Edit tour

Windows Analysis Report
https://www3.hownd.com/go?s=Qv0FObPLnDm_z0vXeQVYT_YiwJnPLOFHrkdlluc1NkDk-6Gp5q43EPz2cFAbSUj6MHz814Al_ASv8pHvMlX2Vn768MdU8GYnzxsFrQ==

Overview

General Information

Sample URL:	https://www3.hownd.com/go?s=Qv0FObPLnDm_z0vXeQVYT_YiwJnPLOFHrkdlluc1NkDk-6Gp5q43EPz2cFAbSUj6MHz814Al_ASv8pHvMlX2Vn768MdU8GYnzxsFrQ==
Analysis ID:	1467864
Infos:

Detection

Score:	0
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Stores files to the Windows start menu directory

Classification

Process Tree

System is w10x64_ra

chrome.exe (PID: 6896 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www3.hownd.com/go?s=Qv0FObPLnDm_z0vXeQVYT_YiwJnPLOFHrkdlluc1NkDk-6Gp5q43EPz2cFAbSUj6MHz814Al_ASv8pHvMlX2Vn768MdU8GYnzxsFrQ== MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6360 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 --field-trial-handle=1876,i,5848461165673472631,14503253527738666784,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.16:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.16:49718 version: TLS 1.2

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203

Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=+Fhaa8S9znhtBdD&MD=1KgRtc2y HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=+Fhaa8S9znhtBdD&MD=1KgRtc2y HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Source: global traffic	DNS traffic detected: DNS query: www3.hownd.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443

Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.16:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.16:49718 version: TLS 1.2

Source: classification engine

Classification label: clean0.win@16/6@4/4

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Jump to behavior

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www3.hownd.com/go?s=Qv0FObPLnDm_z0vXeQVYT_YiwJnPLOFHrkdlluc1NkDk-6Gp5q43EPz2cFAbSUj6MHz814Al_ASv8pHvMlX2Vn768MdU8GYnzxsFrQ==
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 --field-trial-handle=1876,i,5848461165673472631,14503253527738666784,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 --field-trial-handle=1876,i,5848461165673472631,14503253527738666784,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Google Drive.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	1 Process Injection	1 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
https://www3.hownd.com/go?s=Qv0FObPLnDm_z0vXeQVYT_YiwJnPLOFHrkdlluc1NkDk-6Gp5q43EPz2cFAbSUj6MHz814Al_ASv8pHvMlX2Vn768MdU8GYnzxsFrQ==	0%	Avira URL Cloud	safe

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
mainlb.mycorpprovider.com	15.204.31.59	true	false	unknown
www.google.com	216.58.206.68	true	false	unknown
www3.hownd.com	unknown	unknown	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
239.255.255.250	unknown	Reserved	unknown	unknown	false
15.204.31.59	mainlb.mycorpprovider.com	United States	71	HP-INTERNET-ASUS	false
216.58.206.68	www.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.16

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1467864
Start date and time:	2024-07-04 23:49:36 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Sample URL:	https://www3.hownd.com/go?s=Qv0FObPLnDm_z0vXeQVYT_YiwJnPLOFHrkdlluc1NkDk-6Gp5q43EPz2cFAbSUj6MHz814Al_ASv8pHvMlX2Vn768MdU8GYnzxsFrQ==
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean0.win@16/6@4/4
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 172.217.18.99, 142.250.186.78, 64.233.166.84, 34.104.35.123, 216.58.212.131, 172.217.16.131
Excluded domains from analysis (whitelisted): fs.microsoft.com, clients2.google.com, accounts.google.com, edgedl.me.gvt1.com, slscr.update.microsoft.com, update.googleapis.com, clientservices.googleapis.com, clients.l.google.com, www.gstatic.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: https://www3.hownd.com/go?s=Qv0FObPLnDm_z0vXeQVYT_YiwJnPLOFHrkdlluc1NkDk-6Gp5q43EPz2cFAbSUj6MHz814Al_ASv8pHvMlX2Vn768MdU8GYnzxsFrQ==

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Jul 4 20:50:06 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2673
Entropy (8bit):	3.9921542456398793
Encrypted:	false
SSDEEP:	48:80dTTbHSHSidAKZdA1FehwiZUklqehDy+3:84/TIy
MD5:	50AE64FEA5A97DE6D7A956AFFA791FE5
SHA1:	426E84B90C3B43571D43CEC7A6BDDC4AC326424B
SHA-256:	F0F11546BA7CB827230C28F5F099464A59BEF45430A24725F21BC395CDFF71C7
SHA-512:	ED0C6F3BEF2AD5BBE6556E702275B1C17FFEF53ACEB19D011CA8145AE3C420CC2E6479BC2058F1873D95AA28174BC3D10E4BD9C231057233FE18DDD3F18AF09F
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.......!\...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.X8.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.XB.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.XB.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.XB............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.XC............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i....................C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Jul 4 20:50:06 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2675
Entropy (8bit):	4.007788408093365
Encrypted:	false
SSDEEP:	48:8xdTTbHSHSidAKZdA1seh/iZUkAQkqeh4y+2:8H/99Qhy
MD5:	891ECB1BE8D442D0FCF4E2A242D37FE2
SHA1:	F025A68474FCFE2C4386DCB560B8EA54C0E2D986
SHA-256:	A6916CFAFB7B25DE681CE4AA1DF92BB8848C3E4D6F1721AC7F65DBE0F4B3179F
SHA-512:	0A23D73C353AC15961E7B1A6DF2C63FA1251860425C9F6B913370EE277F3AB0C54EC25A36AD6BA28B56F615814397427FA274B380921B35FD23E98D1DD457ABA
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....._.!\...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.X8.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.XB.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.XB.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.XB............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.XC............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i....................C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:05:01 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2689
Entropy (8bit):	4.017123541995265
Encrypted:	false
SSDEEP:	48:86dTTbHAHSidAKZdA14meh7sFiZUkmgqeh7sey+BX:8e/LnMy
MD5:	6DA51EF533F00A2A252841D5648C2450
SHA1:	D13DDBF3FED96844780F239C52059524C2A3F70E
SHA-256:	806F73941AD747AAB0200375CB10B8465DC8DF4C7251DDB15F3F638BF01DC90A
SHA-512:	20964DEFC24016D0B106750C135C3B85AC04475C2A4584C166B80E8B188A7B090EDD154165097771F78F92CB8FFC5460115CD87EC6C58B1F70F2A034D7C7B848
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.....Y.04...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.X8.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.XB.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.XB.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.XB............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VFW.E...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i....................C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Jul 4 20:50:05 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	4.006359940289466
Encrypted:	false
SSDEEP:	48:8odTTbHSHSidAKZdA1TehDiZUkwqehEy+R:8s/OWy
MD5:	E1E4588559EA02B7CAE255FD84C31AAD
SHA1:	15A92EC8370079129E369F5FCB7A8A75B6D4CCED
SHA-256:	D1936F1FC6B4F7460972AB115F630EA45693AC15C1D668E73F97992DEEBE588F
SHA-512:	9D18EF0D341FF18D55E01537E1728C4EDF352ACD13E0115DB7D35FEADABB168426CBCE7583577BC07916ACCF135A908379CED74B3E47DD54089756C6F95CB073
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.....V.!\...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.X8.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.XB.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.XB.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.XB............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.XC............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i....................C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Jul 4 20:50:06 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.99458123416934
Encrypted:	false
SSDEEP:	48:8IdTTbHSHSidAKZdA1dehBiZUk1W1qehSy+C:8M/e9yy
MD5:	FE91E881703E01833D4E83A37F9C97D0
SHA1:	11ECE1686F7A7F72841A77FA1C5ADF7D8622B7BD
SHA-256:	06BECE3F2EA2CC54440BA4F541D96001DBB6D15F85EB33A9BEB559F15EC61927
SHA-512:	61AAD85542B89A25F7E26C037A90A5BFBFDEA68CE3D2565529AA1A6666101D62C7AEAB3FC847BCA05F4DFD80255BF82CF2B21CC062784410E36FD08DBD4F51F0
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.......!\...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.X8.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.XB.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.XB.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.XB............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.XC............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i....................C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Jul 4 20:50:05 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	4.006959614178174
Encrypted:	false
SSDEEP:	48:8xdTTbHSHSidAKZdA1duTeehOuTbbiZUk5OjqehOuTbMy+yT+:8H/UTfTbxWOvTbMy7T
MD5:	89EEEB8C4B5E4E164DA437BE993808F8
SHA1:	D9B192B193442624EDD0FFBD64ECC5DA6FE510B3
SHA-256:	2C66EC8BDEBD481D8CB7CA71554B96F2819DBE5F881172B5EF609BE884256B30
SHA-512:	296B62F2028D7C720E23EA7E210EAD5617B0975E26B5670D0AED73FE1945AE85104DB642782DB0A4369BFF9B8441DC14FC4A3A3C2F741480472A7D42DDEAD996
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.......!\...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.X8.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.XB.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.XB.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.XB............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.XC............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i....................C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Static File Info

⊘No static file info

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 4, 2024 23:50:05.055035114 CEST	49704	443	192.168.2.16	15.204.31.59
Jul 4, 2024 23:50:05.055066109 CEST	443	49704	15.204.31.59	192.168.2.16
Jul 4, 2024 23:50:05.055126905 CEST	49704	443	192.168.2.16	15.204.31.59
Jul 4, 2024 23:50:05.055685043 CEST	49704	443	192.168.2.16	15.204.31.59
Jul 4, 2024 23:50:05.055696964 CEST	443	49704	15.204.31.59	192.168.2.16
Jul 4, 2024 23:50:09.848066092 CEST	49708	443	192.168.2.16	216.58.206.68
Jul 4, 2024 23:50:09.848126888 CEST	443	49708	216.58.206.68	192.168.2.16
Jul 4, 2024 23:50:09.848216057 CEST	49708	443	192.168.2.16	216.58.206.68
Jul 4, 2024 23:50:09.848438025 CEST	49708	443	192.168.2.16	216.58.206.68
Jul 4, 2024 23:50:09.848468065 CEST	443	49708	216.58.206.68	192.168.2.16
Jul 4, 2024 23:50:11.306333065 CEST	49673	443	192.168.2.16	204.79.197.203
Jul 4, 2024 23:50:11.536525011 CEST	443	49708	216.58.206.68	192.168.2.16
Jul 4, 2024 23:50:11.536935091 CEST	49708	443	192.168.2.16	216.58.206.68
Jul 4, 2024 23:50:11.536979914 CEST	443	49708	216.58.206.68	192.168.2.16
Jul 4, 2024 23:50:11.537837982 CEST	443	49708	216.58.206.68	192.168.2.16
Jul 4, 2024 23:50:11.537925959 CEST	49708	443	192.168.2.16	216.58.206.68
Jul 4, 2024 23:50:11.538902044 CEST	49708	443	192.168.2.16	216.58.206.68
Jul 4, 2024 23:50:11.538964987 CEST	443	49708	216.58.206.68	192.168.2.16
Jul 4, 2024 23:50:11.592936039 CEST	49708	443	192.168.2.16	216.58.206.68
Jul 4, 2024 23:50:11.592958927 CEST	443	49708	216.58.206.68	192.168.2.16
Jul 4, 2024 23:50:11.611124992 CEST	49673	443	192.168.2.16	204.79.197.203
Jul 4, 2024 23:50:11.640948057 CEST	49708	443	192.168.2.16	216.58.206.68
Jul 4, 2024 23:50:12.216860056 CEST	49673	443	192.168.2.16	204.79.197.203
Jul 4, 2024 23:50:13.424885988 CEST	49673	443	192.168.2.16	204.79.197.203
Jul 4, 2024 23:50:15.827888966 CEST	49673	443	192.168.2.16	204.79.197.203
Jul 4, 2024 23:50:16.635178089 CEST	49712	443	192.168.2.16	20.12.23.50
Jul 4, 2024 23:50:16.635207891 CEST	443	49712	20.12.23.50	192.168.2.16
Jul 4, 2024 23:50:16.635298014 CEST	49712	443	192.168.2.16	20.12.23.50
Jul 4, 2024 23:50:16.636924028 CEST	49712	443	192.168.2.16	20.12.23.50
Jul 4, 2024 23:50:16.636934042 CEST	443	49712	20.12.23.50	192.168.2.16
Jul 4, 2024 23:50:17.274279118 CEST	443	49712	20.12.23.50	192.168.2.16
Jul 4, 2024 23:50:17.274386883 CEST	49712	443	192.168.2.16	20.12.23.50
Jul 4, 2024 23:50:17.277426958 CEST	49712	443	192.168.2.16	20.12.23.50
Jul 4, 2024 23:50:17.277434111 CEST	443	49712	20.12.23.50	192.168.2.16
Jul 4, 2024 23:50:17.277650118 CEST	443	49712	20.12.23.50	192.168.2.16
Jul 4, 2024 23:50:17.330883980 CEST	49712	443	192.168.2.16	20.12.23.50
Jul 4, 2024 23:50:17.335148096 CEST	49712	443	192.168.2.16	20.12.23.50
Jul 4, 2024 23:50:17.380496025 CEST	443	49712	20.12.23.50	192.168.2.16
Jul 4, 2024 23:50:17.492320061 CEST	49713	443	192.168.2.16	184.28.90.27
Jul 4, 2024 23:50:17.492373943 CEST	443	49713	184.28.90.27	192.168.2.16
Jul 4, 2024 23:50:17.492466927 CEST	49713	443	192.168.2.16	184.28.90.27
Jul 4, 2024 23:50:17.493437052 CEST	49713	443	192.168.2.16	184.28.90.27
Jul 4, 2024 23:50:17.493452072 CEST	443	49713	184.28.90.27	192.168.2.16
Jul 4, 2024 23:50:17.548240900 CEST	443	49712	20.12.23.50	192.168.2.16
Jul 4, 2024 23:50:17.548259020 CEST	443	49712	20.12.23.50	192.168.2.16
Jul 4, 2024 23:50:17.548266888 CEST	443	49712	20.12.23.50	192.168.2.16
Jul 4, 2024 23:50:17.548297882 CEST	443	49712	20.12.23.50	192.168.2.16
Jul 4, 2024 23:50:17.548312902 CEST	443	49712	20.12.23.50	192.168.2.16
Jul 4, 2024 23:50:17.548325062 CEST	443	49712	20.12.23.50	192.168.2.16
Jul 4, 2024 23:50:17.548357010 CEST	49712	443	192.168.2.16	20.12.23.50
Jul 4, 2024 23:50:17.548367977 CEST	443	49712	20.12.23.50	192.168.2.16
Jul 4, 2024 23:50:17.548386097 CEST	49712	443	192.168.2.16	20.12.23.50
Jul 4, 2024 23:50:17.548410892 CEST	49712	443	192.168.2.16	20.12.23.50
Jul 4, 2024 23:50:17.549251080 CEST	443	49712	20.12.23.50	192.168.2.16
Jul 4, 2024 23:50:17.549320936 CEST	49712	443	192.168.2.16	20.12.23.50
Jul 4, 2024 23:50:17.549324989 CEST	443	49712	20.12.23.50	192.168.2.16
Jul 4, 2024 23:50:17.549937010 CEST	443	49712	20.12.23.50	192.168.2.16
Jul 4, 2024 23:50:17.549979925 CEST	49712	443	192.168.2.16	20.12.23.50
Jul 4, 2024 23:50:17.560005903 CEST	49712	443	192.168.2.16	20.12.23.50
Jul 4, 2024 23:50:17.560017109 CEST	443	49712	20.12.23.50	192.168.2.16
Jul 4, 2024 23:50:17.560026884 CEST	49712	443	192.168.2.16	20.12.23.50
Jul 4, 2024 23:50:17.560031891 CEST	443	49712	20.12.23.50	192.168.2.16
Jul 4, 2024 23:50:18.187351942 CEST	443	49713	184.28.90.27	192.168.2.16
Jul 4, 2024 23:50:18.187427998 CEST	49713	443	192.168.2.16	184.28.90.27
Jul 4, 2024 23:50:18.190124035 CEST	49713	443	192.168.2.16	184.28.90.27
Jul 4, 2024 23:50:18.190135956 CEST	443	49713	184.28.90.27	192.168.2.16
Jul 4, 2024 23:50:18.190336943 CEST	443	49713	184.28.90.27	192.168.2.16
Jul 4, 2024 23:50:18.227121115 CEST	49713	443	192.168.2.16	184.28.90.27
Jul 4, 2024 23:50:18.268507957 CEST	443	49713	184.28.90.27	192.168.2.16
Jul 4, 2024 23:50:18.468324900 CEST	443	49713	184.28.90.27	192.168.2.16
Jul 4, 2024 23:50:18.468364954 CEST	443	49713	184.28.90.27	192.168.2.16
Jul 4, 2024 23:50:18.468451023 CEST	49713	443	192.168.2.16	184.28.90.27
Jul 4, 2024 23:50:18.468519926 CEST	49713	443	192.168.2.16	184.28.90.27
Jul 4, 2024 23:50:18.468537092 CEST	443	49713	184.28.90.27	192.168.2.16
Jul 4, 2024 23:50:18.468554974 CEST	49713	443	192.168.2.16	184.28.90.27
Jul 4, 2024 23:50:18.468559980 CEST	443	49713	184.28.90.27	192.168.2.16
Jul 4, 2024 23:50:18.500243902 CEST	49714	443	192.168.2.16	184.28.90.27
Jul 4, 2024 23:50:18.500272989 CEST	443	49714	184.28.90.27	192.168.2.16
Jul 4, 2024 23:50:18.500380039 CEST	49714	443	192.168.2.16	184.28.90.27
Jul 4, 2024 23:50:18.500626087 CEST	49714	443	192.168.2.16	184.28.90.27
Jul 4, 2024 23:50:18.500646114 CEST	443	49714	184.28.90.27	192.168.2.16
Jul 4, 2024 23:50:19.181941032 CEST	443	49714	184.28.90.27	192.168.2.16
Jul 4, 2024 23:50:19.182049990 CEST	49714	443	192.168.2.16	184.28.90.27
Jul 4, 2024 23:50:19.183434963 CEST	49714	443	192.168.2.16	184.28.90.27
Jul 4, 2024 23:50:19.183448076 CEST	443	49714	184.28.90.27	192.168.2.16
Jul 4, 2024 23:50:19.183681965 CEST	443	49714	184.28.90.27	192.168.2.16
Jul 4, 2024 23:50:19.184740067 CEST	49714	443	192.168.2.16	184.28.90.27
Jul 4, 2024 23:50:19.228504896 CEST	443	49714	184.28.90.27	192.168.2.16
Jul 4, 2024 23:50:19.464186907 CEST	49678	443	192.168.2.16	20.189.173.10
Jul 4, 2024 23:50:19.467243910 CEST	443	49714	184.28.90.27	192.168.2.16
Jul 4, 2024 23:50:19.467294931 CEST	443	49714	184.28.90.27	192.168.2.16
Jul 4, 2024 23:50:19.467530966 CEST	49714	443	192.168.2.16	184.28.90.27
Jul 4, 2024 23:50:19.468118906 CEST	49714	443	192.168.2.16	184.28.90.27
Jul 4, 2024 23:50:19.468141079 CEST	443	49714	184.28.90.27	192.168.2.16
Jul 4, 2024 23:50:19.468153000 CEST	49714	443	192.168.2.16	184.28.90.27
Jul 4, 2024 23:50:19.468158960 CEST	443	49714	184.28.90.27	192.168.2.16
Jul 4, 2024 23:50:19.765899897 CEST	49678	443	192.168.2.16	20.189.173.10
Jul 4, 2024 23:50:20.370897055 CEST	49678	443	192.168.2.16	20.189.173.10
Jul 4, 2024 23:50:20.401230097 CEST	443	49708	216.58.206.68	192.168.2.16
Jul 4, 2024 23:50:20.401284933 CEST	443	49708	216.58.206.68	192.168.2.16
Jul 4, 2024 23:50:20.401345968 CEST	49708	443	192.168.2.16	216.58.206.68
Jul 4, 2024 23:50:20.642879963 CEST	49673	443	192.168.2.16	204.79.197.203
Jul 4, 2024 23:50:21.220196009 CEST	49708	443	192.168.2.16	216.58.206.68
Jul 4, 2024 23:50:21.220244884 CEST	443	49708	216.58.206.68	192.168.2.16
Jul 4, 2024 23:50:21.586030960 CEST	49678	443	192.168.2.16	20.189.173.10
Jul 4, 2024 23:50:23.937084913 CEST	49680	80	192.168.2.16	192.229.211.108
Jul 4, 2024 23:50:23.999875069 CEST	49678	443	192.168.2.16	20.189.173.10
Jul 4, 2024 23:50:24.239916086 CEST	49680	80	192.168.2.16	192.229.211.108
Jul 4, 2024 23:50:24.845917940 CEST	49680	80	192.168.2.16	192.229.211.108
Jul 4, 2024 23:50:26.060398102 CEST	49680	80	192.168.2.16	192.229.211.108
Jul 4, 2024 23:50:28.465920925 CEST	49680	80	192.168.2.16	192.229.211.108
Jul 4, 2024 23:50:28.800935984 CEST	49678	443	192.168.2.16	20.189.173.10
Jul 4, 2024 23:50:30.250909090 CEST	49673	443	192.168.2.16	204.79.197.203
Jul 4, 2024 23:50:33.268945932 CEST	49680	80	192.168.2.16	192.229.211.108
Jul 4, 2024 23:50:35.059011936 CEST	49704	443	192.168.2.16	15.204.31.59
Jul 4, 2024 23:50:35.059120893 CEST	443	49704	15.204.31.59	192.168.2.16
Jul 4, 2024 23:50:35.059207916 CEST	49704	443	192.168.2.16	15.204.31.59
Jul 4, 2024 23:50:36.086976051 CEST	49716	443	192.168.2.16	15.204.31.59
Jul 4, 2024 23:50:36.087013960 CEST	443	49716	15.204.31.59	192.168.2.16
Jul 4, 2024 23:50:36.087080956 CEST	49716	443	192.168.2.16	15.204.31.59
Jul 4, 2024 23:50:36.087414980 CEST	49717	443	192.168.2.16	15.204.31.59
Jul 4, 2024 23:50:36.087444067 CEST	443	49717	15.204.31.59	192.168.2.16
Jul 4, 2024 23:50:36.087505102 CEST	49717	443	192.168.2.16	15.204.31.59
Jul 4, 2024 23:50:36.087654114 CEST	49716	443	192.168.2.16	15.204.31.59
Jul 4, 2024 23:50:36.087668896 CEST	443	49716	15.204.31.59	192.168.2.16
Jul 4, 2024 23:50:36.087826014 CEST	49717	443	192.168.2.16	15.204.31.59
Jul 4, 2024 23:50:36.087837934 CEST	443	49717	15.204.31.59	192.168.2.16
Jul 4, 2024 23:50:38.403953075 CEST	49678	443	192.168.2.16	20.189.173.10
Jul 4, 2024 23:50:42.876949072 CEST	49680	80	192.168.2.16	192.229.211.108
Jul 4, 2024 23:50:54.070292950 CEST	49718	443	192.168.2.16	20.12.23.50
Jul 4, 2024 23:50:54.070334911 CEST	443	49718	20.12.23.50	192.168.2.16
Jul 4, 2024 23:50:54.070425034 CEST	49718	443	192.168.2.16	20.12.23.50
Jul 4, 2024 23:50:54.070753098 CEST	49718	443	192.168.2.16	20.12.23.50
Jul 4, 2024 23:50:54.070765018 CEST	443	49718	20.12.23.50	192.168.2.16
Jul 4, 2024 23:50:54.670826912 CEST	443	49718	20.12.23.50	192.168.2.16
Jul 4, 2024 23:50:54.670912027 CEST	49718	443	192.168.2.16	20.12.23.50
Jul 4, 2024 23:50:54.672415972 CEST	49718	443	192.168.2.16	20.12.23.50
Jul 4, 2024 23:50:54.672430992 CEST	443	49718	20.12.23.50	192.168.2.16
Jul 4, 2024 23:50:54.672640085 CEST	443	49718	20.12.23.50	192.168.2.16
Jul 4, 2024 23:50:54.673953056 CEST	49718	443	192.168.2.16	20.12.23.50
Jul 4, 2024 23:50:54.720508099 CEST	443	49718	20.12.23.50	192.168.2.16
Jul 4, 2024 23:50:54.724114895 CEST	49697	80	192.168.2.16	93.184.221.240
Jul 4, 2024 23:50:54.724178076 CEST	49698	80	192.168.2.16	93.184.221.240
Jul 4, 2024 23:50:54.729218960 CEST	80	49697	93.184.221.240	192.168.2.16
Jul 4, 2024 23:50:54.729268074 CEST	49697	80	192.168.2.16	93.184.221.240
Jul 4, 2024 23:50:54.729585886 CEST	80	49698	93.184.221.240	192.168.2.16
Jul 4, 2024 23:50:54.729630947 CEST	49698	80	192.168.2.16	93.184.221.240
Jul 4, 2024 23:50:54.886399031 CEST	443	49718	20.12.23.50	192.168.2.16
Jul 4, 2024 23:50:54.886419058 CEST	443	49718	20.12.23.50	192.168.2.16
Jul 4, 2024 23:50:54.886432886 CEST	443	49718	20.12.23.50	192.168.2.16
Jul 4, 2024 23:50:54.886518002 CEST	49718	443	192.168.2.16	20.12.23.50
Jul 4, 2024 23:50:54.886531115 CEST	443	49718	20.12.23.50	192.168.2.16
Jul 4, 2024 23:50:54.886584044 CEST	49718	443	192.168.2.16	20.12.23.50
Jul 4, 2024 23:50:54.888772011 CEST	443	49718	20.12.23.50	192.168.2.16
Jul 4, 2024 23:50:54.888812065 CEST	443	49718	20.12.23.50	192.168.2.16
Jul 4, 2024 23:50:54.888832092 CEST	49718	443	192.168.2.16	20.12.23.50
Jul 4, 2024 23:50:54.888839006 CEST	443	49718	20.12.23.50	192.168.2.16
Jul 4, 2024 23:50:54.888854980 CEST	443	49718	20.12.23.50	192.168.2.16
Jul 4, 2024 23:50:54.888869047 CEST	49718	443	192.168.2.16	20.12.23.50
Jul 4, 2024 23:50:54.888906956 CEST	49718	443	192.168.2.16	20.12.23.50
Jul 4, 2024 23:50:54.889060020 CEST	49718	443	192.168.2.16	20.12.23.50
Jul 4, 2024 23:50:54.889070988 CEST	443	49718	20.12.23.50	192.168.2.16
Jul 4, 2024 23:50:54.889095068 CEST	49718	443	192.168.2.16	20.12.23.50
Jul 4, 2024 23:50:54.889098883 CEST	443	49718	20.12.23.50	192.168.2.16
Jul 4, 2024 23:51:06.096627951 CEST	49716	443	192.168.2.16	15.204.31.59
Jul 4, 2024 23:51:06.096632004 CEST	49717	443	192.168.2.16	15.204.31.59
Jul 4, 2024 23:51:06.096748114 CEST	443	49716	15.204.31.59	192.168.2.16
Jul 4, 2024 23:51:06.096754074 CEST	443	49717	15.204.31.59	192.168.2.16
Jul 4, 2024 23:51:06.096817970 CEST	49716	443	192.168.2.16	15.204.31.59
Jul 4, 2024 23:51:06.096834898 CEST	49717	443	192.168.2.16	15.204.31.59
Jul 4, 2024 23:51:09.884983063 CEST	49720	443	192.168.2.16	216.58.206.68
Jul 4, 2024 23:51:09.885020018 CEST	443	49720	216.58.206.68	192.168.2.16
Jul 4, 2024 23:51:09.885108948 CEST	49720	443	192.168.2.16	216.58.206.68
Jul 4, 2024 23:51:09.885334015 CEST	49720	443	192.168.2.16	216.58.206.68
Jul 4, 2024 23:51:09.885345936 CEST	443	49720	216.58.206.68	192.168.2.16
Jul 4, 2024 23:51:10.529436111 CEST	443	49720	216.58.206.68	192.168.2.16
Jul 4, 2024 23:51:10.529776096 CEST	49720	443	192.168.2.16	216.58.206.68
Jul 4, 2024 23:51:10.529791117 CEST	443	49720	216.58.206.68	192.168.2.16
Jul 4, 2024 23:51:10.530071974 CEST	443	49720	216.58.206.68	192.168.2.16
Jul 4, 2024 23:51:10.530363083 CEST	49720	443	192.168.2.16	216.58.206.68
Jul 4, 2024 23:51:10.530415058 CEST	443	49720	216.58.206.68	192.168.2.16
Jul 4, 2024 23:51:10.571048021 CEST	49720	443	192.168.2.16	216.58.206.68
Jul 4, 2024 23:51:11.121649027 CEST	49721	443	192.168.2.16	15.204.31.59
Jul 4, 2024 23:51:11.121687889 CEST	443	49721	15.204.31.59	192.168.2.16
Jul 4, 2024 23:51:11.121773958 CEST	49721	443	192.168.2.16	15.204.31.59
Jul 4, 2024 23:51:11.122015953 CEST	49722	443	192.168.2.16	15.204.31.59
Jul 4, 2024 23:51:11.122023106 CEST	443	49722	15.204.31.59	192.168.2.16
Jul 4, 2024 23:51:11.122076035 CEST	49722	443	192.168.2.16	15.204.31.59
Jul 4, 2024 23:51:11.122221947 CEST	49721	443	192.168.2.16	15.204.31.59
Jul 4, 2024 23:51:11.122232914 CEST	443	49721	15.204.31.59	192.168.2.16
Jul 4, 2024 23:51:11.122368097 CEST	49722	443	192.168.2.16	15.204.31.59
Jul 4, 2024 23:51:11.122376919 CEST	443	49722	15.204.31.59	192.168.2.16
Jul 4, 2024 23:51:20.434088945 CEST	443	49720	216.58.206.68	192.168.2.16
Jul 4, 2024 23:51:20.434158087 CEST	443	49720	216.58.206.68	192.168.2.16
Jul 4, 2024 23:51:20.434215069 CEST	49720	443	192.168.2.16	216.58.206.68
Jul 4, 2024 23:51:21.224535942 CEST	49720	443	192.168.2.16	216.58.206.68
Jul 4, 2024 23:51:21.224555969 CEST	443	49720	216.58.206.68	192.168.2.16

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 4, 2024 23:50:05.022839069 CEST	58848	53	192.168.2.16	1.1.1.1
Jul 4, 2024 23:50:05.022955894 CEST	60900	53	192.168.2.16	1.1.1.1
Jul 4, 2024 23:50:05.029706001 CEST	53	50567	1.1.1.1	192.168.2.16
Jul 4, 2024 23:50:05.049390078 CEST	53	60900	1.1.1.1	192.168.2.16
Jul 4, 2024 23:50:05.051484108 CEST	53	58848	1.1.1.1	192.168.2.16
Jul 4, 2024 23:50:05.063359976 CEST	53	50219	1.1.1.1	192.168.2.16
Jul 4, 2024 23:50:06.090445995 CEST	53	52889	1.1.1.1	192.168.2.16
Jul 4, 2024 23:50:09.829920053 CEST	49641	53	192.168.2.16	1.1.1.1
Jul 4, 2024 23:50:09.830061913 CEST	55674	53	192.168.2.16	1.1.1.1
Jul 4, 2024 23:50:09.842639923 CEST	53	55674	1.1.1.1	192.168.2.16
Jul 4, 2024 23:50:09.847179890 CEST	53	49641	1.1.1.1	192.168.2.16
Jul 4, 2024 23:50:23.033102989 CEST	53	49419	1.1.1.1	192.168.2.16
Jul 4, 2024 23:50:34.931026936 CEST	53	57376	1.1.1.1	192.168.2.16
Jul 4, 2024 23:50:41.807885885 CEST	53	57887	1.1.1.1	192.168.2.16
Jul 4, 2024 23:51:04.729269981 CEST	53	53951	1.1.1.1	192.168.2.16
Jul 4, 2024 23:51:04.992120028 CEST	53	58039	1.1.1.1	192.168.2.16
Jul 4, 2024 23:51:15.642877102 CEST	138	138	192.168.2.16	192.168.2.255

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 4, 2024 23:50:05.022839069 CEST	192.168.2.16	1.1.1.1	0xc268	Standard query (0)	www3.hownd.com	A (IP address)	IN (0x0001)	false
Jul 4, 2024 23:50:05.022955894 CEST	192.168.2.16	1.1.1.1	0xaf00	Standard query (0)	www3.hownd.com	65	IN (0x0001)	false
Jul 4, 2024 23:50:09.829920053 CEST	192.168.2.16	1.1.1.1	0xc583	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Jul 4, 2024 23:50:09.830061913 CEST	192.168.2.16	1.1.1.1	0x5e26	Standard query (0)	www.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 4, 2024 23:50:05.049390078 CEST	1.1.1.1	192.168.2.16	0xaf00	No error (0)	www3.hownd.com	fcqoppoiwww3.mycorpprovider.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 4, 2024 23:50:05.051484108 CEST	1.1.1.1	192.168.2.16	0xc268	No error (0)	www3.hownd.com	fcqoppoiwww3.mycorpprovider.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 4, 2024 23:50:05.051484108 CEST	1.1.1.1	192.168.2.16	0xc268	No error (0)	fcqoppoiwww3.mycorpprovider.com	mainlb.mycorpprovider.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 4, 2024 23:50:05.051484108 CEST	1.1.1.1	192.168.2.16	0xc268	No error (0)	mainlb.mycorpprovider.com		15.204.31.59	A (IP address)	IN (0x0001)	false
Jul 4, 2024 23:50:09.842639923 CEST	1.1.1.1	192.168.2.16	0x5e26	No error (0)	www.google.com			65	IN (0x0001)	false
Jul 4, 2024 23:50:09.847179890 CEST	1.1.1.1	192.168.2.16	0xc583	No error (0)	www.google.com		216.58.206.68	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

slscr.update.microsoft.com

fs.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.16	49712	20.12.23.50	443

Timestamp	Bytes transferred	Direction	Data
2024-07-04 21:50:17 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=+Fhaa8S9znhtBdD&MD=1KgRtc2y HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-07-04 21:50:17 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: f9c84747-2e17-463c-81a8-359b3bdc8e1f MS-RequestId: 8594b72f-1ab9-471b-95d6-b875718a0de3 MS-CV: pAVr8MoPE0myvXNC.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Thu, 04 Jul 2024 21:50:16 GMT Connection: close Content-Length: 24490
2024-07-04 21:50:17 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-07-04 21:50:17 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.16	49713	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-07-04 21:50:18 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-07-04 21:50:18 UTC	466	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (chd/0758) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-eus-z1 Cache-Control: public, max-age=33224 Date: Thu, 04 Jul 2024 21:50:18 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.16	49714	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-07-04 21:50:19 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-07-04 21:50:19 UTC	514	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=33244 Date: Thu, 04 Jul 2024 21:50:19 GMT Content-Length: 55 Connection: close X-CID: 2
2024-07-04 21:50:19 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.16	49718	20.12.23.50	443

Timestamp	Bytes transferred	Direction	Data
2024-07-04 21:50:54 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=+Fhaa8S9znhtBdD&MD=1KgRtc2y HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-07-04 21:50:54 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440" MS-CorrelationId: 8272c2ea-1877-4ec2-85ea-c70778ff4ba8 MS-RequestId: aea4a038-764b-47cb-8c9a-6e36faa31a21 MS-CV: 66D76YyYJkSifa6N.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Thu, 04 Jul 2024 21:50:54 GMT Connection: close Content-Length: 30005
2024-07-04 21:50:54 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK\|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
2024-07-04 21:50:54 UTC	14181	IN	Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: chrome.exePID: 6896, Parent PID: 3900

General

Target ID:	0
Start time:	17:50:02
Start date:	04/07/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www3.hownd.com/go?s=Qv0FObPLnDm_z0vXeQVYT_YiwJnPLOFHrkdlluc1NkDk-6Gp5q43EPz2cFAbSUj6MHz814Al_ASv8pHvMlX2Vn768MdU8GYnzxsFrQ==
Imagebase:	0x7ff7f9810000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 6360, Parent PID: 6896

General

Target ID:	1
Start time:	17:50:03
Start date:	04/07/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 --field-trial-handle=1876,i,5848461165673472631,14503253527738666784,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff7f9810000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://www3.hownd.com/go?s=Qv0FObPLnDm_z0vXeQVYT_YiwJnPLOFHrkdlluc1NkDk-6Gp5q43EPz2cFAbSUj6MHz814Al_ASv8pHvMlX2Vn768MdU8GYnzxsFrQ==

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Boot Survival

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: chrome.exePID: 6896, Parent PID: 3900

General

Chronological Activities

Analysis Process: chrome.exePID: 6360, Parent PID: 6896

General

Chronological Activities

Disassembly

Windows Analysis Report
https://www3.hownd.com/go?s=Qv0FObPLnDm_z0vXeQVYT_YiwJnPLOFHrkdlluc1NkDk-6Gp5q43EPz2cFAbSUj6MHz814Al_ASv8pHvMlX2Vn768MdU8GYnzxsFrQ==