443	192.168.2.22	142.250.12.84
Feb 14, 2024 15:05:02.583754063 CET	49161	443	192.168.2.22	142.250.12.84
Feb 14, 2024 15:05:02.583998919 CET	49161	443	192.168.2.22	142.250.12.84
Feb 14, 2024 15:05:02.584005117 CET	443	49161	142.250.12.84	192.168.2.22
Feb 14, 2024 15:05:02.584398031 CET	443	49161	142.250.12.84	192.168.2.22
Feb 14, 2024 15:05:02.590044022 CET	443	49163	172.253.126.102	192.168.2.22
Feb 14, 2024 15:05:02.590647936 CET	49163	443	192.168.2.22	172.253.126.102
Feb 14, 2024 15:05:02.590676069 CET	443	49163	172.253.126.102	192.168.2.22
Feb 14, 2024 15:05:02.591326952 CET	443	49163	172.253.126.102	192.168.2.22
Feb 14, 2024 15:05:02.591401100 CET	49163	443	192.168.2.22	172.253.126.102
Feb 14, 2024 15:05:02.592080116 CET	443	49163	172.253.126.102	192.168.2.22
Feb 14, 2024 15:05:02.592147112 CET	49163	443	192.168.2.22	172.253.126.102
Feb 14, 2024 15:05:02.593015909 CET	443	49162	172.253.126.102	192.168.2.22
Feb 14, 2024 15:05:02.593291998 CET	49162	443	192.168.2.22	172.253.126.102
Feb 14, 2024 15:05:02.593302965 CET	443	49162	172.253.126.102	192.168.2.22
Feb 14, 2024 15:05:02.593478918 CET	49163	443	192.168.2.22	172.253.126.102
Feb 14, 2024 15:05:02.593558073 CET	443	49163	172.253.126.102	192.168.2.22
Feb 14, 2024 15:05:02.593667984 CET	49163	443	192.168.2.22	172.253.126.102
Feb 14, 2024 15:05:02.593683958 CET	443	49163	172.253.126.102	192.168.2.22
Feb 14, 2024 15:05:02.594105959 CET	443	49162	172.253.126.102	192.168.2.22
Feb 14, 2024 15:05:02.594152927 CET	49162	443	192.168.2.22	172.253.126.102
Feb 14, 2024 15:05:02.595141888 CET	443	49162	172.253.126.102	192.168.2.22
Feb 14, 2024 15:05:02.595185041 CET	49162	443	192.168.2.22	172.253.126.102
Feb 14, 2024 15:05:02.608541012 CET	49162	443	192.168.2.22	172.253.126.102
Feb 14, 2024 15:05:02.608647108 CET	443	49162	172.253.126.102	192.168.2.22
Feb 14, 2024 15:05:02.781294107 CET	49161	443	192.168.2.22	142.250.12.84
Feb 14, 2024 15:05:02.781306028 CET	443	49161	142.250.12.84	192.168.2.22
Feb 14, 2024 15:05:02.796917915 CET	49163	443	192.168.2.22	172.253.126.102
Feb 14, 2024 15:05:02.812489986 CET	49162	443	192.168.2.22	172.253.126.102
Feb 14, 2024 15:05:02.812498093 CET	443	49162	172.253.126.102	192.168.2.22
Feb 14, 2024 15:05:02.813132048 CET	443	49163	172.253.126.102	192.168.2.22
Feb 14, 2024 15:05:02.813308001 CET	443	49163	172.253.126.102	192.168.2.22
Feb 14, 2024 15:05:02.813357115 CET	49163	443	192.168.2.22	172.253.126.102
Feb 14, 2024 15:05:02.813708067 CET	443	49161	142.250.12.84	192.168.2.22
Feb 14, 2024 15:05:02.813751936 CET	49161	443	192.168.2.22	142.250.12.84
Feb 14, 2024 15:05:02.813761950 CET	443	49161	142.250.12.84	192.168.2.22
Feb 14, 2024 15:05:02.813899994 CET	443	49161	142.250.12.84	192.168.2.22
Feb 14, 2024 15:05:02.813947916 CET	49161	443	192.168.2.22	142.250.12.84
Feb 14, 2024 15:05:02.814594984 CET	49163	443	192.168.2.22	172.253.126.102
Feb 14, 2024 15:05:02.814631939 CET	443	49163	172.253.126.102	192.168.2.22
Feb 14, 2024 15:05:02.814825058 CET	49161	443	192.168.2.22	142.250.12.84
Feb 14, 2024 15:05:02.814837933 CET	443	49161	142.250.12.84	192.168.2.22
Feb 14, 2024 15:05:03.011307001 CET	49162	443	192.168.2.22	172.253.126.102
Feb 14, 2024 15:05:07.622461081 CET	49167	443	192.168.2.22	142.250.12.104
Feb 14, 2024 15:05:07.622507095 CET	443	49167	142.250.12.104	192.168.2.22
Feb 14, 2024 15:05:07.622778893 CET	49167	443	192.168.2.22	142.250.12.104
Feb 14, 2024 15:05:07.624021053 CET	49167	443	192.168.2.22	142.250.12.104
Feb 14, 2024 15:05:07.624032021 CET	443	49167	142.250.12.104	192.168.2.22
Feb 14, 2024 15:05:07.845031023 CET	443	49167	142.250.12.104	192.168.2.22
Feb 14, 2024 15:05:08.053900957 CET	443	49167	142.250.12.104	192.168.2.22
Feb 14, 2024 15:05:08.054033995 CET	49167	443	192.168.2.22	142.250.12.104
Feb 14, 2024 15:05:08.202714920 CET	49167	443	192.168.2.22	142.250.12.104
Feb 14, 2024 15:05:08.202745914 CET	443	49167	142.250.12.104	192.168.2.22
Feb 14, 2024 15:05:08.204039097 CET	443	49167	142.250.12.104	192.168.2.22
Feb 14, 2024 15:05:08.204421043 CET	49167	443	192.168.2.22	142.250.12.104
Feb 14, 2024 15:05:08.242461920 CET	49167	443	192.168.2.22	142.250.12.104
Feb 14, 2024 15:05:08.242651939 CET	443	49167	142.250.12.104	192.168.2.22
Feb 14, 2024 15:05:08.449939013 CET	443	49167	142.250.12.104	192.168.2.22
Feb 14, 2024 15:05:08.450027943 CET	49167	443	192.168.2.22	142.250.12.104
Feb 14, 2024 15:05:17.889816046 CET	443	49167	142.250.12.104	192.168.2.22
Feb 14, 2024 15:05:17.889879942 CET	443	49167	142.250.12.104	192.168.2.22
Feb 14, 2024 15:05:17.890021086 CET	49167	443	192.168.2.22	142.250.12.104
Feb 14, 2024 15:05:23.386208057 CET	49167	443	192.168.2.22	142.250.12.104
Feb 14, 2024 15:05:23.386234999 CET	443	49167	142.250.12.104	192.168.2.22
Feb 14, 2024 15:05:47.864295959 CET	49162	443	192.168.2.22	172.253.126.102
Feb 14, 2024 15:05:47.864308119 CET	443	49162	172.253.126.102	192.168.2.22
Feb 14, 2024 15:06:04.444571018 CET	49162	443	192.168.2.22	172.253.126.102
Feb 14, 2024 15:06:04.444704056 CET	443	49162	172.253.126.102	192.168.2.22
Feb 14, 2024 15:06:04.444757938 CET	49162	443	192.168.2.22	172.253.126.102
Feb 14, 2024 15:06:11.422415972 CET	49172	443	192.168.2.22	142.250.12.104
Feb 14, 2024 15:06:11.422456980 CET	443	49172	142.250.12.104	192.168.2.22
Feb 14, 2024 15:06:11.422517061 CET	49172	443	192.168.2.22	142.250.12.104
Feb 14, 2024 15:06:11.423470974 CET	49172	443	192.168.2.22	142.250.12.104
Feb 14, 2024 15:06:11.423486948 CET	443	49172	142.250.12.104	192.168.2.22
Feb 14, 2024 15:06:11.640881062 CET	443	49172	142.250.12.104	192.168.2.22
Feb 14, 2024 15:06:11.641416073 CET	49172	443	192.168.2.22	142.250.12.104
Feb 14, 2024 15:06:11.641442060 CET	443	49172	142.250.12.104	192.168.2.22
Feb 14, 2024 15:06:11.641817093 CET	443	49172	142.250.12.104	192.168.2.22
Feb 14, 2024 15:06:11.643589020 CET	49172	443	192.168.2.22	142.250.12.104
Feb 14, 2024 15:06:11.643677950 CET	443	49172	142.250.12.104	192.168.2.22
Feb 14, 2024 15:06:11.849925041 CET	443	49172	142.250.12.104	192.168.2.22
Feb 14, 2024 15:06:11.850055933 CET	49172	443	192.168.2.22	142.250.12.104
Feb 14, 2024 15:06:21.720112085 CET	443	49172	142.250.12.104	192.168.2.22
Feb 14, 2024 15:06:21.720199108 CET	443	49172	142.250.12.104	192.168.2.22
Feb 14, 2024 15:06:21.720449924 CET	49172	443	192.168.2.22	142.250.12.104
Feb 14, 2024 15:06:22.448398113 CET	49172	443	192.168.2.22	142.250.12.104
Feb 14, 2024 15:06:22.448458910 CET	443	49172	142.250.12.104	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 14, 2024 15:05:02.004164934 CET	54719	53	192.168.2.22	8.8.8.8
Feb 14, 2024 15:05:02.007040024 CET	49881	53	192.168.2.22	8.8.8.8
Feb 14, 2024 15:05:02.009903908 CET	54998	53	192.168.2.22	8.8.8.8
Feb 14, 2024 15:05:02.017090082 CET	53	54821	8.8.8.8	192.168.2.22
Feb 14, 2024 15:05:02.017456055 CET	52781	53	192.168.2.22	8.8.8.8
Feb 14, 2024 15:05:02.107657909 CET	53	54719	8.8.8.8	192.168.2.22
Feb 14, 2024 15:05:02.110805988 CET	53	49881	8.8.8.8	192.168.2.22
Feb 14, 2024 15:05:02.113924026 CET	53	54998	8.8.8.8	192.168.2.22
Feb 14, 2024 15:05:02.121704102 CET	53	52781	8.8.8.8	192.168.2.22
Feb 14, 2024 15:05:03.195060015 CET	53	62672	8.8.8.8	192.168.2.22
Feb 14, 2024 15:05:07.222973108 CET	58095	53	192.168.2.22	8.8.8.8
Feb 14, 2024 15:05:07.256589890 CET	54261	53	192.168.2.22	8.8.8.8
Feb 14, 2024 15:05:07.329787970 CET	53	58095	8.8.8.8	192.168.2.22
Feb 14, 2024 15:05:07.358967066 CET	53	54261	8.8.8.8	192.168.2.22
Feb 14, 2024 15:05:08.594166994 CET	50446	53	192.168.2.22	8.8.8.8
Feb 14, 2024 15:05:08.594521046 CET	55939	53	192.168.2.22	8.8.8.8
Feb 14, 2024 15:05:23.420074940 CET	53	52074	8.8.8.8	192.168.2.22
Feb 14, 2024 15:05:41.580450058 CET	53	53406	8.8.8.8	192.168.2.22
Feb 14, 2024 15:05:52.001754045 CET	53	49750	8.8.8.8	192.168.2.22
Feb 14, 2024 15:06:01.814981937 CET	53	49690	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 14, 2024 15:05:02.004164934 CET	192.168.2.22	8.8.8.8	0xd986	Standard query (0)	accounts.google.com	A (IP address)	IN (0x0001)	false
Feb 14, 2024 15:05:02.007040024 CET	192.168.2.22	8.8.8.8	0xc684	Standard query (0)	accounts.google.com	65	IN (0x0001)	false
Feb 14, 2024 15:05:02.009903908 CET	192.168.2.22	8.8.8.8	0x3554	Standard query (0)	clients2.google.com	A (IP address)	IN (0x0001)	false
Feb 14, 2024 15:05:02.017456055 CET	192.168.2.22	8.8.8.8	0xe3f3	Standard query (0)	clients2.google.com	65	IN (0x0001)	false
Feb 14, 2024 15:05:07.222973108 CET	192.168.2.22	8.8.8.8	0xddd4	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Feb 14, 2024 15:05:07.256589890 CET	192.168.2.22	8.8.8.8	0x58ef	Standard query (0)	www.google.com	65	IN (0x0001)	false
Feb 14, 2024 15:05:08.594166994 CET	192.168.2.22	8.8.8.8	0x22be	Standard query (0)	m365cdn.nel.measure.office.net	A (IP address)	IN (0x0001)	false
Feb 14, 2024 15:05:08.594521046 CET	192.168.2.22	8.8.8.8	0x6a18	Standard query (0)	m365cdn.nel.measure.office.net	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Feb 14, 2024 15:05:02.107657909 CET	8.8.8.8	192.168.2.22	0xd986	No error (0)	accounts.google.com		142.250.12.84	A (IP address)	IN (0x0001)	false
Feb 14, 2024 15:05:02.113924026 CET	8.8.8.8	192.168.2.22	0x3554	No error (0)	clients2.google.com	clients.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Feb 14, 2024 15:05:02.113924026 CET	8.8.8.8	192.168.2.22	0x3554	No error (0)	clients.l.google.com		172.253.126.102	A (IP address)	IN (0x0001)	false
Feb 14, 2024 15:05:02.113924026 CET	8.8.8.8	192.168.2.22	0x3554	No error (0)	clients.l.google.com		172.253.126.113	A (IP address)	IN (0x0001)	false
Feb 14, 2024 15:05:02.113924026 CET	8.8.8.8	192.168.2.22	0x3554	No error (0)	clients.l.google.com		172.253.126.138	A (IP address)	IN (0x0001)	false
Feb 14, 2024 15:05:02.113924026 CET	8.8.8.8	192.168.2.22	0x3554	No error (0)	clients.l.google.com		172.253.126.100	A (IP address)	IN (0x0001)	false
Feb 14, 2024 15:05:02.113924026 CET	8.8.8.8	192.168.2.22	0x3554	No error (0)	clients.l.google.com		172.253.126.101	A (IP address)	IN (0x0001)	false
Feb 14, 2024 15:05:02.113924026 CET	8.8.8.8	192.168.2.22	0x3554	No error (0)	clients.l.google.com		172.253.126.139	A (IP address)	IN (0x0001)	false
Feb 14, 2024 15:05:02.121704102 CET	8.8.8.8	192.168.2.22	0xe3f3	No error (0)	clients2.google.com	clients.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Feb 14, 2024 15:05:07.329787970 CET	8.8.8.8	192.168.2.22	0xddd4	No error (0)	www.google.com		142.250.12.104	A (IP address)	IN (0x0001)	false
Feb 14, 2024 15:05:07.329787970 CET	8.8.8.8	192.168.2.22	0xddd4	No error (0)	www.google.com		142.250.12.106	A (IP address)	IN (0x0001)	false
Feb 14, 2024 15:05:07.329787970 CET	8.8.8.8	192.168.2.22	0xddd4	No error (0)	www.google.com		142.250.12.147	A (IP address)	IN (0x0001)	false
Feb 14, 2024 15:05:07.329787970 CET	8.8.8.8	192.168.2.22	0xddd4	No error (0)	www.google.com		142.250.12.99	A (IP address)	IN (0x0001)	false
Feb 14, 2024 15:05:07.329787970 CET	8.8.8.8	192.168.2.22	0xddd4	No error (0)	www.google.com		142.250.12.103	A (IP address)	IN (0x0001)	false
Feb 14, 2024 15:05:07.329787970 CET	8.8.8.8	192.168.2.22	0xddd4	No error (0)	www.google.com		142.250.12.105	A (IP address)	IN (0x0001)	false
Feb 14, 2024 15:05:07.358967066 CET	8.8.8.8	192.168.2.22	0x58ef	No error (0)	www.google.com			65	IN (0x0001)	false
Feb 14, 2024 15:05:08.698159933 CET	8.8.8.8	192.168.2.22	0x6a18	No error (0)	m365cdn.nel.measure.office.net	nel.measure.office.net.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Feb 14, 2024 15:05:08.698295116 CET	8.8.8.8	192.168.2.22	0x22be	No error (0)	m365cdn.nel.measure.office.net	nel.measure.office.net.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false

HTTP Request Dependency Graph

accounts.google.com

clients2.google.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49161	142.250.12.84	443	2036	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-02-14 14:05:02 UTC	785	OUT	POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1 Host: accounts.google.com Connection: keep-alive Content-Length: 1 Origin: https://www.google.com Content-Type: application/x-www-form-urlencoded Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: CONSENT=PENDING+962; SOCS=CAESHAgCEhJnd3NfMjAyMzA4MDEtMF9SQzMaAmVuIAEaBgiAi8amBg; __Secure-ENID=14.SE=LM-NkPAvbCtuNhK73uRS1U27fKMegq7R6_Ue_GnOGI1dekNKandC6Dto1fKS9ocnnyUmf2MAXGM269U9HhkgndYLxWy3FrZaGzh_yODdv1ouU12fBCNmRhMUwM3dzKbRlYRnbKhIQz9fV5WGdCRRjXQx5RGii6FbIw100Hc46oWQ6bysmy2hqA
2024-02-14 14:05:02 UTC	1	OUT	Data Raw: 20 Data Ascii:
2024-02-14 14:05:02 UTC	1799	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Access-Control-Allow-Origin: https://www.google.com Access-Control-Allow-Credentials: true X-Content-Type-Options: nosniff Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Wed, 14 Feb 2024 14:05:02 GMT Strict-Transport-Security: max-age=31536000; includeSubDomains Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/IdentityListAccountsHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-qWQK0ebVzvIcJ-xvJVk1Tw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/IdentityListAccountsHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/IdentityListAccountsHttp/cspreport/allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factor=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin reporting-endpoints: default="/_/IdentityListAccountsHttp/web-reports?context=eJzjMtDikmII1JBiOHxtB5Meyy0mIyCe2_2UaSEQH4x7znQUiHf4eLA4pc9gDQFiIR6Ovomb17EJ3Lj06zkTALb9F_w" Server: ESF X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-02-14 14:05:02 UTC	23	IN	Data Raw: 31 31 0d 0a 5b 22 67 61 69 61 2e 6c 2e 61 2e 72 22 2c 5b 5d 5d 0d 0a Data Ascii: 11["gaia.l.a.r",[]]
2024-02-14 14:05:02 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.22	49163	172.253.126.102	443	2036	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-02-14 14:05:02 UTC	732	OUT	GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=109.0.5414.120&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1 Host: clients2.google.com Connection: keep-alive X-Goog-Update-Interactivity: fg X-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda X-Goog-Update-Updater: chromecrx-109.0.5414.120 Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-02-14 14:05:02 UTC	732	IN	HTTP/1.1 200 OK Content-Security-Policy: script-src 'report-sample' 'nonce-UrkuDfjiM_G7paLKJykYtA' 'unsafe-inline' 'strict-dynamic' https: http:;object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/clientupdate-aus/1 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Wed, 14 Feb 2024 14:05:02 GMT Content-Type: text/xml; charset=UTF-8 X-Daynum: 6253 X-Daystart: 21902 X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block Server: GSE Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-02-14 14:05:02 UTC	520	IN	Data Raw: 32 63 39 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 67 75 70 64 61 74 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 75 70 64 61 74 65 32 2f 72 65 73 70 6f 6e 73 65 22 20 70 72 6f 74 6f 63 6f 6c 3d 22 32 2e 30 22 20 73 65 72 76 65 72 3d 22 70 72 6f 64 22 3e 3c 64 61 79 73 74 61 72 74 20 65 6c 61 70 73 65 64 5f 64 61 79 73 3d 22 36 32 35 33 22 20 65 6c 61 70 73 65 64 5f 73 65 63 6f 6e 64 73 3d 22 32 31 39 30 32 22 2f 3e 3c 61 70 70 20 61 70 70 69 64 3d 22 6e 6d 6d 68 6b 6b 65 67 63 63 61 67 64 6c 64 67 69 69 6d 65 64 70 69 63 63 6d 67 6d 69 65 64 61 22 20 63 6f 68 6f 72 74 3d 22 31 3a 3a 22 20 63 6f 68 6f 72 74 6e 61 6d 65 3d 22 22 Data Ascii: 2c9<?xml version="1.0" encoding="UTF-8"?><gupdate xmlns="http://www.google.com/update2/response" protocol="2.0" server="prod"><daystart elapsed_days="6253" elapsed_seconds="21902"/><app appid="nmmhkkegccagdldgiimedpiccmgmieda" cohort="1::" cohortname=""
2024-02-14 14:05:02 UTC	200	IN	Data Raw: 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 68 61 73 68 5f 73 68 61 32 35 36 3d 22 38 31 65 33 61 34 64 34 33 61 37 33 36 39 39 65 31 62 37 37 38 31 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 70 72 6f 74 65 63 74 65 64 3d 22 30 22 20 73 69 7a 65 3d 22 32 34 38 35 33 31 22 20 73 74 61 74 75 73 3d 22 6f 6b 22 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 2e 30 2e 36 22 2f 3e 3c 2f 61 70 70 3e 3c 2f 67 75 70 64 61 74 65 3e 0d 0a Data Ascii: 723f56b8717175c536685c5450122b30789464ad82" hash_sha256="81e3a4d43a73699e1b7781723f56b8717175c536685c5450122b30789464ad82" protected="0" size="248531" status="ok" version="1.0.0.6"/></app></gupdate>
2024-02-14 14:05:02 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Statistics

CPU Usage

• chrome.exe
• chrome.exe
• chrome.exe

Click to jump to process

Memory Usage

• chrome.exe
• chrome.exe
• chrome.exe

Click to jump to process

Click to jump to process

Target ID:	0
Start time:	15:04:58
Start date:	14/02/2024
Path:	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank
Imagebase:	0x13f030000
File size:	3'151'128 bytes
MD5 hash:	FFA2B8E17F645BCC20F0E0201FEF83ED
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	15:04:59
Start date:	14/02/2024
Path:	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1488 --field-trial-handle=1208,i,4268960282646367945,8426501699898787135,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x13f030000
File size:	3'151'128 bytes
MD5 hash:	FFA2B8E17F645BCC20F0E0201FEF83ED
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	15:05:01
Start date:	14/02/2024
Path:	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" "https://res-1.cdn.office.net/officeonline/o/s/hA3DA932CBFE26BE2_App_Scripts/OneNoteDS.js
Imagebase:	0x13f030000
File size:	3'151'128 bytes
MD5 hash:	FFA2B8E17F645BCC20F0E0201FEF83ED
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://res-1.cdn.office.net/officeonline/o/s/hA3DA932CBFE26BE2_App_scriΡts/OneNoteDS.js

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Phishing

Compliance

Software Vulnerabilities

Networking

System Summary

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Chrome Cache Entry: 72

Chrome Cache Entry: 73

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: chrome.exePID: 2944, Parent PID: 2196

General

File Activities

File Opened

File Created

File Deleted

File Moved

Other File Operations

Registry Activities

Key Deleted

Key Value Deleted

Process Activities

Process Created

Windows Analysis Report
https://res-1.cdn.office.net/officeonline/o/s/hA3DA932CBFE26BE2_App_scriΡts/OneNoteDS.js