Edit tour

Windows Analysis Report
https://us-phishalarm-ewt.proofpoint.com/EWT/v1/I-gv3HeEIA!IXui9LmLmXTYW0ChV3m6g9GXkRGpJg8qmgV35mVjVu2AD89bY2MHfUevS98yZ4i8sUHWveCAqzlrDbIgBYwe6uuq$

Overview

General Information

Sample URL:	https://us-phishalarm-ewt.proofpoint.com/EWT/v1/I-gv3HeEIA!IXui9LmLmXTYW0ChV3m6g9GXkRGpJg8qmgV35mVjVu2AD89bY2MHfUevS98yZ4i8sUHWveCAqzlrDbIgBYwe6uuq$
Analysis ID:	1447154
Infos:

Detection

Score:	0
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

No high impact signatures.

Classification

Process Tree

System is w10x64

chrome.exe (PID: 4144 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 2716 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 --field-trial-handle=1568,i,8042035595341962039,8795045047212554398,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6440 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://us-phishalarm-ewt.proofpoint.com/EWT/v1/I-gv3HeEIA!IXui9LmLmXTYW0ChV3m6g9GXkRGpJg8qmgV35mVjVu2AD89bY2MHfUevS98yZ4i8sUHWveCAqzlrDbIgBYwe6uuq$" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: https://us-phishalarm-ewt.proofpoint.com/EWT/v1/I-gv3HeEIA!IXui9LmLmXTYW0ChV3m6g9GXkRGpJg8qmgV35mVjVu2AD89bY2MHfUevS98yZ4i8sUHWveCAqzlrDbIgBYwe6uuq$

HTTP Parser: No favicon

Source: unknown	HTTPS traffic detected: 2.19.244.127:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.19.244.127:443 -> 192.168.2.4:49748 version: TLS 1.2

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /EWT/v1/I-gv3HeEIA!IXui9LmLmXTYW0ChV3m6g9GXkRGpJg8qmgV35mVjVu2AD89bY2MHfUevS98yZ4i8sUHWveCAqzlrDbIgBYwe6uuq$ HTTP/1.1Host: us-phishalarm-ewt.proofpoint.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /EWT/v1/Site.css HTTP/1.1Host: us-phishalarm-ewt.proofpoint.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://us-phishalarm-ewt.proofpoint.com/EWT/v1/I-gv3HeEIA!IXui9LmLmXTYW0ChV3m6g9GXkRGpJg8qmgV35mVjVu2AD89bY2MHfUevS98yZ4i8sUHWveCAqzlrDbIgBYwe6uuq$Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /EWT/v1/Scripts/jquery-3.4.1.js HTTP/1.1Host: us-phishalarm-ewt.proofpoint.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://us-phishalarm-ewt.proofpoint.com/EWT/v1/I-gv3HeEIA!IXui9LmLmXTYW0ChV3m6g9GXkRGpJg8qmgV35mVjVu2AD89bY2MHfUevS98yZ4i8sUHWveCAqzlrDbIgBYwe6uuq$Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /EWT/v1/Scripts/error_translations.js HTTP/1.1Host: us-phishalarm-ewt.proofpoint.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://us-phishalarm-ewt.proofpoint.com/EWT/v1/I-gv3HeEIA!IXui9LmLmXTYW0ChV3m6g9GXkRGpJg8qmgV35mVjVu2AD89bY2MHfUevS98yZ4i8sUHWveCAqzlrDbIgBYwe6uuq$Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /EWT/v1/jslog.js HTTP/1.1Host: us-phishalarm-ewt.proofpoint.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://us-phishalarm-ewt.proofpoint.com/EWT/v1/I-gv3HeEIA!IXui9LmLmXTYW0ChV3m6g9GXkRGpJg8qmgV35mVjVu2AD89bY2MHfUevS98yZ4i8sUHWveCAqzlrDbIgBYwe6uuq$Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /EWT/v1/images/pfpt-logo.png HTTP/1.1Host: us-phishalarm-ewt.proofpoint.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://us-phishalarm-ewt.proofpoint.com/EWT/v1/I-gv3HeEIA!IXui9LmLmXTYW0ChV3m6g9GXkRGpJg8qmgV35mVjVu2AD89bY2MHfUevS98yZ4i8sUHWveCAqzlrDbIgBYwe6uuq$Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: us-phishalarm-ewt.proofpoint.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://us-phishalarm-ewt.proofpoint.com/EWT/v1/I-gv3HeEIA!IXui9LmLmXTYW0ChV3m6g9GXkRGpJg8qmgV35mVjVu2AD89bY2MHfUevS98yZ4i8sUHWveCAqzlrDbIgBYwe6uuq$Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /EWT/v1/images/pfpt-logo.png HTTP/1.1Host: us-phishalarm-ewt.proofpoint.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com

Source: global traffic	DNS traffic detected: DNS query: us-phishalarm-ewt.proofpoint.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 24 May 2024 12:46:40 GMTContent-Length: 0Connection: closeServer: nginxX-PFPT-ApiTraceId: 9f6732da-e098-493e-b58b-772af077067a

Source: chromecache_51.2.dr, chromecache_50.2.dr	String found in binary or memory: http://www.gimp.org/xmp/
Source: chromecache_46.2.dr	String found in binary or memory: https://bugs.chromium.org/p/chromium/issues/detail?id=378607
Source: chromecache_46.2.dr	String found in binary or memory: https://bugs.chromium.org/p/chromium/issues/detail?id=449857
Source: chromecache_46.2.dr	String found in binary or memory: https://bugs.chromium.org/p/chromium/issues/detail?id=470258
Source: chromecache_46.2.dr	String found in binary or memory: https://bugs.chromium.org/p/chromium/issues/detail?id=589347
Source: chromecache_46.2.dr	String found in binary or memory: https://bugs.jquery.com/ticket/12359
Source: chromecache_46.2.dr	String found in binary or memory: https://bugs.jquery.com/ticket/13378
Source: chromecache_46.2.dr	String found in binary or memory: https://bugs.jquery.com/ticket/13393
Source: chromecache_46.2.dr	String found in binary or memory: https://bugs.jquery.com/ticket/4833
Source: chromecache_46.2.dr	String found in binary or memory: https://bugs.webkit.org/show_bug.cgi?id=136851
Source: chromecache_46.2.dr	String found in binary or memory: https://bugs.webkit.org/show_bug.cgi?id=137337
Source: chromecache_46.2.dr	String found in binary or memory: https://bugs.webkit.org/show_bug.cgi?id=29084
Source: chromecache_46.2.dr	String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=687787
Source: chromecache_46.2.dr	String found in binary or memory: https://developer.mozilla.org/en-US/docs/CSS/display
Source: chromecache_46.2.dr	String found in binary or memory: https://drafts.csswg.org/cssom/#common-serializing-idioms
Source: chromecache_46.2.dr	String found in binary or memory: https://drafts.csswg.org/cssom/#resolved-values
Source: chromecache_46.2.dr	String found in binary or memory: https://github.com/eslint/eslint/issues/3229
Source: chromecache_46.2.dr	String found in binary or memory: https://github.com/jquery/sizzle/pull/225
Source: chromecache_46.2.dr	String found in binary or memory: https://github.com/whatwg/html/issues/2369
Source: chromecache_46.2.dr	String found in binary or memory: https://html.spec.whatwg.org/#nonce-attributes
Source: chromecache_46.2.dr	String found in binary or memory: https://html.spec.whatwg.org/#strip-and-collapse-whitespace
Source: chromecache_46.2.dr	String found in binary or memory: https://html.spec.whatwg.org/multipage/forms.html#category-listed
Source: chromecache_46.2.dr	String found in binary or memory: https://html.spec.whatwg.org/multipage/forms.html#concept-fe-disabled
Source: chromecache_46.2.dr	String found in binary or memory: https://html.spec.whatwg.org/multipage/forms.html#concept-option-disabled
Source: chromecache_46.2.dr	String found in binary or memory: https://html.spec.whatwg.org/multipage/scripting.html#selector-disabled
Source: chromecache_46.2.dr	String found in binary or memory: https://html.spec.whatwg.org/multipage/scripting.html#selector-enabled
Source: chromecache_46.2.dr	String found in binary or memory: https://html.spec.whatwg.org/multipage/syntax.html#attributes-2
Source: chromecache_46.2.dr	String found in binary or memory: https://infra.spec.whatwg.org/#strip-and-collapse-ascii-whitespace
Source: chromecache_46.2.dr	String found in binary or memory: https://jquery.com/
Source: chromecache_46.2.dr	String found in binary or memory: https://jquery.org/license
Source: chromecache_46.2.dr	String found in binary or memory: https://js.foundation/
Source: chromecache_46.2.dr	String found in binary or memory: https://jsperf.com/getall-vs-sizzle/2
Source: chromecache_46.2.dr	String found in binary or memory: https://jsperf.com/thor-indexof-vs-for/5
Source: chromecache_48.2.dr	String found in binary or memory: https://localhost:44360/k8s/o365/AppRead/Home/Functions.js:25:30)
Source: chromecache_46.2.dr	String found in binary or memory: https://promisesaplus.com/#point-48
Source: chromecache_46.2.dr	String found in binary or memory: https://promisesaplus.com/#point-54
Source: chromecache_46.2.dr	String found in binary or memory: https://promisesaplus.com/#point-57
Source: chromecache_46.2.dr	String found in binary or memory: https://promisesaplus.com/#point-59
Source: chromecache_46.2.dr	String found in binary or memory: https://promisesaplus.com/#point-61
Source: chromecache_46.2.dr	String found in binary or memory: https://promisesaplus.com/#point-64
Source: chromecache_46.2.dr	String found in binary or memory: https://promisesaplus.com/#point-75
Source: chromecache_46.2.dr	String found in binary or memory: https://sizzlejs.com/
Source: chromecache_52.2.dr	String found in binary or memory: https://us-phishalarm-ewt.securityeducation.com/api/Workflow/ProcessWorkflow
Source: chromecache_46.2.dr	String found in binary or memory: https://web.archive.org/web/20100324014747/http://blindsignals.com/index.php/2009/07/jquery-delay/
Source: chromecache_46.2.dr	String found in binary or memory: https://web.archive.org/web/20141116233347/http://fluidproject.org/blog/2008/01/09/getting-setting-a

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 2.19.244.127:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.19.244.127:443 -> 192.168.2.4:49748 version: TLS 1.2

Source: classification engine

Classification label: clean0.win@16/13@6/5

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 --field-trial-handle=1568,i,8042035595341962039,8795045047212554398,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://us-phishalarm-ewt.proofpoint.com/EWT/v1/I-gv3HeEIA!IXui9LmLmXTYW0ChV3m6g9GXkRGpJg8qmgV35mVjVu2AD89bY2MHfUevS98yZ4i8sUHWveCAqzlrDbIgBYwe6uuq$"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 --field-trial-handle=1568,i,8042035595341962039,8795045047212554398,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	1 Process Injection	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	3 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	3 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
https://us-phishalarm-ewt.proofpoint.com/EWT/v1/I-gv3HeEIA!IXui9LmLmXTYW0ChV3m6g9GXkRGpJg8qmgV35mVjVu2AD89bY2MHfUevS98yZ4i8sUHWveCAqzlrDbIgBYwe6uuq$	0%	Avira URL Cloud	safe

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://bugs.webkit.org/show_bug.cgi?id=136851	0%	URL Reputation	safe
https://jsperf.com/thor-indexof-vs-for/5	0%	URL Reputation	safe
https://bugs.jquery.com/ticket/12359	0%	URL Reputation	safe
https://bugs.jquery.com/ticket/12359	0%	URL Reputation	safe
http://www.gimp.org/xmp/	0%	URL Reputation	safe
https://web.archive.org/web/20100324014747/http://blindsignals.com/index.php/2009/07/jquery-delay/	0%	URL Reputation	safe
https://html.spec.whatwg.org/#strip-and-collapse-whitespace	0%	URL Reputation	safe
https://promisesaplus.com/#point-75	0%	URL Reputation	safe
https://web.archive.org/web/20141116233347/http://fluidproject.org/blog/2008/01/09/getting-setting-a	0%	URL Reputation	safe
https://drafts.csswg.org/cssom/#common-serializing-idioms	0%	URL Reputation	safe
https://html.spec.whatwg.org/multipage/forms.html#concept-fe-disabled	0%	URL Reputation	safe
https://bugs.webkit.org/show_bug.cgi?id=29084	0%	URL Reputation	safe
https://infra.spec.whatwg.org/#strip-and-collapse-ascii-whitespace	0%	URL Reputation	safe
https://html.spec.whatwg.org/multipage/forms.html#concept-option-disabled	0%	URL Reputation	safe
https://bugs.chromium.org/p/chromium/issues/detail?id=378607	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=687787	0%	URL Reputation	safe
https://bugs.chromium.org/p/chromium/issues/detail?id=470258	0%	URL Reputation	safe
https://bugs.jquery.com/ticket/13378	0%	URL Reputation	safe
https://promisesaplus.com/#point-64	0%	URL Reputation	safe
https://promisesaplus.com/#point-61	0%	URL Reputation	safe
https://drafts.csswg.org/cssom/#resolved-values	0%	URL Reputation	safe
https://us-phishalarm-ewt.proofpoint.com/EWT/v1/Scripts/error_translations.js	0%	Avira URL Cloud	safe
https://bugs.chromium.org/p/chromium/issues/detail?id=589347	0%	URL Reputation	safe
https://html.spec.whatwg.org/#nonce-attributes	0%	URL Reputation	safe
https://html.spec.whatwg.org/multipage/syntax.html#attributes-2	0%	URL Reputation	safe
https://us-phishalarm-ewt.proofpoint.com/EWT/v1/jslog.js	0%	Avira URL Cloud	safe
https://us-phishalarm-ewt.securityeducation.com/api/Workflow/ProcessWorkflow	0%	Avira URL Cloud	safe
https://promisesaplus.com/#point-59	0%	URL Reputation	safe
https://jsperf.com/getall-vs-sizzle/2	0%	URL Reputation	safe
https://promisesaplus.com/#point-57	0%	URL Reputation	safe
https://promisesaplus.com/#point-54	0%	URL Reputation	safe
https://html.spec.whatwg.org/multipage/forms.html#category-listed	0%	URL Reputation	safe
https://html.spec.whatwg.org/multipage/scripting.html#selector-disabled	0%	URL Reputation	safe
https://localhost:44360/k8s/o365/AppRead/Home/Functions.js:25:30)	0%	Avira URL Cloud	safe
https://developer.mozilla.org/en-US/docs/CSS/display	0%	URL Reputation	safe
https://jquery.org/license	0%	URL Reputation	safe
https://jquery.com/	0%	URL Reputation	safe
https://us-phishalarm-ewt.proofpoint.com/EWT/v1/Site.css	0%	Avira URL Cloud	safe
https://us-phishalarm-ewt.proofpoint.com/EWT/v1/Scripts/jquery-3.4.1.js	0%	Avira URL Cloud	safe
https://bugs.webkit.org/show_bug.cgi?id=137337	0%	URL Reputation	safe
https://html.spec.whatwg.org/multipage/scripting.html#selector-enabled	0%	URL Reputation	safe
https://promisesaplus.com/#point-48	0%	URL Reputation	safe
https://bugs.jquery.com/ticket/4833	0%	URL Reputation	safe
https://sizzlejs.com/	0%	URL Reputation	safe
https://bugs.chromium.org/p/chromium/issues/detail?id=449857	0%	URL Reputation	safe
https://js.foundation/	0%	URL Reputation	safe
https://bugs.jquery.com/ticket/13393	0%	URL Reputation	safe
https://github.com/eslint/eslint/issues/3229	0%	Avira URL Cloud	safe
https://us-phishalarm-ewt.proofpoint.com/EWT/v1/images/pfpt-logo.png	0%	Avira URL Cloud	safe
https://us-phishalarm-ewt.securityeducation.com/api/Workflow/ProcessWorkflow	0%	Virustotal		Browse
https://us-phishalarm-ewt.proofpoint.com/EWT/v1/Scripts/error_translations.js	0%	Virustotal		Browse
https://us-phishalarm-ewt.proofpoint.com/EWT/v1/Scripts/jquery-3.4.1.js	0%	Virustotal		Browse
https://us-phishalarm-ewt.proofpoint.com/favicon.ico	0%	Avira URL Cloud	safe
https://github.com/eslint/eslint/issues/3229	0%	Virustotal		Browse
https://github.com/jquery/sizzle/pull/225	0%	Avira URL Cloud	safe
https://github.com/whatwg/html/issues/2369	0%	Avira URL Cloud	safe
https://us-phishalarm-ewt.proofpoint.com/favicon.ico	0%	Virustotal		Browse
https://github.com/jquery/sizzle/pull/225	0%	Virustotal		Browse
https://github.com/whatwg/html/issues/2369	0%	Virustotal		Browse
https://us-phishalarm-ewt.proofpoint.com/EWT/v1/Site.css	0%	Virustotal		Browse
https://us-phishalarm-ewt.proofpoint.com/EWT/v1/images/pfpt-logo.png	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
us-phishalarm-ewt.securityeducation.com	50.17.48.180	true	false	unknown
www.google.com	142.250.184.196	true	false	unknown
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false	unknown
us-phishalarm-ewt.proofpoint.com	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://us-phishalarm-ewt.proofpoint.com/EWT/v1/Scripts/error_translations.js	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://us-phishalarm-ewt.proofpoint.com/EWT/v1/jslog.js	false	Avira URL Cloud: safe	unknown
https://us-phishalarm-ewt.proofpoint.com/EWT/v1/Site.css	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://us-phishalarm-ewt.proofpoint.com/EWT/v1/Scripts/jquery-3.4.1.js	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://us-phishalarm-ewt.proofpoint.com/EWT/v1/I-gv3HeEIA!IXui9LmLmXTYW0ChV3m6g9GXkRGpJg8qmgV35mVjVu2AD89bY2MHfUevS98yZ4i8sUHWveCAqzlrDbIgBYwe6uuq$	false		unknown
https://us-phishalarm-ewt.proofpoint.com/EWT/v1/images/pfpt-logo.png	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://us-phishalarm-ewt.proofpoint.com/favicon.ico	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://bugs.webkit.org/show_bug.cgi?id=136851	chromecache_46.2.dr	false	URL Reputation: safe	unknown
https://jsperf.com/thor-indexof-vs-for/5	chromecache_46.2.dr	false	URL Reputation: safe	unknown
https://bugs.jquery.com/ticket/12359	chromecache_46.2.dr	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.gimp.org/xmp/	chromecache_51.2.dr, chromecache_50.2.dr	false	URL Reputation: safe	unknown
https://web.archive.org/web/20100324014747/http://blindsignals.com/index.php/2009/07/jquery-delay/	chromecache_46.2.dr	false	URL Reputation: safe	unknown
https://html.spec.whatwg.org/#strip-and-collapse-whitespace	chromecache_46.2.dr	false	URL Reputation: safe	unknown
https://us-phishalarm-ewt.securityeducation.com/api/Workflow/ProcessWorkflow	chromecache_52.2.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://promisesaplus.com/#point-75	chromecache_46.2.dr	false	URL Reputation: safe	unknown
https://web.archive.org/web/20141116233347/http://fluidproject.org/blog/2008/01/09/getting-setting-a	chromecache_46.2.dr	false	URL Reputation: safe	unknown
https://drafts.csswg.org/cssom/#common-serializing-idioms	chromecache_46.2.dr	false	URL Reputation: safe	unknown
https://html.spec.whatwg.org/multipage/forms.html#concept-fe-disabled	chromecache_46.2.dr	false	URL Reputation: safe	unknown
https://bugs.webkit.org/show_bug.cgi?id=29084	chromecache_46.2.dr	false	URL Reputation: safe	unknown
https://infra.spec.whatwg.org/#strip-and-collapse-ascii-whitespace	chromecache_46.2.dr	false	URL Reputation: safe	unknown
https://localhost:44360/k8s/o365/AppRead/Home/Functions.js:25:30)	chromecache_48.2.dr	false	Avira URL Cloud: safe	unknown
https://html.spec.whatwg.org/multipage/forms.html#concept-option-disabled	chromecache_46.2.dr	false	URL Reputation: safe	unknown
https://bugs.chromium.org/p/chromium/issues/detail?id=378607	chromecache_46.2.dr	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=687787	chromecache_46.2.dr	false	URL Reputation: safe	unknown
https://bugs.chromium.org/p/chromium/issues/detail?id=470258	chromecache_46.2.dr	false	URL Reputation: safe	unknown
https://bugs.jquery.com/ticket/13378	chromecache_46.2.dr	false	URL Reputation: safe	unknown
https://promisesaplus.com/#point-64	chromecache_46.2.dr	false	URL Reputation: safe	unknown
https://promisesaplus.com/#point-61	chromecache_46.2.dr	false	URL Reputation: safe	unknown
https://drafts.csswg.org/cssom/#resolved-values	chromecache_46.2.dr	false	URL Reputation: safe	unknown
https://bugs.chromium.org/p/chromium/issues/detail?id=589347	chromecache_46.2.dr	false	URL Reputation: safe	unknown
https://html.spec.whatwg.org/#nonce-attributes	chromecache_46.2.dr	false	URL Reputation: safe	unknown
https://html.spec.whatwg.org/multipage/syntax.html#attributes-2	chromecache_46.2.dr	false	URL Reputation: safe	unknown
https://promisesaplus.com/#point-59	chromecache_46.2.dr	false	URL Reputation: safe	unknown
https://jsperf.com/getall-vs-sizzle/2	chromecache_46.2.dr	false	URL Reputation: safe	unknown
https://promisesaplus.com/#point-57	chromecache_46.2.dr	false	URL Reputation: safe	unknown
https://github.com/eslint/eslint/issues/3229	chromecache_46.2.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://promisesaplus.com/#point-54	chromecache_46.2.dr	false	URL Reputation: safe	unknown
https://html.spec.whatwg.org/multipage/forms.html#category-listed	chromecache_46.2.dr	false	URL Reputation: safe	unknown
https://html.spec.whatwg.org/multipage/scripting.html#selector-disabled	chromecache_46.2.dr	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/CSS/display	chromecache_46.2.dr	false	URL Reputation: safe	unknown
https://jquery.org/license	chromecache_46.2.dr	false	URL Reputation: safe	unknown
https://jquery.com/	chromecache_46.2.dr	false	URL Reputation: safe	unknown
https://bugs.webkit.org/show_bug.cgi?id=137337	chromecache_46.2.dr	false	URL Reputation: safe	unknown
https://html.spec.whatwg.org/multipage/scripting.html#selector-enabled	chromecache_46.2.dr	false	URL Reputation: safe	unknown
https://promisesaplus.com/#point-48	chromecache_46.2.dr	false	URL Reputation: safe	unknown
https://github.com/jquery/sizzle/pull/225	chromecache_46.2.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://bugs.jquery.com/ticket/4833	chromecache_46.2.dr	false	URL Reputation: safe	unknown
https://github.com/whatwg/html/issues/2369	chromecache_46.2.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://sizzlejs.com/	chromecache_46.2.dr	false	URL Reputation: safe	unknown
https://bugs.chromium.org/p/chromium/issues/detail?id=449857	chromecache_46.2.dr	false	URL Reputation: safe	unknown
https://js.foundation/	chromecache_46.2.dr	false	URL Reputation: safe	unknown
https://bugs.jquery.com/ticket/13393	chromecache_46.2.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.184.196	www.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
52.1.130.164	unknown	United States	14618	AMAZON-AESUS	false
50.17.48.180	us-phishalarm-ewt.securityeducation.com	United States	14618	AMAZON-AESUS	false

Private

IP
192.168.2.4

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1447154
Start date and time:	2024-05-24 14:45:30 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	https://us-phishalarm-ewt.proofpoint.com/EWT/v1/I-gv3HeEIA!IXui9LmLmXTYW0ChV3m6g9GXkRGpJg8qmgV35mVjVu2AD89bY2MHfUevS98yZ4i8sUHWveCAqzlrDbIgBYwe6uuq$
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean0.win@16/13@6/5
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.185.99, 142.250.184.206, 142.250.110.84, 34.104.35.123, 40.127.169.103, 93.184.221.240, 13.95.31.18, 192.229.221.95, 20.3.187.198, 142.250.186.131
Excluded domains from analysis (whitelisted): fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, clientservices.googleapis.com, ctldl.windowsupdate.com, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, clients2.google.com, edgedl.me.gvt1.com, ocsp.digicert.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, glb.cws.prod.dcat.dsp.trafficmanager.net, ocsp.edge.digicert.com, sls.update.microsoft.com, hlb.apr-52dd2-0.edgecastdns.net, update.googleapis.com, clients.l.google.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

Chrome Cache Entry: 46

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	278263
Entropy (8bit):	5.066072968014419
Encrypted:	false
SSDEEP:	6144:V0Hh4V/Y+TCtlIhTze/RZcYmDvzK8m/7EtPx+WI+Y7cFys/CL/+uQxN0IPfKuGA7:atZcYmDhOgPx+WI+Y7cFycuq1PfQAv5t
MD5:	1BA1DA82F856A8AA3A70094C4B2A422D
SHA1:	2A317158FE86666A5FBE648F8306664500EF1AD4
SHA-256:	473D8B7B423BBF82EC960FACF3E4E8F739DBE9BD6E88008D89FE580E06EC61E8
SHA-512:	2AA77F283DB88C874606BBC1D83EE7DB326189030CC641EF84BF05E0420A09636811C22A0DBA08F86DEDC99F7425651BE0B3F7AA23C011827643935498D80319
Malicious:	false
Reputation:	low
URL:	https://us-phishalarm-ewt.proofpoint.com/EWT/v1/Scripts/jquery-3.4.1.js
Preview:	/!. jQuery JavaScript Library v3.4.1. * https://jquery.com/. . Includes Sizzle.js. * https://sizzlejs.com/. . Copyright JS Foundation and other contributors. * Released under the MIT license. * https://jquery.org/license. . Date: 2019-05-01T21:04Z. */.( function( global, factory ) {..."use strict";...if ( typeof module === "object" && typeof module.exports === "object" ) {....// For CommonJS and CommonJS-like environments where a proper `window`...// is present, execute the factory and get jQuery....// For environments that do not have a `window` with a `document`...// (such as Node.js), expose a factory as module.exports....// This accentuates the need for the creation of a real `window`....// e.g. var jQuery = require("jquery")(window);...// See ticket #14549 for more info....module.exports = global.document ?....factory( global, true ) :....function( w ) {.....if ( !w.document ) {......throw new Error( "jQuery requires a window with a document" );.....}.....return factor

Chrome Cache Entry: 47

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Unicode text, UTF-8 (with BOM) text
Category:	downloaded
Size (bytes):	2151
Entropy (8bit):	4.714222479262894
Encrypted:	false
SSDEEP:	48:TWgzXlMOSgoF4YYWX/S+ABva0jegyLNe/b5blv7ecqtemzpkt6dTBbTicc:iom3tYUS+SkLNe/b5blv7ec2eftKdW
MD5:	9724AD701E4A828E373ADC093EA72EF9
SHA1:	1B69EE27C3BF69DD6814757F57FCC384A9CE7088
SHA-256:	1D446AE0815B2F7C85FBB778428F4309F34D9C824AB0374BBF18B6D3CA7DAAEC
SHA-512:	623458D620688C9239F062967F86BC1BD81482278B1550FC433986A3FA7570F348F4A18737FEACEC5BA0C1AABD26AB3CE163DBA1C1886877156604592A9D3273
Malicious:	false
Reputation:	low
URL:	https://us-phishalarm-ewt.proofpoint.com/EWT/v1/Site.css
Preview:	..pfpt-pha-ewt-banner {. width: 100%;. background-color: #0277db;. color: white;. height: 38px;. position: relative;.}...pfpt-logo {. width: 12%;. float: left;. height: 36px;. min-width: 187px;.}...divider {. height: 28px;. border-left: 1px solid white;. padding: 0px 5px;. width: 1%;. float: left;. position: absolute;. top: 15%;..}...pha-banner {. height: 38px;. float: left;. font-family: Arial, Helvetica, sans-serif;. font-size: larger;. line-height: 38px;. padding-left: 5px;.}...pha-ewt-main-body {. width: 100%;.}...confirm-prompt, .decrypt-notice {. position: absolute;. left: 50%;. top: 50%;. -webkit-transform: translate(-50%, -50%);. transform: translate(-50%, -50%);. font-family: Arial, Helvetica, sans-serif;.}...ewt-confirm-text {. font-family: Arial, Helvetica, sans-serif;. font-size: large;. padding-bottom: 10px;.}...spacer {. height: 10px;.}...ewt-response {. font-family: Ar

Chrome Cache Entry: 48

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with CRLF line terminators
Category:	downloaded
Size (bytes):	4733
Entropy (8bit):	4.296217536182897
Encrypted:	false
SSDEEP:	48:keCjGbvGbXbDxXBnwN8SwKihE2AM1bnecEZbfZSXhGWoalEJP4Sf:GvbDxx4ihE21bnRobhwoSEJPr
MD5:	04EAAF189D358A593AC21DEB73110177
SHA1:	B9F3AA1C9CADED4E671A5D61BA9D23FAC78AA1CB
SHA-256:	DF89E8FDD0A34376668408627CA76F301C3C953B7313DF09B087FB44B0C305FE
SHA-512:	226BB89BF00C5BADE0CCF218A835A0E7A87D62D01CD4B0BED151C8C252A0C5335508F11D1C549B5059C88C693C86033F602F997F2290448712555CB0A2F40318
Malicious:	false
Reputation:	low
URL:	https://us-phishalarm-ewt.proofpoint.com/EWT/v1/jslog.js
Preview:	!(function scriptInit (window) {.. var customProps = {}, _url = '/js', _headers = {};.. function report(message, ex, severity) {.. try {.. var msg = typeof message === 'string' ? message : typeof ex === 'message' ? ex : '';.. var error = ex instanceof Error ? ex : message instanceof Error ? message : null;.. var lineNumber = 0, callerFile = '', callerFunction = '', payload = {}, errorTypeName = error ? error.name : null;.. if (error) {.. severity = 'error';.. }.. if (error && !msg) {.. msg = error.message;.. }.. if (!error) {.. error = new Error(); // for getting the stack trace.. }.... // attempt to find the originating local code first (for reporting the offending method/line number), if this ultimately stems from our own code.. // else, just use the first file to appear in the stack trace.. var s

Chrome Cache Entry: 49

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Unicode text, UTF-8 (with BOM) text
Category:	downloaded
Size (bytes):	84638
Entropy (8bit):	5.8846252380152055
Encrypted:	false
SSDEEP:	768:MnLIX6QyOmaS3Z1l2n67IMzbZwaFDDpucviP+ZJot9wY+9ZRP2GPS9erCfbr5qGA:MnrQDUrzKiD7JJB4GPrAA/2i
MD5:	522648A8F33747EF0DC3C4D7B5359B2C
SHA1:	348417A05D38AD3DE3AFF720A4AADA3431AF0B8A
SHA-256:	A06CAF9ACDCE8AF6B9239C37C313793002AC6D475E78796E75EB4BDB3DCB5DFF
SHA-512:	1E99EF61759D74B679E3ADFF7530EE7BC99CFB88B1601E877E0B9998067E764EAA5336C74FCFA3FD7CC00031BD787E76DFDCBDD7C5EF13A61E97E122A22683CE
Malicious:	false
Reputation:	low
URL:	https://us-phishalarm-ewt.proofpoint.com/EWT/v1/Scripts/error_translations.js
Preview:	.const ErrorCodes = {. 0: "DEFAULT",. 1: "NO_CREDENTIALS",. 2: "NO_HEADERS",. 3: "INVALID_CREDENTIALS",. 4: "INVALID_REGISTRATION",. 5: "NO_EMAIL",. // 6-7 are for future expansion. 8: "CACHED_EMAIL_GONE",. 9: "DL_ERROR",. 10: "NON_EXISTENT_MAILBOX".};..const InfoCodes = {. 0: "EMAIL_RETRIEVE",. 1: "WORKING",. 2: "WAITING",. 3: "CANCEL1",. 4: "CANCEL2".};..const InfoMessages = {. "EMAIL_RETRIEVE": {. "EN-US": "Retrieving the reported email.",. "AR-EG": "....... ....... ..... ...... .......... ...... ....",. "BG-BG": "....... .. ............ ......",. "CS-CZ": "Prob.h. na..t.n. nahl..en.ho e-mailu.",. "DA-DK": "Henter den rapporterede e-mail...",. "DE-DE": "Gemeldete E-Mail wird abgerufen...",. "EL-GR": "........ ... email ... ..........",. "EN-AU": "Retrieving the reported em

Chrome Cache Entry: 50

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PNG image data, 125 x 34, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	5851
Entropy (8bit):	5.572647065027471
Encrypted:	false
SSDEEP:	96:iSm27nFEUOk0IrL3Wnxat2wWk/VWShUMIuPfSC2RSod:5TF0k4cYShuuPfS/1d
MD5:	5B241FAD097F4DF400287C6A4EC6B933
SHA1:	8B44C93602FEC56902DEC102CBB59F625095AF02
SHA-256:	89C0E9DFEF69A83D84570661301662CE0D39DF506BC687C7B87DC80984683115
SHA-512:	AA47ABA9C175D576CC5FD844BB7A8C71031DF84051A39B08F5E6DCB008F7EDA6BBA1EE99A2BBC23CFE0B1830F40F6A16474C216BD8266FD57303A34DF6E4DF9A
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR...}...".....rX......zTXtRaw profile type exif..x.mP[.. ...)v..(....v.....S.f)......\|.C......V..x.hG.dG>P..x..H.....q...g.?..h`....!..P-...(..>Q.1!.0R...A..J.z.~a....A=..c.....-xGEveM.6...J.@.2+..^..m..a......z.2pYN...&....iCCPICC profile..x.}.=H.@.._S..-.v.q.P]...8.*..Bi+..`r..!Iqq.\..~,V.\.uup.....W.'E.)..I.E....xw.q.......]1@.,#.......xE.}.a...3.df!...u.._.<...#..L..D.....x.xf..9...YYR..'.. .#.e..8...xf.....b....feC%.&.(.F.B.e...g.Rc.{.....r..4G..".HA...6P..(..)&.....;...drm..c.U...?.....,NM.I.8..b...@`.h.m....'.......j...$..."G@.6pq...=.r..z.%Cr$?M.X.......-............n..C`.D.k.......3..~...r...8....iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?>.<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="XMP Core 4.4.0-Exiv2">. <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">. <rdf:Description rdf:about="". xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/". xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/Resou

Chrome Cache Entry: 51

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PNG image data, 125 x 34, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	5851
Entropy (8bit):	5.572647065027471
Encrypted:	false
SSDEEP:	96:iSm27nFEUOk0IrL3Wnxat2wWk/VWShUMIuPfSC2RSod:5TF0k4cYShuuPfS/1d
MD5:	5B241FAD097F4DF400287C6A4EC6B933
SHA1:	8B44C93602FEC56902DEC102CBB59F625095AF02
SHA-256:	89C0E9DFEF69A83D84570661301662CE0D39DF506BC687C7B87DC80984683115
SHA-512:	AA47ABA9C175D576CC5FD844BB7A8C71031DF84051A39B08F5E6DCB008F7EDA6BBA1EE99A2BBC23CFE0B1830F40F6A16474C216BD8266FD57303A34DF6E4DF9A
Malicious:	false
Reputation:	low
URL:	https://us-phishalarm-ewt.proofpoint.com/EWT/v1/images/pfpt-logo.png
Preview:	.PNG........IHDR...}...".....rX......zTXtRaw profile type exif..x.mP[.. ...)v..(....v.....S.f)......\|.C......V..x.hG.dG>P..x..H.....q...g.?..h`....!..P-...(..>Q.1!.0R...A..J.z.~a....A=..c.....-xGEveM.6...J.@.2+..^..m..a......z.2pYN...&....iCCPICC profile..x.}.=H.@.._S..-.v.q.P]...8.*..Bi+..`r..!Iqq.\..~,V.\.uup.....W.'E.)..I.E....xw.q.......]1@.,#.......xE.}.a...3.df!...u.._.<...#..L..D.....x.xf..9...YYR..'.. .#.e..8...xf.....b....feC%.&.(.F.B.e...g.Rc.{.....r..4G..".HA...6P..(..)&.....;...drm..c.U...?.....,NM.I.8..b...@`.h.m....'.......j...$..."G@.6pq...=.r..z.%Cr$?M.X.......-............n..C`.D.k.......3..~...r...8....iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?>.<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="XMP Core 4.4.0-Exiv2">. <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">. <rdf:Description rdf:about="". xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/". xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/Resou

Chrome Cache Entry: 52

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text
Category:	downloaded
Size (bytes):	13603
Entropy (8bit):	4.281395497073754
Encrypted:	false
SSDEEP:	192:pA7lvMnkvyVUCk/Kij5U3vM1iQVPK3PSX0jhiSRIPhzWyoQuZzJARA3wVUOE+BS:G75jKA0jV3JAO3UHE+Y
MD5:	24E6CC05813AD4619D1D4A9CB991D319
SHA1:	74FE6A1FA8C7169A3158B3FC62F6D8A2B1A6936F
SHA-256:	D4997E4375819F3B88707789AF2EA77A7D5F248E321083873219850BBB127C81
SHA-512:	A4BBBDAA87E76BB3DDF6A3E4F546665C4F75BA3EF13D0B702F4FA3C0ACB32670F9C6B00A42A657FCD3C59DD1AFCE457A82E3049204D0E14072048481EECD587B
Malicious:	false
Reputation:	low
URL:	https://us-phishalarm-ewt.proofpoint.com/EWT/v1/I-gv3HeEIA!IXui9LmLmXTYW0ChV3m6g9GXkRGpJg8qmgV35mVjVu2AD89bY2MHfUevS98yZ4i8sUHWveCAqzlrDbIgBYwe6uuq$
Preview:	<!DOCTYPE html>.<html lang="en">.<head>. <meta charset="utf-8" />. <meta name="viewport" content="width=device-width, initial-scale=1.0">. <title translate="no" class="notranslate">PhishAlarm</title>. <link rel="stylesheet" href="/EWT/v1/Site.css" />.</head>.<body>. <script src="/EWT/v1/Scripts/jquery-3.4.1.js" asp-append-version="true"></script>. <script src="/EWT/v1/Scripts/error_translations.js"></script>. . <script src="/EWT/v1/jslog.js"></script>. <script>. if (window.JSLog) {. window.JSLog.init('/EWT/v1/js', {. 'X-PFPT-TraceId': 'bcdb7875-7d88-4b3c-a995-d820b5397e55'. });. }.. var traceId = "bcdb7875-7d88-4b3c-a995-d820b5397e55";. var workflowUrl = "https://us-phishalarm-ewt.securityeducation.com/api/Workflow/ProcessWorkflow";. var decryptedParams = "?messageId=%3CNn-jKOZCQPW05zi4hV5Orw%40geopod-ismtpd-18%3E&userEmailAddress=ccasali%40cedarpoint.com&clusterId=cedarfair_hosted&compan

Static File Info

⊘No static file info

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 24, 2024 14:46:29.243587017 CEST	49675	443	192.168.2.4	173.222.162.32
May 24, 2024 14:46:37.156941891 CEST	49735	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:37.156976938 CEST	443	49735	50.17.48.180	192.168.2.4
May 24, 2024 14:46:37.157042980 CEST	49735	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:37.157476902 CEST	49735	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:37.157493114 CEST	443	49735	50.17.48.180	192.168.2.4
May 24, 2024 14:46:37.158034086 CEST	49736	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:37.158123970 CEST	443	49736	50.17.48.180	192.168.2.4
May 24, 2024 14:46:37.158201933 CEST	49736	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:37.158389091 CEST	49736	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:37.158421993 CEST	443	49736	50.17.48.180	192.168.2.4
May 24, 2024 14:46:37.806607008 CEST	443	49736	50.17.48.180	192.168.2.4
May 24, 2024 14:46:37.808083057 CEST	443	49735	50.17.48.180	192.168.2.4
May 24, 2024 14:46:37.808490038 CEST	49735	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:37.808510065 CEST	443	49735	50.17.48.180	192.168.2.4
May 24, 2024 14:46:37.808653116 CEST	49736	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:37.808717012 CEST	443	49736	50.17.48.180	192.168.2.4
May 24, 2024 14:46:37.809478998 CEST	443	49735	50.17.48.180	192.168.2.4
May 24, 2024 14:46:37.809557915 CEST	49735	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:37.810399055 CEST	443	49736	50.17.48.180	192.168.2.4
May 24, 2024 14:46:37.810583115 CEST	49736	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:37.811234951 CEST	49735	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:37.811306953 CEST	443	49735	50.17.48.180	192.168.2.4
May 24, 2024 14:46:37.811614037 CEST	49735	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:37.811626911 CEST	443	49735	50.17.48.180	192.168.2.4
May 24, 2024 14:46:37.811758041 CEST	49736	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:37.811860085 CEST	443	49736	50.17.48.180	192.168.2.4
May 24, 2024 14:46:37.853884935 CEST	49735	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:37.932372093 CEST	49736	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:37.932405949 CEST	443	49736	50.17.48.180	192.168.2.4
May 24, 2024 14:46:38.041878939 CEST	49736	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:38.250411987 CEST	443	49735	50.17.48.180	192.168.2.4
May 24, 2024 14:46:38.250441074 CEST	443	49735	50.17.48.180	192.168.2.4
May 24, 2024 14:46:38.250452042 CEST	443	49735	50.17.48.180	192.168.2.4
May 24, 2024 14:46:38.250468969 CEST	443	49735	50.17.48.180	192.168.2.4
May 24, 2024 14:46:38.250513077 CEST	443	49735	50.17.48.180	192.168.2.4
May 24, 2024 14:46:38.250619888 CEST	443	49735	50.17.48.180	192.168.2.4
May 24, 2024 14:46:38.250621080 CEST	49735	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:38.250679970 CEST	49735	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:38.250710011 CEST	49735	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:38.251925945 CEST	49735	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:38.251951933 CEST	443	49735	50.17.48.180	192.168.2.4
May 24, 2024 14:46:38.279762983 CEST	49738	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:38.279846907 CEST	443	49738	50.17.48.180	192.168.2.4
May 24, 2024 14:46:38.280258894 CEST	49739	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:38.280278921 CEST	443	49739	50.17.48.180	192.168.2.4
May 24, 2024 14:46:38.280308008 CEST	49738	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:38.280361891 CEST	49739	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:38.281033039 CEST	49740	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:38.281078100 CEST	443	49740	50.17.48.180	192.168.2.4
May 24, 2024 14:46:38.281234026 CEST	49740	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:38.281234026 CEST	49741	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:38.281266928 CEST	443	49741	50.17.48.180	192.168.2.4
May 24, 2024 14:46:38.281409979 CEST	49736	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:38.281593084 CEST	49741	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:38.281790972 CEST	49738	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:38.281817913 CEST	443	49738	50.17.48.180	192.168.2.4
May 24, 2024 14:46:38.282038927 CEST	49739	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:38.282062054 CEST	443	49739	50.17.48.180	192.168.2.4
May 24, 2024 14:46:38.282226086 CEST	49740	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:38.282246113 CEST	443	49740	50.17.48.180	192.168.2.4
May 24, 2024 14:46:38.282406092 CEST	49741	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:38.282427073 CEST	443	49741	50.17.48.180	192.168.2.4
May 24, 2024 14:46:38.322508097 CEST	443	49736	50.17.48.180	192.168.2.4
May 24, 2024 14:46:38.406296015 CEST	443	49736	50.17.48.180	192.168.2.4
May 24, 2024 14:46:38.406361103 CEST	443	49736	50.17.48.180	192.168.2.4
May 24, 2024 14:46:38.406527996 CEST	49736	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:38.406591892 CEST	443	49736	50.17.48.180	192.168.2.4
May 24, 2024 14:46:38.406636953 CEST	443	49736	50.17.48.180	192.168.2.4
May 24, 2024 14:46:38.406703949 CEST	49736	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:38.407751083 CEST	49736	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:38.407788038 CEST	443	49736	50.17.48.180	192.168.2.4
May 24, 2024 14:46:38.848222971 CEST	443	49741	50.17.48.180	192.168.2.4
May 24, 2024 14:46:38.848324060 CEST	443	49738	50.17.48.180	192.168.2.4
May 24, 2024 14:46:38.848443031 CEST	443	49739	50.17.48.180	192.168.2.4
May 24, 2024 14:46:38.848745108 CEST	443	49740	50.17.48.180	192.168.2.4
May 24, 2024 14:46:38.848757029 CEST	49741	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:38.848788023 CEST	443	49741	50.17.48.180	192.168.2.4
May 24, 2024 14:46:38.848929882 CEST	49738	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:38.848958015 CEST	443	49738	50.17.48.180	192.168.2.4
May 24, 2024 14:46:38.849114895 CEST	49739	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:38.849126101 CEST	443	49739	50.17.48.180	192.168.2.4
May 24, 2024 14:46:38.849296093 CEST	443	49738	50.17.48.180	192.168.2.4
May 24, 2024 14:46:38.849302053 CEST	49740	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:38.849313974 CEST	443	49740	50.17.48.180	192.168.2.4
May 24, 2024 14:46:38.849594116 CEST	443	49739	50.17.48.180	192.168.2.4
May 24, 2024 14:46:38.849790096 CEST	443	49741	50.17.48.180	192.168.2.4
May 24, 2024 14:46:38.849915981 CEST	49741	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:38.850099087 CEST	49738	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:38.850172043 CEST	443	49738	50.17.48.180	192.168.2.4
May 24, 2024 14:46:38.850924969 CEST	49739	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:38.851010084 CEST	443	49739	50.17.48.180	192.168.2.4
May 24, 2024 14:46:38.851120949 CEST	49675	443	192.168.2.4	173.222.162.32
May 24, 2024 14:46:38.851526022 CEST	443	49740	50.17.48.180	192.168.2.4
May 24, 2024 14:46:38.851639032 CEST	49740	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:38.855815887 CEST	49741	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:38.855885029 CEST	443	49741	50.17.48.180	192.168.2.4
May 24, 2024 14:46:38.856264114 CEST	49738	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:38.856338024 CEST	49740	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:38.856410027 CEST	49739	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:38.856491089 CEST	443	49740	50.17.48.180	192.168.2.4
May 24, 2024 14:46:38.856723070 CEST	49741	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:38.856735945 CEST	443	49741	50.17.48.180	192.168.2.4
May 24, 2024 14:46:38.856951952 CEST	49740	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:38.856961012 CEST	443	49740	50.17.48.180	192.168.2.4
May 24, 2024 14:46:38.902507067 CEST	443	49739	50.17.48.180	192.168.2.4
May 24, 2024 14:46:38.902528048 CEST	443	49738	50.17.48.180	192.168.2.4
May 24, 2024 14:46:38.908162117 CEST	49741	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:38.908163071 CEST	49740	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.053790092 CEST	443	49741	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.053813934 CEST	443	49741	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.053821087 CEST	443	49741	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.053889036 CEST	49741	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.053927898 CEST	443	49741	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.053950071 CEST	443	49741	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.053987980 CEST	49741	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.077584028 CEST	443	49740	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.077649117 CEST	443	49740	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.077668905 CEST	443	49740	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.077703953 CEST	49740	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.077732086 CEST	443	49740	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.077765942 CEST	49740	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.077790022 CEST	49740	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.077819109 CEST	443	49740	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.077864885 CEST	49740	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.109744072 CEST	443	49738	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.109805107 CEST	443	49738	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.109848976 CEST	443	49738	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.109904051 CEST	49738	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.109986067 CEST	443	49738	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.110028028 CEST	49738	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.110055923 CEST	49738	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.123344898 CEST	443	49738	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.123394012 CEST	443	49738	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.123464108 CEST	49738	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.123481035 CEST	443	49738	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.123538971 CEST	49738	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.142225981 CEST	443	49739	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.142251015 CEST	443	49739	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.142268896 CEST	443	49739	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.142507076 CEST	49739	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.142584085 CEST	443	49739	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.142669916 CEST	49739	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.155551910 CEST	443	49739	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.155572891 CEST	443	49739	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.155828953 CEST	49739	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.155914068 CEST	443	49739	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.163877010 CEST	49738	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.195863962 CEST	49739	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.196393967 CEST	443	49738	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.196444035 CEST	443	49738	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.196496964 CEST	49738	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.196513891 CEST	443	49738	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.196562052 CEST	49738	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.196585894 CEST	49738	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.203521013 CEST	443	49738	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.203542948 CEST	443	49738	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.203620911 CEST	49738	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.203641891 CEST	443	49738	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.203680992 CEST	49738	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.203701019 CEST	49738	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.209247112 CEST	443	49738	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.209264994 CEST	443	49738	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.209332943 CEST	49738	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.209346056 CEST	443	49738	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.209392071 CEST	49738	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.209420919 CEST	49738	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.234375954 CEST	443	49739	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.234394073 CEST	443	49739	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.234538078 CEST	49739	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.234601021 CEST	443	49739	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.234671116 CEST	49739	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.240144968 CEST	443	49739	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.240159035 CEST	443	49739	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.240278006 CEST	49739	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.240294933 CEST	443	49739	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.240362883 CEST	49739	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.245675087 CEST	443	49739	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.245688915 CEST	443	49739	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.245783091 CEST	49739	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.245795965 CEST	443	49739	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.245856047 CEST	49739	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.247148991 CEST	443	49739	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.247205973 CEST	49739	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.247217894 CEST	443	49739	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.247251987 CEST	443	49739	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.247271061 CEST	49739	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.247302055 CEST	49739	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.282004118 CEST	443	49738	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.282028913 CEST	443	49738	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.282219887 CEST	49738	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.282221079 CEST	49738	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.282291889 CEST	443	49738	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.282351017 CEST	49738	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.286072016 CEST	443	49738	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.286092043 CEST	443	49738	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.286153078 CEST	49738	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.286171913 CEST	443	49738	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.286221981 CEST	49738	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.286248922 CEST	49738	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.290749073 CEST	443	49738	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.290770054 CEST	443	49738	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.290826082 CEST	49738	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.290841103 CEST	443	49738	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.290899992 CEST	49738	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.290920019 CEST	49738	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.297209024 CEST	49738	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.297503948 CEST	49739	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.299870014 CEST	443	49738	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.299917936 CEST	443	49738	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.299962044 CEST	49738	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.299978971 CEST	443	49738	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.300035000 CEST	49738	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.300055027 CEST	49738	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.304163933 CEST	443	49738	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.304208040 CEST	443	49738	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.304255009 CEST	49738	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.304269075 CEST	443	49738	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.304338932 CEST	49738	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.322633028 CEST	49738	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.322730064 CEST	49738	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.334151030 CEST	49740	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.334186077 CEST	443	49740	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.338627100 CEST	49741	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.338641882 CEST	443	49741	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.368050098 CEST	49739	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.368081093 CEST	443	49739	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.370671034 CEST	443	49738	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.370692015 CEST	443	49738	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.370740891 CEST	49738	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.370755911 CEST	443	49738	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.370793104 CEST	49738	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.370816946 CEST	49738	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.374947071 CEST	443	49738	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.374967098 CEST	443	49738	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.375024080 CEST	49738	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.375037909 CEST	443	49738	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.375091076 CEST	49738	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.375111103 CEST	49738	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.377913952 CEST	443	49738	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.377934933 CEST	443	49738	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.377995968 CEST	49738	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.378010035 CEST	443	49738	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.378047943 CEST	49738	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.378073931 CEST	49738	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.381095886 CEST	443	49738	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.381114006 CEST	443	49738	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.381167889 CEST	49738	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.381181002 CEST	443	49738	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.381230116 CEST	49738	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.381253958 CEST	49738	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.383610964 CEST	443	49738	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.383630037 CEST	443	49738	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.383698940 CEST	49738	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.383713007 CEST	443	49738	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.383759975 CEST	49738	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.386526108 CEST	443	49738	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.386544943 CEST	443	49738	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.386604071 CEST	49738	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.386616945 CEST	443	49738	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.386657000 CEST	49738	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.386679888 CEST	49738	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.389936924 CEST	443	49738	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.389959097 CEST	443	49738	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.390013933 CEST	49738	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.390026093 CEST	443	49738	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.390054941 CEST	443	49738	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.390080929 CEST	49738	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.390105963 CEST	49738	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.394123077 CEST	49738	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.394139051 CEST	443	49738	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.632531881 CEST	49743	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.632574081 CEST	443	49743	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.632652044 CEST	49743	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.637176037 CEST	49743	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:39.637193918 CEST	443	49743	50.17.48.180	192.168.2.4
May 24, 2024 14:46:39.745954037 CEST	49744	443	192.168.2.4	52.1.130.164
May 24, 2024 14:46:39.745992899 CEST	443	49744	52.1.130.164	192.168.2.4
May 24, 2024 14:46:39.746062040 CEST	49744	443	192.168.2.4	52.1.130.164
May 24, 2024 14:46:39.746743917 CEST	49744	443	192.168.2.4	52.1.130.164
May 24, 2024 14:46:39.746754885 CEST	443	49744	52.1.130.164	192.168.2.4
May 24, 2024 14:46:40.145109892 CEST	443	49743	50.17.48.180	192.168.2.4
May 24, 2024 14:46:40.194956064 CEST	49743	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:40.215080976 CEST	49743	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:40.215094090 CEST	443	49743	50.17.48.180	192.168.2.4
May 24, 2024 14:46:40.215696096 CEST	443	49743	50.17.48.180	192.168.2.4
May 24, 2024 14:46:40.218307972 CEST	49743	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:40.218395948 CEST	443	49743	50.17.48.180	192.168.2.4
May 24, 2024 14:46:40.220073938 CEST	49743	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:40.238620043 CEST	49745	443	192.168.2.4	142.250.184.196
May 24, 2024 14:46:40.238648891 CEST	443	49745	142.250.184.196	192.168.2.4
May 24, 2024 14:46:40.238751888 CEST	49745	443	192.168.2.4	142.250.184.196
May 24, 2024 14:46:40.239870071 CEST	49745	443	192.168.2.4	142.250.184.196
May 24, 2024 14:46:40.239893913 CEST	443	49745	142.250.184.196	192.168.2.4
May 24, 2024 14:46:40.266510010 CEST	443	49743	50.17.48.180	192.168.2.4
May 24, 2024 14:46:40.331443071 CEST	443	49743	50.17.48.180	192.168.2.4
May 24, 2024 14:46:40.331527948 CEST	443	49743	50.17.48.180	192.168.2.4
May 24, 2024 14:46:40.331576109 CEST	49743	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:40.335464954 CEST	49743	443	192.168.2.4	50.17.48.180
May 24, 2024 14:46:40.335484028 CEST	443	49743	50.17.48.180	192.168.2.4
May 24, 2024 14:46:40.401581049 CEST	443	49744	52.1.130.164	192.168.2.4
May 24, 2024 14:46:40.426400900 CEST	49744	443	192.168.2.4	52.1.130.164
May 24, 2024 14:46:40.426414013 CEST	443	49744	52.1.130.164	192.168.2.4
May 24, 2024 14:46:40.427476883 CEST	443	49744	52.1.130.164	192.168.2.4
May 24, 2024 14:46:40.427571058 CEST	49744	443	192.168.2.4	52.1.130.164
May 24, 2024 14:46:40.525497913 CEST	49744	443	192.168.2.4	52.1.130.164
May 24, 2024 14:46:40.525636911 CEST	443	49744	52.1.130.164	192.168.2.4
May 24, 2024 14:46:40.526691914 CEST	49744	443	192.168.2.4	52.1.130.164
May 24, 2024 14:46:40.526701927 CEST	443	49744	52.1.130.164	192.168.2.4
May 24, 2024 14:46:40.570700884 CEST	49744	443	192.168.2.4	52.1.130.164
May 24, 2024 14:46:40.896038055 CEST	443	49744	52.1.130.164	192.168.2.4
May 24, 2024 14:46:40.896070004 CEST	443	49744	52.1.130.164	192.168.2.4
May 24, 2024 14:46:40.896080971 CEST	443	49744	52.1.130.164	192.168.2.4
May 24, 2024 14:46:40.896166086 CEST	443	49744	52.1.130.164	192.168.2.4
May 24, 2024 14:46:40.896286964 CEST	49744	443	192.168.2.4	52.1.130.164
May 24, 2024 14:46:40.896517038 CEST	49744	443	192.168.2.4	52.1.130.164
May 24, 2024 14:46:40.897619009 CEST	49744	443	192.168.2.4	52.1.130.164
May 24, 2024 14:46:40.897635937 CEST	443	49744	52.1.130.164	192.168.2.4
May 24, 2024 14:46:40.905386925 CEST	49746	443	192.168.2.4	2.19.244.127
May 24, 2024 14:46:40.905426979 CEST	443	49746	2.19.244.127	192.168.2.4
May 24, 2024 14:46:40.905601978 CEST	49746	443	192.168.2.4	2.19.244.127
May 24, 2024 14:46:40.907707930 CEST	49746	443	192.168.2.4	2.19.244.127
May 24, 2024 14:46:40.907723904 CEST	443	49746	2.19.244.127	192.168.2.4
May 24, 2024 14:46:40.915585995 CEST	443	49745	142.250.184.196	192.168.2.4
May 24, 2024 14:46:40.920586109 CEST	49745	443	192.168.2.4	142.250.184.196
May 24, 2024 14:46:40.920608044 CEST	443	49745	142.250.184.196	192.168.2.4
May 24, 2024 14:46:40.922065020 CEST	443	49745	142.250.184.196	192.168.2.4
May 24, 2024 14:46:40.922404051 CEST	49745	443	192.168.2.4	142.250.184.196
May 24, 2024 14:46:40.940023899 CEST	49745	443	192.168.2.4	142.250.184.196
May 24, 2024 14:46:40.940232038 CEST	443	49745	142.250.184.196	192.168.2.4
May 24, 2024 14:46:40.993164062 CEST	49745	443	192.168.2.4	142.250.184.196
May 24, 2024 14:46:40.993172884 CEST	443	49745	142.250.184.196	192.168.2.4
May 24, 2024 14:46:41.040050030 CEST	49745	443	192.168.2.4	142.250.184.196
May 24, 2024 14:46:41.608726978 CEST	443	49746	2.19.244.127	192.168.2.4
May 24, 2024 14:46:41.609081030 CEST	49746	443	192.168.2.4	2.19.244.127
May 24, 2024 14:46:41.620122910 CEST	49746	443	192.168.2.4	2.19.244.127
May 24, 2024 14:46:41.620146990 CEST	443	49746	2.19.244.127	192.168.2.4
May 24, 2024 14:46:41.620559931 CEST	443	49746	2.19.244.127	192.168.2.4
May 24, 2024 14:46:41.665040016 CEST	49746	443	192.168.2.4	2.19.244.127
May 24, 2024 14:46:41.768172026 CEST	49746	443	192.168.2.4	2.19.244.127
May 24, 2024 14:46:41.814496994 CEST	443	49746	2.19.244.127	192.168.2.4
May 24, 2024 14:46:41.963170052 CEST	443	49746	2.19.244.127	192.168.2.4
May 24, 2024 14:46:41.963234901 CEST	443	49746	2.19.244.127	192.168.2.4
May 24, 2024 14:46:41.963277102 CEST	49746	443	192.168.2.4	2.19.244.127
May 24, 2024 14:46:41.963644981 CEST	49746	443	192.168.2.4	2.19.244.127
May 24, 2024 14:46:41.963664055 CEST	443	49746	2.19.244.127	192.168.2.4
May 24, 2024 14:46:42.009674072 CEST	49748	443	192.168.2.4	2.19.244.127
May 24, 2024 14:46:42.009711027 CEST	443	49748	2.19.244.127	192.168.2.4
May 24, 2024 14:46:42.009773016 CEST	49748	443	192.168.2.4	2.19.244.127
May 24, 2024 14:46:42.010838985 CEST	49748	443	192.168.2.4	2.19.244.127
May 24, 2024 14:46:42.010853052 CEST	443	49748	2.19.244.127	192.168.2.4
May 24, 2024 14:46:42.705234051 CEST	443	49748	2.19.244.127	192.168.2.4
May 24, 2024 14:46:42.705324888 CEST	49748	443	192.168.2.4	2.19.244.127
May 24, 2024 14:46:42.715502977 CEST	49748	443	192.168.2.4	2.19.244.127
May 24, 2024 14:46:42.715523958 CEST	443	49748	2.19.244.127	192.168.2.4
May 24, 2024 14:46:42.716279030 CEST	443	49748	2.19.244.127	192.168.2.4
May 24, 2024 14:46:42.720331907 CEST	49748	443	192.168.2.4	2.19.244.127
May 24, 2024 14:46:42.766501904 CEST	443	49748	2.19.244.127	192.168.2.4
May 24, 2024 14:46:42.998608112 CEST	443	49748	2.19.244.127	192.168.2.4
May 24, 2024 14:46:42.998790979 CEST	443	49748	2.19.244.127	192.168.2.4
May 24, 2024 14:46:43.002062082 CEST	49748	443	192.168.2.4	2.19.244.127
May 24, 2024 14:46:43.002062082 CEST	49748	443	192.168.2.4	2.19.244.127
May 24, 2024 14:46:43.002099991 CEST	49748	443	192.168.2.4	2.19.244.127
May 24, 2024 14:46:43.002115011 CEST	443	49748	2.19.244.127	192.168.2.4
May 24, 2024 14:46:50.807179928 CEST	443	49745	142.250.184.196	192.168.2.4
May 24, 2024 14:46:50.807338953 CEST	443	49745	142.250.184.196	192.168.2.4
May 24, 2024 14:46:50.807426929 CEST	49745	443	192.168.2.4	142.250.184.196
May 24, 2024 14:46:52.206037998 CEST	49745	443	192.168.2.4	142.250.184.196
May 24, 2024 14:46:52.206070900 CEST	443	49745	142.250.184.196	192.168.2.4
May 24, 2024 14:46:53.131469011 CEST	49723	80	192.168.2.4	199.232.214.172
May 24, 2024 14:46:53.139446974 CEST	80	49723	199.232.214.172	192.168.2.4
May 24, 2024 14:46:53.139518976 CEST	49723	80	192.168.2.4	199.232.214.172
May 24, 2024 14:47:32.009763956 CEST	49724	80	192.168.2.4	199.232.210.172
May 24, 2024 14:47:32.071357012 CEST	80	49724	199.232.210.172	192.168.2.4
May 24, 2024 14:47:32.071435928 CEST	49724	80	192.168.2.4	199.232.210.172
May 24, 2024 14:47:40.260101080 CEST	49757	443	192.168.2.4	142.250.184.196
May 24, 2024 14:47:40.260138035 CEST	443	49757	142.250.184.196	192.168.2.4
May 24, 2024 14:47:40.260205984 CEST	49757	443	192.168.2.4	142.250.184.196
May 24, 2024 14:47:40.260473967 CEST	49757	443	192.168.2.4	142.250.184.196
May 24, 2024 14:47:40.260499001 CEST	443	49757	142.250.184.196	192.168.2.4
May 24, 2024 14:47:40.924961090 CEST	443	49757	142.250.184.196	192.168.2.4
May 24, 2024 14:47:40.925251961 CEST	49757	443	192.168.2.4	142.250.184.196
May 24, 2024 14:47:40.925280094 CEST	443	49757	142.250.184.196	192.168.2.4
May 24, 2024 14:47:40.925590038 CEST	443	49757	142.250.184.196	192.168.2.4
May 24, 2024 14:47:40.925977945 CEST	49757	443	192.168.2.4	142.250.184.196
May 24, 2024 14:47:40.926031113 CEST	443	49757	142.250.184.196	192.168.2.4
May 24, 2024 14:47:40.977834940 CEST	49757	443	192.168.2.4	142.250.184.196
May 24, 2024 14:47:50.821290970 CEST	443	49757	142.250.184.196	192.168.2.4
May 24, 2024 14:47:50.821348906 CEST	443	49757	142.250.184.196	192.168.2.4
May 24, 2024 14:47:50.821458101 CEST	49757	443	192.168.2.4	142.250.184.196
May 24, 2024 14:47:52.189090967 CEST	49757	443	192.168.2.4	142.250.184.196
May 24, 2024 14:47:52.189110041 CEST	443	49757	142.250.184.196	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 24, 2024 14:46:36.006788969 CEST	53	57413	1.1.1.1	192.168.2.4
May 24, 2024 14:46:36.080629110 CEST	53	51770	1.1.1.1	192.168.2.4
May 24, 2024 14:46:37.086385965 CEST	53845	53	192.168.2.4	1.1.1.1
May 24, 2024 14:46:37.086642027 CEST	59822	53	192.168.2.4	1.1.1.1
May 24, 2024 14:46:37.140309095 CEST	53	53845	1.1.1.1	192.168.2.4
May 24, 2024 14:46:37.200850964 CEST	53	65516	1.1.1.1	192.168.2.4
May 24, 2024 14:46:37.222974062 CEST	53	59822	1.1.1.1	192.168.2.4
May 24, 2024 14:46:39.648561001 CEST	51113	53	192.168.2.4	1.1.1.1
May 24, 2024 14:46:39.649317980 CEST	51756	53	192.168.2.4	1.1.1.1
May 24, 2024 14:46:39.723453045 CEST	53	51113	1.1.1.1	192.168.2.4
May 24, 2024 14:46:39.876365900 CEST	53	51756	1.1.1.1	192.168.2.4
May 24, 2024 14:46:40.221846104 CEST	57024	53	192.168.2.4	1.1.1.1
May 24, 2024 14:46:40.222172976 CEST	61153	53	192.168.2.4	1.1.1.1
May 24, 2024 14:46:40.234632969 CEST	53	57024	1.1.1.1	192.168.2.4
May 24, 2024 14:46:40.234651089 CEST	53	61153	1.1.1.1	192.168.2.4
May 24, 2024 14:46:43.173887968 CEST	138	138	192.168.2.4	192.168.2.255
May 24, 2024 14:46:54.287307978 CEST	53	57112	1.1.1.1	192.168.2.4
May 24, 2024 14:47:13.205610037 CEST	53	60855	1.1.1.1	192.168.2.4
May 24, 2024 14:47:35.581721067 CEST	53	49776	1.1.1.1	192.168.2.4
May 24, 2024 14:47:36.558779955 CEST	53	65207	1.1.1.1	192.168.2.4

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
May 24, 2024 14:46:37.223038912 CEST	192.168.2.4	1.1.1.1	c279	(Port unreachable)	Destination Unreachable
May 24, 2024 14:46:39.876523972 CEST	192.168.2.4	1.1.1.1	c279	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 24, 2024 14:46:37.086385965 CEST	192.168.2.4	1.1.1.1	0x92d0	Standard query (0)	us-phishalarm-ewt.proofpoint.com	A (IP address)	IN (0x0001)	false
May 24, 2024 14:46:37.086642027 CEST	192.168.2.4	1.1.1.1	0x3220	Standard query (0)	us-phishalarm-ewt.proofpoint.com	65	IN (0x0001)	false
May 24, 2024 14:46:39.648561001 CEST	192.168.2.4	1.1.1.1	0x556	Standard query (0)	us-phishalarm-ewt.proofpoint.com	A (IP address)	IN (0x0001)	false
May 24, 2024 14:46:39.649317980 CEST	192.168.2.4	1.1.1.1	0x562d	Standard query (0)	us-phishalarm-ewt.proofpoint.com	65	IN (0x0001)	false
May 24, 2024 14:46:40.221846104 CEST	192.168.2.4	1.1.1.1	0x4502	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
May 24, 2024 14:46:40.222172976 CEST	192.168.2.4	1.1.1.1	0x256a	Standard query (0)	www.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 24, 2024 14:46:37.140309095 CEST	1.1.1.1	192.168.2.4	0x92d0	No error (0)	us-phishalarm-ewt.proofpoint.com	us-phishalarm-ewt.securityeducation.com		CNAME (Canonical name)	IN (0x0001)	false
May 24, 2024 14:46:37.140309095 CEST	1.1.1.1	192.168.2.4	0x92d0	No error (0)	us-phishalarm-ewt.securityeducation.com		50.17.48.180	A (IP address)	IN (0x0001)	false
May 24, 2024 14:46:37.140309095 CEST	1.1.1.1	192.168.2.4	0x92d0	No error (0)	us-phishalarm-ewt.securityeducation.com		52.1.130.164	A (IP address)	IN (0x0001)	false
May 24, 2024 14:46:37.222974062 CEST	1.1.1.1	192.168.2.4	0x3220	No error (0)	us-phishalarm-ewt.proofpoint.com	us-phishalarm-ewt.securityeducation.com		CNAME (Canonical name)	IN (0x0001)	false
May 24, 2024 14:46:39.723453045 CEST	1.1.1.1	192.168.2.4	0x556	No error (0)	us-phishalarm-ewt.proofpoint.com	us-phishalarm-ewt.securityeducation.com		CNAME (Canonical name)	IN (0x0001)	false
May 24, 2024 14:46:39.723453045 CEST	1.1.1.1	192.168.2.4	0x556	No error (0)	us-phishalarm-ewt.securityeducation.com		52.1.130.164	A (IP address)	IN (0x0001)	false
May 24, 2024 14:46:39.723453045 CEST	1.1.1.1	192.168.2.4	0x556	No error (0)	us-phishalarm-ewt.securityeducation.com		50.17.48.180	A (IP address)	IN (0x0001)	false
May 24, 2024 14:46:39.876365900 CEST	1.1.1.1	192.168.2.4	0x562d	No error (0)	us-phishalarm-ewt.proofpoint.com	us-phishalarm-ewt.securityeducation.com		CNAME (Canonical name)	IN (0x0001)	false
May 24, 2024 14:46:40.234632969 CEST	1.1.1.1	192.168.2.4	0x4502	No error (0)	www.google.com		142.250.184.196	A (IP address)	IN (0x0001)	false
May 24, 2024 14:46:40.234651089 CEST	1.1.1.1	192.168.2.4	0x256a	No error (0)	www.google.com			65	IN (0x0001)	false
May 24, 2024 14:46:54.453917980 CEST	1.1.1.1	192.168.2.4	0xb69c	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
May 24, 2024 14:46:54.453917980 CEST	1.1.1.1	192.168.2.4	0xb69c	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
May 24, 2024 14:47:09.329996109 CEST	1.1.1.1	192.168.2.4	0x6b1	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
May 24, 2024 14:47:09.329996109 CEST	1.1.1.1	192.168.2.4	0x6b1	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
May 24, 2024 14:47:28.299541950 CEST	1.1.1.1	192.168.2.4	0x5e39	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
May 24, 2024 14:47:28.299541950 CEST	1.1.1.1	192.168.2.4	0x5e39	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
May 24, 2024 14:47:48.783591986 CEST	1.1.1.1	192.168.2.4	0x84c	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
May 24, 2024 14:47:48.783591986 CEST	1.1.1.1	192.168.2.4	0x84c	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

us-phishalarm-ewt.proofpoint.com

https:

fs.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49735	50.17.48.180	443	2716	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-24 12:46:37 UTC	782	OUT	GET /EWT/v1/I-gv3HeEIA!IXui9LmLmXTYW0ChV3m6g9GXkRGpJg8qmgV35mVjVu2AD89bY2MHfUevS98yZ4i8sUHWveCAqzlrDbIgBYwe6uuq$ HTTP/1.1 Host: us-phishalarm-ewt.proofpoint.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-05-24 12:46:38 UTC	215	IN	HTTP/1.1 200 OK Date: Fri, 24 May 2024 12:46:38 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Server: nginx X-PFPT-ApiTraceId: 6971c0d5-d2cd-4721-928e-05de4efa7bcd
2024-05-24 12:46:38 UTC	13611	IN	Data Raw: 33 35 32 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 20 74 72 61 6e 73 6c 61 74 65 3d 22 6e 6f 22 20 63 6c 61 73 73 3d 22 6e 6f 74 72 61 6e 73 6c 61 74 65 22 3e 50 68 69 73 68 41 6c 61 72 6d 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 45 57 54 2f 76 31 Data Ascii: 3523<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title translate="no" class="notranslate">PhishAlarm</title> <link rel="stylesheet" href="/EWT/v1
2024-05-24 12:46:38 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49736	50.17.48.180	443	2716	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-24 12:46:38 UTC	685	OUT	GET /EWT/v1/Site.css HTTP/1.1 Host: us-phishalarm-ewt.proofpoint.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: text/css,/;q=0.1 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: style Referer: https://us-phishalarm-ewt.proofpoint.com/EWT/v1/I-gv3HeEIA!IXui9LmLmXTYW0ChV3m6g9GXkRGpJg8qmgV35mVjVu2AD89bY2MHfUevS98yZ4i8sUHWveCAqzlrDbIgBYwe6uuq$ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-05-24 12:46:38 UTC	229	IN	HTTP/1.1 200 OK Date: Fri, 24 May 2024 12:46:38 GMT Content-Type: text/css Content-Length: 2151 Connection: close Server: nginx Accept-Ranges: bytes ETag: "1da7a24d01fb8e7" Last-Modified: Tue, 19 Mar 2024 17:42:29 GMT
2024-05-24 12:46:38 UTC	2151	IN	Data Raw: ef bb bf 2e 70 66 70 74 2d 70 68 61 2d 65 77 74 2d 62 61 6e 6e 65 72 20 7b 0a 20 20 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 30 32 37 37 64 62 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 77 68 69 74 65 3b 0a 20 20 20 20 68 65 69 67 68 74 3a 20 33 38 70 78 3b 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0a 7d 0a 0a 2e 70 66 70 74 2d 6c 6f 67 6f 20 7b 0a 20 20 20 20 77 69 64 74 68 3a 20 31 32 25 3b 0a 20 20 20 20 66 6c 6f 61 74 3a 20 6c 65 66 74 3b 0a 20 20 20 20 68 65 69 67 68 74 3a 20 33 36 70 78 3b 0a 20 20 20 20 6d 69 6e 2d 77 69 64 74 68 3a 20 31 38 37 70 78 3b 0a 7d 0a 0a 2e 64 69 76 69 64 65 72 20 7b 0a 20 20 20 20 68 65 69 67 68 74 3a 20 32 38 70 78 3b 0a Data Ascii: .pfpt-pha-ewt-banner { width: 100%; background-color: #0277db; color: white; height: 38px; position: relative;}.pfpt-logo { width: 12%; float: left; height: 36px; min-width: 187px;}.divider { height: 28px;

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49738	50.17.48.180	443	2716	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-24 12:46:38 UTC	686	OUT	GET /EWT/v1/Scripts/jquery-3.4.1.js HTTP/1.1 Host: us-phishalarm-ewt.proofpoint.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Referer: https://us-phishalarm-ewt.proofpoint.com/EWT/v1/I-gv3HeEIA!IXui9LmLmXTYW0ChV3m6g9GXkRGpJg8qmgV35mVjVu2AD89bY2MHfUevS98yZ4i8sUHWveCAqzlrDbIgBYwe6uuq$ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-05-24 12:46:39 UTC	260	IN	HTTP/1.1 200 OK Date: Fri, 24 May 2024 12:46:38 GMT Content-Type: application/javascript; charset=utf-8 Content-Length: 280364 Connection: close Server: nginx Accept-Ranges: bytes ETag: "1da7a24d01bf7ac" Last-Modified: Tue, 19 Mar 2024 17:42:29 GMT
2024-05-24 12:46:39 UTC	16124	IN	Data Raw: 2f 2a 21 0a 20 2a 20 6a 51 75 65 72 79 20 4a 61 76 61 53 63 72 69 70 74 20 4c 69 62 72 61 72 79 20 76 33 2e 34 2e 31 0a 20 2a 20 68 74 74 70 73 3a 2f 2f 6a 71 75 65 72 79 2e 63 6f 6d 2f 0a 20 2a 0a 20 2a 20 49 6e 63 6c 75 64 65 73 20 53 69 7a 7a 6c 65 2e 6a 73 0a 20 2a 20 68 74 74 70 73 3a 2f 2f 73 69 7a 7a 6c 65 6a 73 2e 63 6f 6d 2f 0a 20 2a 0a 20 2a 20 43 6f 70 79 72 69 67 68 74 20 4a 53 20 46 6f 75 6e 64 61 74 69 6f 6e 20 61 6e 64 20 6f 74 68 65 72 20 63 6f 6e 74 72 69 62 75 74 6f 72 73 0a 20 2a 20 52 65 6c 65 61 73 65 64 20 75 6e 64 65 72 20 74 68 65 20 4d 49 54 20 6c 69 63 65 6e 73 65 0a 20 2a 20 68 74 74 70 73 3a 2f 2f 6a 71 75 65 72 79 2e 6f 72 67 2f 6c 69 63 65 6e 73 65 0a 20 2a 0a 20 2a 20 44 61 74 65 3a 20 32 30 31 39 2d 30 35 2d 30 31 54 32 31 Data Ascii: /! jQuery JavaScript Library v3.4.1 * https://jquery.com/ * * Includes Sizzle.js * https://sizzlejs.com/ * * Copyright JS Foundation and other contributors * Released under the MIT license * https://jquery.org/license * * Date: 2019-05-01T21
2024-05-24 12:46:39 UTC	16379	IN	Data Raw: 20 3d 20 2f 48 54 4d 4c 24 2f 69 2c 0a 09 72 69 6e 70 75 74 73 20 3d 20 2f 5e 28 3f 3a 69 6e 70 75 74 7c 73 65 6c 65 63 74 7c 74 65 78 74 61 72 65 61 7c 62 75 74 74 6f 6e 29 24 2f 69 2c 0a 09 72 68 65 61 64 65 72 20 3d 20 2f 5e 68 5c 64 24 2f 69 2c 0a 0a 09 72 6e 61 74 69 76 65 20 3d 20 2f 5e 5b 5e 7b 5d 2b 5c 7b 5c 73 2a 5c 5b 6e 61 74 69 76 65 20 5c 77 2f 2c 0a 0a 09 2f 2f 20 45 61 73 69 6c 79 2d 70 61 72 73 65 61 62 6c 65 2f 72 65 74 72 69 65 76 61 62 6c 65 20 49 44 20 6f 72 20 54 41 47 20 6f 72 20 43 4c 41 53 53 20 73 65 6c 65 63 74 6f 72 73 0a 09 72 71 75 69 63 6b 45 78 70 72 20 3d 20 2f 5e 28 3f 3a 23 28 5b 5c 77 2d 5d 2b 29 7c 28 5c 77 2b 29 7c 5c 2e 28 5b 5c 77 2d 5d 2b 29 29 24 2f 2c 0a 0a 09 72 73 69 62 6c 69 6e 67 20 3d 20 2f 5b 2b 7e 5d 2f 2c Data Ascii: = /HTML$/i,rinputs = /^(?:input\|select\|textarea\|button)$/i,rheader = /^h\d$/i,rnative = /^[^{]+\{\s*\[native \w/,// Easily-parseable/retrievable ID or TAG or CLASS selectorsrquickExpr = /^(?:#([\w-]+)\|(\w+)\|\.([\w-]+))$/,rsibling = /[+~]/,
2024-05-24 12:46:39 UTC	16384	IN	Data Raw: 64 22 20 29 20 7b 0a 09 09 09 09 72 65 74 75 72 6e 20 63 6f 6e 74 65 78 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 20 74 61 67 20 29 3b 0a 0a 09 09 09 2f 2f 20 44 6f 63 75 6d 65 6e 74 46 72 61 67 6d 65 6e 74 20 6e 6f 64 65 73 20 64 6f 6e 27 74 20 68 61 76 65 20 67 45 42 54 4e 0a 09 09 09 7d 20 65 6c 73 65 20 69 66 20 28 20 73 75 70 70 6f 72 74 2e 71 73 61 20 29 20 7b 0a 09 09 09 09 72 65 74 75 72 6e 20 63 6f 6e 74 65 78 74 2e 71 75 65 72 79 53 65 6c 65 63 74 6f 72 41 6c 6c 28 20 74 61 67 20 29 3b 0a 09 09 09 7d 0a 09 09 7d 20 3a 0a 0a 09 09 66 75 6e 63 74 69 6f 6e 28 20 74 61 67 2c 20 63 6f 6e 74 65 78 74 20 29 20 7b 0a 09 09 09 76 61 72 20 65 6c 65 6d 2c 0a 09 09 09 09 74 6d 70 20 3d 20 5b 5d 2c 0a 09 09 09 09 69 20 3d 20 30 2c Data Ascii: d" ) {return context.getElementsByTagName( tag );// DocumentFragment nodes don't have gEBTN} else if ( support.qsa ) {return context.querySelectorAll( tag );}} :function( tag, context ) {var elem,tmp = [],i = 0,
2024-05-24 12:46:39 UTC	16384	IN	Data Raw: 64 65 49 6e 64 65 78 2c 20 73 74 61 72 74 2c 0a 09 09 09 09 09 09 64 69 72 20 3d 20 73 69 6d 70 6c 65 20 21 3d 3d 20 66 6f 72 77 61 72 64 20 3f 20 22 6e 65 78 74 53 69 62 6c 69 6e 67 22 20 3a 20 22 70 72 65 76 69 6f 75 73 53 69 62 6c 69 6e 67 22 2c 0a 09 09 09 09 09 09 70 61 72 65 6e 74 20 3d 20 65 6c 65 6d 2e 70 61 72 65 6e 74 4e 6f 64 65 2c 0a 09 09 09 09 09 09 6e 61 6d 65 20 3d 20 6f 66 54 79 70 65 20 26 26 20 65 6c 65 6d 2e 6e 6f 64 65 4e 61 6d 65 2e 74 6f 4c 6f 77 65 72 43 61 73 65 28 29 2c 0a 09 09 09 09 09 09 75 73 65 43 61 63 68 65 20 3d 20 21 78 6d 6c 20 26 26 20 21 6f 66 54 79 70 65 2c 0a 09 09 09 09 09 09 64 69 66 66 20 3d 20 66 61 6c 73 65 3b 0a 0a 09 09 09 09 09 69 66 20 28 20 70 61 72 65 6e 74 20 29 20 7b 0a 0a 09 09 09 09 09 09 2f 2f 20 3a Data Ascii: deIndex, start,dir = simple !== forward ? "nextSibling" : "previousSibling",parent = elem.parentNode,name = ofType && elem.nodeName.toLowerCase(),useCache = !xml && !ofType,diff = false;if ( parent ) {// :
2024-05-24 12:46:39 UTC	16384	IN	Data Raw: 6d 65 64 69 61 74 65 20 70 72 6f 63 65 73 73 69 6e 67 20 69 73 20 6e 65 63 65 73 73 61 72 79 0a 09 09 09 09 09 5b 5d 20 3a 0a 0a 09 09 09 09 09 2f 2f 20 2e 2e 2e 6f 74 68 65 72 77 69 73 65 20 75 73 65 20 72 65 73 75 6c 74 73 20 64 69 72 65 63 74 6c 79 0a 09 09 09 09 09 72 65 73 75 6c 74 73 20 3a 0a 09 09 09 09 6d 61 74 63 68 65 72 49 6e 3b 0a 0a 09 09 2f 2f 20 46 69 6e 64 20 70 72 69 6d 61 72 79 20 6d 61 74 63 68 65 73 0a 09 09 69 66 20 28 20 6d 61 74 63 68 65 72 20 29 20 7b 0a 09 09 09 6d 61 74 63 68 65 72 28 20 6d 61 74 63 68 65 72 49 6e 2c 20 6d 61 74 63 68 65 72 4f 75 74 2c 20 63 6f 6e 74 65 78 74 2c 20 78 6d 6c 20 29 3b 0a 09 09 7d 0a 0a 09 09 2f 2f 20 41 70 70 6c 79 20 70 6f 73 74 46 69 6c 74 65 72 0a 09 09 69 66 20 28 20 70 6f 73 74 46 69 6c 74 65 Data Ascii: mediate processing is necessary[] :// ...otherwise use results directlyresults :matcherIn;// Find primary matchesif ( matcher ) {matcher( matcherIn, matcherOut, context, xml );}// Apply postFilterif ( postFilte
2024-05-24 12:46:39 UTC	16384	IN	Data Raw: 61 74 20 73 74 72 69 6e 67 73 20 74 68 61 74 20 73 74 61 72 74 20 61 6e 64 20 65 6e 64 20 77 69 74 68 20 3c 3e 20 61 72 65 20 48 54 4d 4c 20 61 6e 64 20 73 6b 69 70 20 74 68 65 20 72 65 67 65 78 20 63 68 65 63 6b 0a 09 09 09 09 6d 61 74 63 68 20 3d 20 5b 20 6e 75 6c 6c 2c 20 73 65 6c 65 63 74 6f 72 2c 20 6e 75 6c 6c 20 5d 3b 0a 0a 09 09 09 7d 20 65 6c 73 65 20 7b 0a 09 09 09 09 6d 61 74 63 68 20 3d 20 72 71 75 69 63 6b 45 78 70 72 2e 65 78 65 63 28 20 73 65 6c 65 63 74 6f 72 20 29 3b 0a 09 09 09 7d 0a 0a 09 09 09 2f 2f 20 4d 61 74 63 68 20 68 74 6d 6c 20 6f 72 20 6d 61 6b 65 20 73 75 72 65 20 6e 6f 20 63 6f 6e 74 65 78 74 20 69 73 20 73 70 65 63 69 66 69 65 64 20 66 6f 72 20 23 69 64 0a 09 09 09 69 66 20 28 20 6d 61 74 63 68 20 26 26 20 28 20 6d 61 74 63 Data Ascii: at strings that start and end with <> are HTML and skip the regex checkmatch = [ null, selector, null ];} else {match = rquickExpr.exec( selector );}// Match html or make sure no context is specified for #idif ( match && ( matc
2024-05-24 12:46:39 UTC	16384	IN	Data Raw: 09 72 65 73 6f 6c 76 65 28 20 6d 61 78 44 65 70 74 68 2c 20 64 65 66 65 72 72 65 64 2c 20 49 64 65 6e 74 69 74 79 2c 20 73 70 65 63 69 61 6c 20 29 2c 0a 09 09 09 09 09 09 09 09 09 09 09 09 72 65 73 6f 6c 76 65 28 20 6d 61 78 44 65 70 74 68 2c 20 64 65 66 65 72 72 65 64 2c 20 54 68 72 6f 77 65 72 2c 20 73 70 65 63 69 61 6c 20 29 0a 09 09 09 09 09 09 09 09 09 09 09 29 3b 0a 0a 09 09 09 09 09 09 09 09 09 09 2f 2f 20 4e 6f 72 6d 61 6c 20 70 72 6f 63 65 73 73 6f 72 73 20 28 72 65 73 6f 6c 76 65 29 20 61 6c 73 6f 20 68 6f 6f 6b 20 69 6e 74 6f 20 70 72 6f 67 72 65 73 73 0a 09 09 09 09 09 09 09 09 09 09 7d 20 65 6c 73 65 20 7b 0a 0a 09 09 09 09 09 09 09 09 09 09 09 2f 2f 20 2e 2e 2e 61 6e 64 20 64 69 73 72 65 67 61 72 64 20 6f 6c 64 65 72 20 72 65 73 6f 6c 75 74 Data Ascii: resolve( maxDepth, deferred, Identity, special ),resolve( maxDepth, deferred, Thrower, special ));// Normal processors (resolve) also hook into progress} else {// ...and disregard older resolut
2024-05-24 12:46:39 UTC	16384	IN	Data Raw: 28 20 65 6c 65 6d 2c 20 6e 61 6d 65 20 29 20 7b 0a 09 09 64 61 74 61 55 73 65 72 2e 72 65 6d 6f 76 65 28 20 65 6c 65 6d 2c 20 6e 61 6d 65 20 29 3b 0a 09 7d 2c 0a 0a 09 2f 2f 20 54 4f 44 4f 3a 20 4e 6f 77 20 74 68 61 74 20 61 6c 6c 20 63 61 6c 6c 73 20 74 6f 20 5f 64 61 74 61 20 61 6e 64 20 5f 72 65 6d 6f 76 65 44 61 74 61 20 68 61 76 65 20 62 65 65 6e 20 72 65 70 6c 61 63 65 64 0a 09 2f 2f 20 77 69 74 68 20 64 69 72 65 63 74 20 63 61 6c 6c 73 20 74 6f 20 64 61 74 61 50 72 69 76 20 6d 65 74 68 6f 64 73 2c 20 74 68 65 73 65 20 63 61 6e 20 62 65 20 64 65 70 72 65 63 61 74 65 64 2e 0a 09 5f 64 61 74 61 3a 20 66 75 6e 63 74 69 6f 6e 28 20 65 6c 65 6d 2c 20 6e 61 6d 65 2c 20 64 61 74 61 20 29 20 7b 0a 09 09 72 65 74 75 72 6e 20 64 61 74 61 50 72 69 76 2e 61 63 Data Ascii: ( elem, name ) {dataUser.remove( elem, name );},// TODO: Now that all calls to _data and _removeData have been replaced// with direct calls to dataPriv methods, these can be deprecated._data: function( elem, name, data ) {return dataPriv.ac
2024-05-24 12:46:39 UTC	16384	IN	Data Raw: 68 65 20 65 6c 65 6d 65 6e 74 20 69 73 20 61 6c 72 65 61 64 79 20 61 63 74 69 76 65 2c 0a 2f 2f 20 61 6e 64 20 62 6c 75 72 20 74 6f 20 62 65 20 73 79 6e 63 68 72 6f 6e 6f 75 73 20 77 68 65 6e 20 74 68 65 20 65 6c 65 6d 65 6e 74 20 69 73 20 6e 6f 74 20 61 6c 72 65 61 64 79 20 61 63 74 69 76 65 2e 0a 2f 2f 20 28 66 6f 63 75 73 20 61 6e 64 20 62 6c 75 72 20 61 72 65 20 61 6c 77 61 79 73 20 73 79 6e 63 68 72 6f 6e 6f 75 73 20 69 6e 20 6f 74 68 65 72 20 73 75 70 70 6f 72 74 65 64 20 62 72 6f 77 73 65 72 73 2c 0a 2f 2f 20 74 68 69 73 20 6a 75 73 74 20 64 65 66 69 6e 65 73 20 77 68 65 6e 20 77 65 20 63 61 6e 20 63 6f 75 6e 74 20 6f 6e 20 69 74 29 2e 0a 66 75 6e 63 74 69 6f 6e 20 65 78 70 65 63 74 53 79 6e 63 28 20 65 6c 65 6d 2c 20 74 79 70 65 20 29 20 7b 0a 09 Data Ascii: he element is already active,// and blur to be synchronous when the element is not already active.// (focus and blur are always synchronous in other supported browsers,// this just defines when we can count on it).function expectSync( elem, type ) {
2024-05-24 12:46:39 UTC	16384	IN	Data Raw: 2f 2f 20 6e 61 74 69 76 65 20 65 76 65 6e 74 20 61 6e 64 20 70 72 65 76 65 6e 74 20 74 68 61 74 20 66 72 6f 6d 20 68 61 70 70 65 6e 69 6e 67 20 61 67 61 69 6e 20 68 65 72 65 2e 0a 09 09 09 09 2f 2f 20 54 68 69 73 20 74 65 63 68 6e 69 63 61 6c 6c 79 20 67 65 74 73 20 74 68 65 20 6f 72 64 65 72 69 6e 67 20 77 72 6f 6e 67 20 77 2e 72 2e 74 2e 20 74 6f 20 60 2e 74 72 69 67 67 65 72 28 29 60 20 28 69 6e 20 77 68 69 63 68 20 74 68 65 0a 09 09 09 09 2f 2f 20 62 75 62 62 6c 69 6e 67 20 73 75 72 72 6f 67 61 74 65 20 70 72 6f 70 61 67 61 74 65 73 20 2a 61 66 74 65 72 2a 20 74 68 65 20 6e 6f 6e 2d 62 75 62 62 6c 69 6e 67 20 62 61 73 65 29 2c 20 62 75 74 20 74 68 61 74 20 73 65 65 6d 73 0a 09 09 09 09 2f 2f 20 6c 65 73 73 20 62 61 64 20 74 68 61 6e 20 64 75 70 6c 69 Data Ascii: // native event and prevent that from happening again here.// This technically gets the ordering wrong w.r.t. to `.trigger()` (in which the// bubbling surrogate propagates after the non-bubbling base), but that seems// less bad than dupli

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49739	50.17.48.180	443	2716	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-24 12:46:38 UTC	692	OUT	GET /EWT/v1/Scripts/error_translations.js HTTP/1.1 Host: us-phishalarm-ewt.proofpoint.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Referer: https://us-phishalarm-ewt.proofpoint.com/EWT/v1/I-gv3HeEIA!IXui9LmLmXTYW0ChV3m6g9GXkRGpJg8qmgV35mVjVu2AD89bY2MHfUevS98yZ4i8sUHWveCAqzlrDbIgBYwe6uuq$ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-05-24 12:46:39 UTC	259	IN	HTTP/1.1 200 OK Date: Fri, 24 May 2024 12:46:39 GMT Content-Type: application/javascript; charset=utf-8 Content-Length: 84638 Connection: close Server: nginx Accept-Ranges: bytes ETag: "1da7a24d01efa1e" Last-Modified: Tue, 19 Mar 2024 17:42:29 GMT
2024-05-24 12:46:39 UTC	16125	IN	Data Raw: ef bb bf 63 6f 6e 73 74 20 45 72 72 6f 72 43 6f 64 65 73 20 3d 20 7b 0a 20 20 20 20 30 3a 20 22 44 45 46 41 55 4c 54 22 2c 0a 20 20 20 20 31 3a 20 22 4e 4f 5f 43 52 45 44 45 4e 54 49 41 4c 53 22 2c 0a 20 20 20 20 32 3a 20 22 4e 4f 5f 48 45 41 44 45 52 53 22 2c 0a 20 20 20 20 33 3a 20 22 49 4e 56 41 4c 49 44 5f 43 52 45 44 45 4e 54 49 41 4c 53 22 2c 0a 20 20 20 20 34 3a 20 22 49 4e 56 41 4c 49 44 5f 52 45 47 49 53 54 52 41 54 49 4f 4e 22 2c 0a 20 20 20 20 35 3a 20 22 4e 4f 5f 45 4d 41 49 4c 22 2c 0a 20 20 20 20 2f 2f 20 36 2d 37 20 61 72 65 20 66 6f 72 20 66 75 74 75 72 65 20 65 78 70 61 6e 73 69 6f 6e 0a 20 20 20 20 38 3a 20 22 43 41 43 48 45 44 5f 45 4d 41 49 4c 5f 47 4f 4e 45 22 2c 0a 20 20 20 20 39 3a 20 22 44 4c 5f 45 52 52 4f 52 22 2c 0a 20 20 20 20 Data Ascii: const ErrorCodes = { 0: "DEFAULT", 1: "NO_CREDENTIALS", 2: "NO_HEADERS", 3: "INVALID_CREDENTIALS", 4: "INVALID_REGISTRATION", 5: "NO_EMAIL", // 6-7 are for future expansion 8: "CACHED_EMAIL_GONE", 9: "DL_ERROR",
2024-05-24 12:46:39 UTC	16379	IN	Data Raw: 6b 61 c3 b0 75 20 c3 be 65 73 73 75 6d 20 76 61 66 72 61 67 6c 75 67 67 61 2e 22 2c 0a 20 20 20 20 20 20 20 20 22 49 54 2d 49 54 22 3a 20 22 43 68 69 75 64 69 20 6c 61 20 66 69 6e 65 73 74 72 61 20 64 65 6c 20 62 72 6f 77 73 65 72 2e 22 2c 0a 20 20 20 20 20 20 20 20 22 4a 41 2d 4a 50 22 3a 20 22 e3 81 93 e3 81 ae e3 83 96 e3 83 a9 e3 82 a6 e3 82 b6 e3 81 ae e3 82 a6 e3 82 a3 e3 83 b3 e3 83 89 e3 82 a6 e3 82 92 e9 96 89 e3 81 98 e3 81 a6 e3 81 8f e3 81 a0 e3 81 95 e3 81 84 e3 80 82 22 2c 0a 20 20 20 20 20 20 20 20 22 4b 4d 2d 4b 48 22 3a 20 22 e1 9e 9f e1 9e bc e1 9e 98 e1 9e 94 e1 9e b7 e1 9e 91 e2 80 8b e1 9e 95 e1 9f 92 e1 9e 91 e1 9e b6 e1 9f 86 e1 9e 84 e1 9e 9c e1 9e b7 e1 9e 93 e1 9e 8a e1 9e bc e1 9e 80 e1 9e 98 e1 9f 92 e1 9e 98 e1 9e 9c e1 9e b7 Data Ascii: kau essum vafraglugga.", "IT-IT": "Chiudi la finestra del browser.", "JA-JP": "", "KM-KH": "
2024-05-24 12:46:39 UTC	16384	IN	Data Raw: e1 80 ab e1 80 85 e1 80 b1 e1 81 8b 22 2c 0a 20 20 20 20 20 20 20 20 22 4e 4c 2d 4e 4c 22 3a 20 22 44 65 20 61 61 6e 6d 65 6c 64 67 65 67 65 76 65 6e 73 20 76 6f 6f 72 20 45 78 63 68 61 6e 67 65 2f 4f 33 36 35 20 6b 6f 6e 64 65 6e 20 6e 69 65 74 20 6f 70 67 65 68 61 61 6c 64 20 77 6f 72 64 65 6e 2e 20 5a 6f 72 67 20 65 72 76 6f 6f 72 20 64 61 74 20 75 77 20 62 65 68 65 65 72 64 65 72 20 75 77 20 61 61 6e 6d 65 6c 64 67 65 67 65 76 65 6e 73 20 69 6e 20 68 65 74 20 74 72 61 69 6e 69 6e 67 73 70 6c 61 74 66 6f 72 6d 20 76 6f 6f 72 20 76 65 69 6c 69 67 68 65 69 64 73 62 65 77 75 73 74 7a 69 6a 6e 20 69 6e 67 65 73 74 65 6c 64 20 68 65 65 66 74 2e 22 2c 0a 20 20 20 20 20 20 20 20 22 4e 4f 2d 4e 4f 22 3a 20 22 45 78 63 68 61 6e 67 65 20 2f 20 4f 33 36 35 20 70 Data Ascii: ", "NL-NL": "De aanmeldgegevens voor Exchange/O365 konden niet opgehaald worden. Zorg ervoor dat uw beheerder uw aanmeldgegevens in het trainingsplatform voor veiligheidsbewustzijn ingesteld heeft.", "NO-NO": "Exchange / O365 p
2024-05-24 12:46:39 UTC	16384	IN	Data Raw: 20 20 20 20 20 20 22 49 53 2d 49 53 22 3a 20 22 46 c3 a1 69 c3 b0 20 73 74 61 c3 b0 66 65 73 74 69 6e 67 75 20 68 6a c3 a1 20 6b 65 72 66 69 73 73 74 6a c3 b3 72 61 20 75 6d 20 61 c3 b0 20 6e 65 74 66 61 6e 67 69 c3 b0 20 73 c3 a9 20 73 6b 72 c3 a1 c3 b0 20 c3 a1 20 c3 9e 6a c3 a1 6c 66 75 6e 61 72 76 65 72 6b 76 61 6e 67 69 6e 75 6d 20 66 79 72 69 72 20 c3 b6 72 79 67 67 69 73 76 69 74 75 6e 64 2e 22 2c 0a 20 20 20 20 20 20 20 20 22 49 54 2d 49 54 22 3a 20 22 56 65 72 69 66 69 63 61 72 65 20 63 6f 6e 20 6c e2 80 99 61 6d 6d 69 6e 69 73 74 72 61 74 6f 72 65 20 63 68 65 20 6c e2 80 99 69 6e 64 69 72 69 7a 7a 6f 20 65 2d 6d 61 69 6c 20 73 69 61 20 72 65 67 69 73 74 72 61 74 6f 20 6e 65 6c 6c 61 20 70 69 61 74 74 61 66 6f 72 6d 61 20 64 65 6c 20 63 6f 72 73 Data Ascii: "IS-IS": "Fi stafestingu hj kerfisstjra um a netfangi s skr jlfunarverkvanginum fyrir ryggisvitund.", "IT-IT": "Verificare con lamministratore che lindirizzo e-mail sia registrato nella piattaforma del cors
2024-05-24 12:46:39 UTC	16384	IN	Data Raw: 63 69 61 20 61 6f 20 63 6c 69 65 6e 74 65 2e 22 2c 0a 20 20 20 20 20 20 20 20 22 52 4f 2d 52 4f 22 3a 20 22 52 61 70 6f 72 74 75 6c 20 64 76 73 2e 20 61 20 65 78 70 69 72 61 74 2e 20 56 c4 83 20 72 75 67 c4 83 6d 20 73 c4 83 20 c3 ae 6e 63 65 72 63 61 c8 9b 69 20 64 69 6e 20 6e 6f 75 2e 20 44 61 63 c4 83 20 61 63 65 61 73 74 c4 83 20 65 72 6f 61 72 65 20 73 65 20 72 65 70 65 74 c4 83 2c 20 76 c4 83 20 72 75 67 c4 83 6d 20 73 c4 83 20 63 6f 6e 74 61 63 74 61 c8 9b 69 20 73 65 72 76 69 63 69 75 6c 20 64 65 20 61 73 69 73 74 65 6e c8 9b c4 83 2e 22 2c 0a 20 20 20 20 20 20 20 20 22 52 55 2d 52 55 22 3a 20 22 d0 92 d1 80 d0 b5 d0 bc d1 8f 20 d0 b2 d0 b0 d1 88 d0 b5 d0 b3 d0 be 20 d0 be d1 82 d1 87 d0 b5 d1 82 d0 b0 20 d0 b8 d1 81 d1 82 d0 b5 d0 ba d0 bb d0 be Data Ascii: cia ao cliente.", "RO-RO": "Raportul dvs. a expirat. V rugm s ncercai din nou. Dac aceast eroare se repet, v rugm s contactai serviciul de asisten.", "RU-RU": "
2024-05-24 12:46:39 UTC	2982	IN	Data Raw: 72 20 73 75 62 6d 69 74 20 61 20 63 6f 70 79 20 74 6f 20 49 54 20 64 69 72 65 63 74 6c 79 2e 22 2c 0a 20 20 20 20 20 20 20 20 22 4d 59 2d 4d 4d 22 3a 20 22 54 68 65 20 65 6d 61 69 6c 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 72 65 70 6f 72 74 65 64 20 76 69 61 20 45 6d 61 69 6c 20 57 61 72 6e 69 6e 67 20 54 61 67 73 2e 20 50 6c 65 61 73 65 20 72 65 70 6f 72 74 20 74 68 69 73 20 6d 65 73 73 61 67 65 20 75 73 69 6e 67 20 74 68 65 20 62 75 74 74 6f 6e 20 69 6e 20 79 6f 75 72 20 6d 61 69 6c 20 63 6c 69 65 6e 74 20 6f 72 20 73 75 62 6d 69 74 20 61 20 63 6f 70 79 20 74 6f 20 49 54 20 64 69 72 65 63 74 6c 79 2e 22 2c 0a 20 20 20 20 20 20 20 20 22 4e 4c 2d 4e 4c 22 3a 20 22 54 68 65 20 65 6d 61 69 6c 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 72 65 70 6f 72 74 65 Data Ascii: r submit a copy to IT directly.", "MY-MM": "The email could not be reported via Email Warning Tags. Please report this message using the button in your mail client or submit a copy to IT directly.", "NL-NL": "The email could not be reporte

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49741	50.17.48.180	443	2716	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-24 12:46:38 UTC	671	OUT	GET /EWT/v1/jslog.js HTTP/1.1 Host: us-phishalarm-ewt.proofpoint.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Referer: https://us-phishalarm-ewt.proofpoint.com/EWT/v1/I-gv3HeEIA!IXui9LmLmXTYW0ChV3m6g9GXkRGpJg8qmgV35mVjVu2AD89bY2MHfUevS98yZ4i8sUHWveCAqzlrDbIgBYwe6uuq$ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-05-24 12:46:39 UTC	221	IN	HTTP/1.1 200 OK Date: Fri, 24 May 2024 12:46:38 GMT Content-Type: text/javascript; charset=UTF-8 Transfer-Encoding: chunked Connection: close Server: nginx X-PFPT-ApiTraceId: dac4aa3c-4e02-468a-95b9-a367accdbf9f
2024-05-24 12:46:39 UTC	4741	IN	Data Raw: 31 32 37 64 0d 0a 21 28 66 75 6e 63 74 69 6f 6e 20 73 63 72 69 70 74 49 6e 69 74 20 28 77 69 6e 64 6f 77 29 20 7b 0d 0a 20 20 20 20 76 61 72 20 63 75 73 74 6f 6d 50 72 6f 70 73 20 3d 20 7b 7d 2c 20 5f 75 72 6c 20 3d 20 27 2f 6a 73 27 2c 20 5f 68 65 61 64 65 72 73 20 3d 20 7b 7d 3b 0d 0a 20 20 20 20 66 75 6e 63 74 69 6f 6e 20 72 65 70 6f 72 74 28 6d 65 73 73 61 67 65 2c 20 65 78 2c 20 73 65 76 65 72 69 74 79 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 74 72 79 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 6d 73 67 20 3d 20 74 79 70 65 6f 66 20 6d 65 73 73 61 67 65 20 3d 3d 3d 20 27 73 74 72 69 6e 67 27 20 3f 20 6d 65 73 73 61 67 65 20 3a 20 74 79 70 65 6f 66 20 65 78 20 3d 3d 3d 20 27 6d 65 73 73 61 67 65 27 20 3f 20 65 78 20 3a 20 27 27 3b 0d 0a Data Ascii: 127d!(function scriptInit (window) { var customProps = {}, _url = '/js', _headers = {}; function report(message, ex, severity) { try { var msg = typeof message === 'string' ? message : typeof ex === 'message' ? ex : '';
2024-05-24 12:46:39 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49740	50.17.48.180	443	2716	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-24 12:46:38 UTC	743	OUT	GET /EWT/v1/images/pfpt-logo.png HTTP/1.1 Host: us-phishalarm-ewt.proofpoint.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://us-phishalarm-ewt.proofpoint.com/EWT/v1/I-gv3HeEIA!IXui9LmLmXTYW0ChV3m6g9GXkRGpJg8qmgV35mVjVu2AD89bY2MHfUevS98yZ4i8sUHWveCAqzlrDbIgBYwe6uuq$ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-05-24 12:46:39 UTC	230	IN	HTTP/1.1 200 OK Date: Fri, 24 May 2024 12:46:39 GMT Content-Type: image/png Content-Length: 5851 Connection: close Server: nginx Accept-Ranges: bytes ETag: "1da7a24d01fa65b" Last-Modified: Tue, 19 Mar 2024 17:42:29 GMT
2024-05-24 12:46:39 UTC	5851	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 7d 00 00 00 22 08 06 00 00 00 72 58 d6 07 00 00 00 c5 7a 54 58 74 52 61 77 20 70 72 6f 66 69 6c 65 20 74 79 70 65 20 65 78 69 66 00 00 78 da 6d 50 5b 0e c3 20 0c fb cf 29 76 04 f2 28 84 e3 d0 b5 93 76 83 1d 7f a6 a4 53 d9 66 29 c1 c4 91 09 a1 fd f5 7c d0 ad 43 d8 c8 96 e2 b9 e6 9c 00 ab 56 a5 81 78 1a 68 47 e6 64 47 3e 50 b6 d0 78 ae 93 48 08 82 92 e2 d4 71 f5 1c fd 67 9d 3f 06 e3 68 60 cb c5 c8 ef 21 ac b3 50 2d fc fd cb 28 1e d6 3e 51 e7 31 21 d5 30 52 19 02 87 41 1b df 4a b9 7a b9 7e 61 dd d3 0c 1f 41 3d 99 cf 63 ff dc 0b b6 b7 2d 78 47 45 76 65 4d c8 aa 36 06 d0 1e 4a da 40 0a 32 2b d6 01 5e c1 0d 6d 0d e1 61 86 85 fc db d3 09 7a 03 32 70 59 4e 97 ed e2 26 00 00 01 85 69 43 43 50 49 43 43 20 70 Data Ascii: PNGIHDR}"rXzTXtRaw profile type exifxmP[ )v(vSf)\|CVxhGdG>PxHqg?h`!P-(>Q1!0RAJz~aA=c-xGEveM6J@2+^maz2pYN&iCCPICC p

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49743	50.17.48.180	443	2716	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-24 12:46:40 UTC	727	OUT	GET /favicon.ico HTTP/1.1 Host: us-phishalarm-ewt.proofpoint.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://us-phishalarm-ewt.proofpoint.com/EWT/v1/I-gv3HeEIA!IXui9LmLmXTYW0ChV3m6g9GXkRGpJg8qmgV35mVjVu2AD89bY2MHfUevS98yZ4i8sUHWveCAqzlrDbIgBYwe6uuq$ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-05-24 12:46:40 UTC	173	IN	HTTP/1.1 404 Not Found Date: Fri, 24 May 2024 12:46:40 GMT Content-Length: 0 Connection: close Server: nginx X-PFPT-ApiTraceId: 9f6732da-e098-493e-b58b-772af077067a

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49744	52.1.130.164	443	2716	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-24 12:46:40 UTC	383	OUT	GET /EWT/v1/images/pfpt-logo.png HTTP/1.1 Host: us-phishalarm-ewt.proofpoint.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: / Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-05-24 12:46:40 UTC	230	IN	HTTP/1.1 200 OK Date: Fri, 24 May 2024 12:46:40 GMT Content-Type: image/png Content-Length: 5851 Connection: close Server: nginx Accept-Ranges: bytes ETag: "1da7a24d01fa65b" Last-Modified: Tue, 19 Mar 2024 17:42:29 GMT
2024-05-24 12:46:40 UTC	5851	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 7d 00 00 00 22 08 06 00 00 00 72 58 d6 07 00 00 00 c5 7a 54 58 74 52 61 77 20 70 72 6f 66 69 6c 65 20 74 79 70 65 20 65 78 69 66 00 00 78 da 6d 50 5b 0e c3 20 0c fb cf 29 76 04 f2 28 84 e3 d0 b5 93 76 83 1d 7f a6 a4 53 d9 66 29 c1 c4 91 09 a1 fd f5 7c d0 ad 43 d8 c8 96 e2 b9 e6 9c 00 ab 56 a5 81 78 1a 68 47 e6 64 47 3e 50 b6 d0 78 ae 93 48 08 82 92 e2 d4 71 f5 1c fd 67 9d 3f 06 e3 68 60 cb c5 c8 ef 21 ac b3 50 2d fc fd cb 28 1e d6 3e 51 e7 31 21 d5 30 52 19 02 87 41 1b df 4a b9 7a b9 7e 61 dd d3 0c 1f 41 3d 99 cf 63 ff dc 0b b6 b7 2d 78 47 45 76 65 4d c8 aa 36 06 d0 1e 4a da 40 0a 32 2b d6 01 5e c1 0d 6d 0d e1 61 86 85 fc db d3 09 7a 03 32 70 59 4e 97 ed e2 26 00 00 01 85 69 43 43 50 49 43 43 20 70 Data Ascii: PNGIHDR}"rXzTXtRaw profile type exifxmP[ )v(vSf)\|CVxhGdG>PxHqg?h`!P-(>Q1!0RAJz~aA=c-xGEveM6J@2+^maz2pYN&iCCPICC p

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49746	2.19.244.127	443

Timestamp	Bytes transferred	Direction	Data
2024-05-24 12:46:41 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-05-24 12:46:41 UTC	467	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-eus-z1 Cache-Control: public, max-age=184933 Date: Fri, 24 May 2024 12:46:41 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49748	2.19.244.127	443

Timestamp	Bytes transferred	Direction	Data
2024-05-24 12:46:42 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-05-24 12:46:42 UTC	535	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Tue, 16 May 2017 22:58:00 GMT ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json X-Azure-Ref: 0WwMRYwAAAABe7whxSEuqSJRuLqzPsqCaTE9OMjFFREdFMTcxNQBjZWZjMjU4My1hOWIyLTQ0YTctOTc1NS1iNzZkMTdlMDVmN2Y= Cache-Control: public, max-age=184978 Date: Fri, 24 May 2024 12:46:42 GMT Content-Length: 55 Connection: close X-CID: 2
2024-05-24 12:46:42 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: chrome.exePID: 4144, Parent PID: 1076

General

Target ID:	0
Start time:	08:46:31
Start date:	24/05/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 2716, Parent PID: 4144

General

Target ID:	2
Start time:	08:46:34
Start date:	24/05/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 --field-trial-handle=1568,i,8042035595341962039,8795045047212554398,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 6440, Parent PID: 1076

General

Target ID:	3
Start time:	08:46:36
Start date:	24/05/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://us-phishalarm-ewt.proofpoint.com/EWT/v1/I-gv3HeEIA!IXui9LmLmXTYW0ChV3m6g9GXkRGpJg8qmgV35mVjVu2AD89bY2MHfUevS98yZ4i8sUHWveCAqzlrDbIgBYwe6uuq$"
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://us-phishalarm-ewt.proofpoint.com/EWT/v1/I-gv3HeEIA!IXui9LmLmXTYW0ChV3m6g9GXkRGpJg8qmgV35mVjVu2AD89bY2MHfUevS98yZ4i8sUHWveCAqzlrDbIgBYwe6uuq$

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Phishing

Compliance

Networking

System Summary

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Chrome Cache Entry: 46

Chrome Cache Entry: 47

Chrome Cache Entry: 48

Chrome Cache Entry: 49

Chrome Cache Entry: 50

Chrome Cache Entry: 51

Chrome Cache Entry: 52

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: chrome.exePID: 4144, Parent PID: 1076

General

Chronological Activities

Analysis Process: chrome.exePID: 2716, Parent PID: 4144

General

Chronological Activities

Analysis Process: chrome.exePID: 6440, Parent PID: 1076

Windows Analysis Report
https://us-phishalarm-ewt.proofpoint.com/EWT/v1/I-gv3HeEIA!IXui9LmLmXTYW0ChV3m6g9GXkRGpJg8qmgV35mVjVu2AD89bY2MHfUevS98yZ4i8sUHWveCAqzlrDbIgBYwe6uuq$