Edit tour

Windows Analysis Report
ACH Payment Details_(Dcorbett)CQDM.html

Overview

General Information

Sample name:	ACH Payment Details_(Dcorbett)CQDM.html
Analysis ID:	1512758
MD5:	7978ed6fd79314c9a4de374eb890e35c
SHA1:	72aea05b419b6a3f1edb28c1204a12fac7e44dad
SHA256:	9a4a5655f0ea0a9c3660636ddd73b2006d2e122a19cb2062fd5789ea07be3f67
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

HTML document with suspicious name

HTML page contains suspicious javascript code

Suspicious Javascript code found in HTML file

Creates files inside the system directory

Deletes files inside the Windows folder

Detected non-DNS traffic on DNS port

Drops PE files

Drops PE files to the windows directory (C:\Windows)

HTML page contains hidden javascript code

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

PE file contains more sections than normal

PE file contains sections with non-standard names

Classification

Process Tree

System is w10x64

chrome.exe (PID: 1436 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "C:\Users\user\Desktop\ACH Payment Details_(Dcorbett)CQDM.html" MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 5052 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2576 --field-trial-handle=1924,i,2439778999610996347,7255612292561947748,262144 /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• AV Detection
• Phishing
• Compliance
• Networking
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://medconsol.com/o/?c3Y9bzM2NV8xX25vbSZyYW5kPVUyZGlha0k9JnVpZD1VU0VSMTcwOTIwMjRVMjEwOTE3NDg=#dcorbett@eabcoinc.com

SlashNext: Label: Credential Stealing type: Phishing & Social usering

Phishing

HTML page contains suspicious javascript code

Source: file:///C:/Users/user/Desktop/ACH%20Payment%20Details_(Dcorbett)CQDM.html

HTTP Parser: window.location.href = atob(

Suspicious Javascript code found in HTML file

Source: ACH Payment Details_(Dcorbett)CQDM.html	HTTP Parser: location.href
Source: ACH Payment Details_(Dcorbett)CQDM.html	HTTP Parser: .location
Source: ACH Payment Details_(Dcorbett)CQDM.html	HTTP Parser: .location

Source: ACH Payment Details_(Dcorbett)CQDM.html

HTTP Parser: Base64 decoded: https://medconsol.com/o/?c3Y9bzM2NV8xX25vbSZyYW5kPVUyZGlha0k9JnVpZD1VU0VSMTcwOTIwMjRVMjEwOTE3NDg=

Source: ACH Payment Details_(Dcorbett)CQDM.html

HTTP Parser: No favicon

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1286968575\LICENSE.txt

Jump to behavior

Source: unknown	HTTPS traffic detected: 20.7.2.167:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.6:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.6:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.7.2.167:443 -> 192.168.2.6:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.6:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.7.2.167:443 -> 192.168.2.6:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.7.2.167:443 -> 192.168.2.6:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.6:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.7.2.167:443 -> 192.168.2.6:51977 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.7.2.167:443 -> 192.168.2.6:51980 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:51985 version: TLS 1.2

Source: global traffic

TCP traffic: 192.168.2.6:51974 -> 1.1.1.1:53

Source: Joe Sandbox View

IP Address: 239.255.255.250 239.255.255.250

Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	TCP traffic detected without corresponding DNS query: 20.7.2.167
Source: unknown	TCP traffic detected without corresponding DNS query: 20.7.2.167
Source: unknown	TCP traffic detected without corresponding DNS query: 20.7.2.167
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.7.2.167
Source: unknown	TCP traffic detected without corresponding DNS query: 20.7.2.167
Source: unknown	TCP traffic detected without corresponding DNS query: 20.7.2.167
Source: unknown	TCP traffic detected without corresponding DNS query: 20.7.2.167
Source: unknown	TCP traffic detected without corresponding DNS query: 20.7.2.167
Source: unknown	TCP traffic detected without corresponding DNS query: 20.7.2.167
Source: unknown	TCP traffic detected without corresponding DNS query: 20.7.2.167
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.7.2.167
Source: unknown	TCP traffic detected without corresponding DNS query: 20.7.2.167
Source: unknown	TCP traffic detected without corresponding DNS query: 20.7.2.167
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.7.2.167
Source: unknown	TCP traffic detected without corresponding DNS query: 20.7.2.167
Source: unknown	TCP traffic detected without corresponding DNS query: 20.7.2.167
Source: unknown	TCP traffic detected without corresponding DNS query: 20.7.2.167
Source: unknown	TCP traffic detected without corresponding DNS query: 20.7.2.167
Source: unknown	TCP traffic detected without corresponding DNS query: 20.7.2.167
Source: unknown	TCP traffic detected without corresponding DNS query: 20.7.2.167
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86

Source: global traffic	HTTP traffic detected: GET /o/?c3Y9bzM2NV8xX25vbSZyYW5kPVUyZGlha0k9JnVpZD1VU0VSMTcwOTIwMjRVMjEwOTE3NDg= HTTP/1.1Host: medconsol.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: medconsol.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://medconsol.com/o/?c3Y9bzM2NV8xX25vbSZyYW5kPVUyZGlha0k9JnVpZD1VU0VSMTcwOTIwMjRVMjEwOTE3NDg=Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=gK+YWdsELcLhrVY&MD=7StHGpxG HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=gK+YWdsELcLhrVY&MD=7StHGpxG HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Source: global traffic	DNS traffic detected: DNS query: medconsol.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: optimization-hints.pb.0.dr	String found in binary or memory: https://123milhas.com/v2/busca/confirmacao-pedido/.
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://checkout-new.dafiti.com.br/success/index.html.
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://checkout.casasbahia.com.br/compra-finalizada
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://checkout.extra.com.br/compra-finalizada
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://checkout.pontofrio.com.br/compra-finalizada
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://comprasegura.olx.com.br/
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://comprasegura.olx.com.br/pedidos/.
Source: LICENSE.txt.0.dr	String found in binary or memory: https://creativecommons.org/.
Source: LICENSE.txt.0.dr	String found in binary or memory: https://creativecommons.org/compatiblelicenses
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://dump-truck.appspot.com/.
Source: LICENSE.txt.0.dr	String found in binary or memory: https://easylist.to/)
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://emv-qr.googleplex.com/.
Source: LICENSE.txt.0.dr	String found in binary or memory: https://github.com/easylist)
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://google-wallet-ccr-salvador.pagmob.com.br/pay
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://m.aliexpress.com/p/second-payment/pay-result.html?.
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://m.americanas.com.br/compra/pix.
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://rsolomakhin.github.io/pix/.
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://sacolamobile.magazineluiza.com.br/#/comprovante
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://secure.epocacosmeticos.com.br/checkout/#/payment.
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://secure.vivara.com.br/checkout?orderFormId=.
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://shopee.com.br/payment/.
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://www.amazon.com.br/gp/buy/thankyou/handlers/display.html
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://www.anacapri.com.br/checkout/order-confirmation/.
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://www.arezzo.com.br/checkout/order-confirmation/.
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://www.centauro.com.br/checkouts/confirmacao/.
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://www.cobasi.com.br/checkout/review.
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://www.elo7.com.br/buyer/order/.
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://www.fastshop.com.br/web/checkout-v2/pagamento/confirmacao.
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://www.hering.com.br/checkout/#/payment
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://www.hurb.com/br/pay/checkout/.
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://www.ifood.com.br/pedidos/aguardando-pagamento/.
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://www.madeiramadeira.com.br/carrinho/finalizar-pedido/.
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://www.motorola.com.br/checkout/#/payment
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://www.natura.com.br/pedido-concluido/.
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://www.netshoes.com.br/checkout/confirmation/.
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://www.paodeacucar.com/checkout.
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://www.petz.com.br/checkout/confirmation/.
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://www.riachuelo.com.br/successpage
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://www.schutz.com.br/checkout/order-confirmation/.
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://www.sephora.com.br/checkout/success/.
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://www.ultrafarma.com.br/checkout/confirmacao/.
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://www.zattini.com.br/checkout/confirmation/.
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://www.zzmall.com.br/checkout/order-confirmation/.

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 51977 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51980
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51985
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51977
Source: unknown	Network traffic detected: HTTP traffic on port 51980 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 51976 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51976
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51985 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 20.7.2.167:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.6:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.6:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.7.2.167:443 -> 192.168.2.6:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.6:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.7.2.167:443 -> 192.168.2.6:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.7.2.167:443 -> 192.168.2.6:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.6:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.7.2.167:443 -> 192.168.2.6:51977 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.7.2.167:443 -> 192.168.2.6:51980 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:51985 version: TLS 1.2

System Summary

HTML document with suspicious name

Source: Name includes: ACH Payment Details_(Dcorbett)CQDM.html

Initial sample: payment

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1531919242	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1531919242\sets.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1531919242\manifest.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1531919242\LICENSE	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1531919242\_metadata\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1531919242\_metadata\verified_contents.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1531919242\manifest.fingerprint	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_596117624	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_596117624\Google.Widevine.CDM.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_596117624\manifest.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_596117624\_metadata\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_596117624\_metadata\verified_contents.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_596117624\manifest.fingerprint	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1286968575	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1286968575\LICENSE.txt	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1286968575\Filtering Rules	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1286968575\manifest.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1286968575\_metadata\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1286968575\_metadata\verified_contents.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1286968575\manifest.fingerprint	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1949145774	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1949145774\cr_en-us_500000_index.bin	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1949145774\manifest.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1949145774\_metadata\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1949145774\_metadata\verified_contents.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1949145774\manifest.fingerprint	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_289466839	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_289466839\optimization-hints.pb	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_289466839\manifest.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_289466839\_metadata\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_289466839\_metadata\verified_contents.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_289466839\manifest.fingerprint	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1708242531	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1708242531\_platform_specific\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1708242531\_platform_specific\win_x64\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1708242531\_platform_specific\win_x64\widevinecdm.dll.sig	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1708242531\_platform_specific\win_x64\widevinecdm.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1708242531\LICENSE	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1708242531\manifest.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1708242531\_metadata\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1708242531\_metadata\verified_contents.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1708242531\manifest.fingerprint	Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File deleted: C:\Windows\SystemTemp\chrome_BITS_1436_1572552197

Jump to behavior

Source: widevinecdm.dll.0.dr	Static PE information: Number of sections : 13 > 10
Source: Google.Widevine.CDM.dll.0.dr	Static PE information: Number of sections : 12 > 10

Source: classification engine

Classification label: mal60.phis.winHTML@36/32@4/5

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "C:\Users\user\Desktop\ACH Payment Details_(Dcorbett)CQDM.html"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2576 --field-trial-handle=1924,i,2439778999610996347,7255612292561947748,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2576 --field-trial-handle=1924,i,2439778999610996347,7255612292561947748,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Google.Widevine.CDM.dll.0.dr	Static PE information: section name: .00cfg
Source: Google.Widevine.CDM.dll.0.dr	Static PE information: section name: .gxfg
Source: Google.Widevine.CDM.dll.0.dr	Static PE information: section name: .retplne
Source: Google.Widevine.CDM.dll.0.dr	Static PE information: section name: .voltbl
Source: Google.Widevine.CDM.dll.0.dr	Static PE information: section name: _RDATA
Source: widevinecdm.dll.0.dr	Static PE information: section name: .00cfg
Source: widevinecdm.dll.0.dr	Static PE information: section name: .gxfg
Source: widevinecdm.dll.0.dr	Static PE information: section name: .retplne
Source: widevinecdm.dll.0.dr	Static PE information: section name: .rodata
Source: widevinecdm.dll.0.dr	Static PE information: section name: _RDATA
Source: widevinecdm.dll.0.dr	Static PE information: section name: malloc_h

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1708242531\_platform_specific\win_x64\widevinecdm.dll			Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_596117624\Google.Widevine.CDM.dll			Jump to dropped file

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1708242531\_platform_specific\win_x64\widevinecdm.dll			Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_596117624\Google.Widevine.CDM.dll			Jump to dropped file

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1286968575\LICENSE.txt

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	2 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 File Deletion	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1708242531\_platform_specific\win_x64\widevinecdm.dll	0%	ReversingLabs
C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_596117624\Google.Widevine.CDM.dll	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://medconsol.com/o/?c3Y9bzM2NV8xX25vbSZyYW5kPVUyZGlha0k9JnVpZD1VU0VSMTcwOTIwMjRVMjEwOTE3NDg=#dcorbett@eabcoinc.com	100%	SlashNext	Credential Stealing type: Phishing & Social usering
https://secure.vivara.com.br/checkout?orderFormId=.	0%	Avira URL Cloud	safe
https://google-wallet-ccr-salvador.pagmob.com.br/pay	0%	Avira URL Cloud	safe
https://www.elo7.com.br/buyer/order/.	0%	Avira URL Cloud	safe
https://www.hurb.com/br/pay/checkout/.	0%	Avira URL Cloud	safe
https://medconsol.com/o/?c3Y9bzM2NV8xX25vbSZyYW5kPVUyZGlha0k9JnVpZD1VU0VSMTcwOTIwMjRVMjEwOTE3NDg=	0%	Avira URL Cloud	safe
https://www.ifood.com.br/pedidos/aguardando-pagamento/.	0%	Avira URL Cloud	safe
https://www.riachuelo.com.br/successpage	0%	Avira URL Cloud	safe
https://comprasegura.olx.com.br/pedidos/.	0%	Avira URL Cloud	safe
https://www.sephora.com.br/checkout/success/.	0%	Avira URL Cloud	safe
https://secure.epocacosmeticos.com.br/checkout/#/payment.	0%	Avira URL Cloud	safe
https://easylist.to/)	0%	Avira URL Cloud	safe
https://checkout-new.dafiti.com.br/success/index.html.	0%	Avira URL Cloud	safe
https://checkout.extra.com.br/compra-finalizada	0%	Avira URL Cloud	safe
https://www.madeiramadeira.com.br/carrinho/finalizar-pedido/.	0%	Avira URL Cloud	safe
https://dump-truck.appspot.com/.	0%	Avira URL Cloud	safe
https://creativecommons.org/compatiblelicenses	0%	Avira URL Cloud	safe
https://medconsol.com/favicon.ico	0%	Avira URL Cloud	safe
https://www.amazon.com.br/gp/buy/thankyou/handlers/display.html	0%	Avira URL Cloud	safe
https://checkout.casasbahia.com.br/compra-finalizada	0%	Avira URL Cloud	safe
https://www.petz.com.br/checkout/confirmation/.	0%	Avira URL Cloud	safe
https://github.com/easylist)	0%	Avira URL Cloud	safe
https://shopee.com.br/payment/.	0%	Avira URL Cloud	safe
https://www.motorola.com.br/checkout/#/payment	0%	Avira URL Cloud	safe
https://rsolomakhin.github.io/pix/.	0%	Avira URL Cloud	safe
https://creativecommons.org/.	0%	Avira URL Cloud	safe
https://www.zattini.com.br/checkout/confirmation/.	0%	Avira URL Cloud	safe
https://www.natura.com.br/pedido-concluido/.	0%	Avira URL Cloud	safe
https://www.hering.com.br/checkout/#/payment	0%	Avira URL Cloud	safe
https://www.ultrafarma.com.br/checkout/confirmacao/.	0%	Avira URL Cloud	safe
https://checkout.pontofrio.com.br/compra-finalizada	0%	Avira URL Cloud	safe
https://www.cobasi.com.br/checkout/review.	0%	Avira URL Cloud	safe
https://www.anacapri.com.br/checkout/order-confirmation/.	0%	Avira URL Cloud	safe
https://emv-qr.googleplex.com/.	0%	Avira URL Cloud	safe
https://www.schutz.com.br/checkout/order-confirmation/.	0%	Avira URL Cloud	safe
https://www.centauro.com.br/checkouts/confirmacao/.	0%	Avira URL Cloud	safe
https://www.paodeacucar.com/checkout.	0%	Avira URL Cloud	safe
https://www.netshoes.com.br/checkout/confirmation/.	0%	Avira URL Cloud	safe
https://123milhas.com/v2/busca/confirmacao-pedido/.	0%	Avira URL Cloud	safe
https://m.americanas.com.br/compra/pix.	0%	Avira URL Cloud	safe
https://www.arezzo.com.br/checkout/order-confirmation/.	0%	Avira URL Cloud	safe
https://comprasegura.olx.com.br/	0%	Avira URL Cloud	safe
https://sacolamobile.magazineluiza.com.br/#/comprovante	0%	Avira URL Cloud	safe
https://www.fastshop.com.br/web/checkout-v2/pagamento/confirmacao.	0%	Avira URL Cloud	safe
https://www.zzmall.com.br/checkout/order-confirmation/.	0%	Avira URL Cloud	safe

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
medconsol.com	95.217.116.67	true	false		unknown
www.google.com	142.250.185.228	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://medconsol.com/o/?c3Y9bzM2NV8xX25vbSZyYW5kPVUyZGlha0k9JnVpZD1VU0VSMTcwOTIwMjRVMjEwOTE3NDg=	false	Avira URL Cloud: safe	unknown
https://medconsol.com/o/?c3Y9bzM2NV8xX25vbSZyYW5kPVUyZGlha0k9JnVpZD1VU0VSMTcwOTIwMjRVMjEwOTE3NDg=#dcorbett@eabcoinc.com	true	SlashNext: Credential Stealing type: Phishing & Social usering	unknown
https://medconsol.com/favicon.ico	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://google-wallet-ccr-salvador.pagmob.com.br/pay	optimization-hints.pb.0.dr	false	Avira URL Cloud: safe	unknown
https://www.hurb.com/br/pay/checkout/.	optimization-hints.pb.0.dr	false	Avira URL Cloud: safe	unknown
https://www.sephora.com.br/checkout/success/.	optimization-hints.pb.0.dr	false	Avira URL Cloud: safe	unknown
https://www.ifood.com.br/pedidos/aguardando-pagamento/.	optimization-hints.pb.0.dr	false	Avira URL Cloud: safe	unknown
https://www.riachuelo.com.br/successpage	optimization-hints.pb.0.dr	false	Avira URL Cloud: safe	unknown
https://comprasegura.olx.com.br/pedidos/.	optimization-hints.pb.0.dr	false	Avira URL Cloud: safe	unknown
https://secure.vivara.com.br/checkout?orderFormId=.	optimization-hints.pb.0.dr	false	Avira URL Cloud: safe	unknown
https://secure.epocacosmeticos.com.br/checkout/#/payment.	optimization-hints.pb.0.dr	false	Avira URL Cloud: safe	unknown
https://www.elo7.com.br/buyer/order/.	optimization-hints.pb.0.dr	false	Avira URL Cloud: safe	unknown
https://checkout.extra.com.br/compra-finalizada	optimization-hints.pb.0.dr	false	Avira URL Cloud: safe	unknown
https://easylist.to/)	LICENSE.txt.0.dr	false	Avira URL Cloud: safe	unknown
https://checkout-new.dafiti.com.br/success/index.html.	optimization-hints.pb.0.dr	false	Avira URL Cloud: safe	unknown
https://www.madeiramadeira.com.br/carrinho/finalizar-pedido/.	optimization-hints.pb.0.dr	false	Avira URL Cloud: safe	unknown
https://dump-truck.appspot.com/.	optimization-hints.pb.0.dr	false	Avira URL Cloud: safe	unknown
https://creativecommons.org/compatiblelicenses	LICENSE.txt.0.dr	false	Avira URL Cloud: safe	unknown
https://www.petz.com.br/checkout/confirmation/.	optimization-hints.pb.0.dr	false	Avira URL Cloud: safe	unknown
https://checkout.casasbahia.com.br/compra-finalizada	optimization-hints.pb.0.dr	false	Avira URL Cloud: safe	unknown
https://www.amazon.com.br/gp/buy/thankyou/handlers/display.html	optimization-hints.pb.0.dr	false	Avira URL Cloud: safe	unknown
https://github.com/easylist)	LICENSE.txt.0.dr	false	Avira URL Cloud: safe	unknown
https://shopee.com.br/payment/.	optimization-hints.pb.0.dr	false	Avira URL Cloud: safe	unknown
https://www.motorola.com.br/checkout/#/payment	optimization-hints.pb.0.dr	false	Avira URL Cloud: safe	unknown
https://creativecommons.org/.	LICENSE.txt.0.dr	false	Avira URL Cloud: safe	unknown
https://www.cobasi.com.br/checkout/review.	optimization-hints.pb.0.dr	false	Avira URL Cloud: safe	unknown
https://www.zattini.com.br/checkout/confirmation/.	optimization-hints.pb.0.dr	false	Avira URL Cloud: safe	unknown
https://rsolomakhin.github.io/pix/.	optimization-hints.pb.0.dr	false	Avira URL Cloud: safe	unknown
https://www.ultrafarma.com.br/checkout/confirmacao/.	optimization-hints.pb.0.dr	false	Avira URL Cloud: safe	unknown
https://www.hering.com.br/checkout/#/payment	optimization-hints.pb.0.dr	false	Avira URL Cloud: safe	unknown
https://checkout.pontofrio.com.br/compra-finalizada	optimization-hints.pb.0.dr	false	Avira URL Cloud: safe	unknown
https://www.natura.com.br/pedido-concluido/.	optimization-hints.pb.0.dr	false	Avira URL Cloud: safe	unknown
https://www.anacapri.com.br/checkout/order-confirmation/.	optimization-hints.pb.0.dr	false	Avira URL Cloud: safe	unknown
https://www.schutz.com.br/checkout/order-confirmation/.	optimization-hints.pb.0.dr	false	Avira URL Cloud: safe	unknown
https://emv-qr.googleplex.com/.	optimization-hints.pb.0.dr	false	Avira URL Cloud: safe	unknown
https://www.centauro.com.br/checkouts/confirmacao/.	optimization-hints.pb.0.dr	false	Avira URL Cloud: safe	unknown
https://www.netshoes.com.br/checkout/confirmation/.	optimization-hints.pb.0.dr	false	Avira URL Cloud: safe	unknown
https://123milhas.com/v2/busca/confirmacao-pedido/.	optimization-hints.pb.0.dr	false	Avira URL Cloud: safe	unknown
https://www.paodeacucar.com/checkout.	optimization-hints.pb.0.dr	false	Avira URL Cloud: safe	unknown
https://www.arezzo.com.br/checkout/order-confirmation/.	optimization-hints.pb.0.dr	false	Avira URL Cloud: safe	unknown
https://comprasegura.olx.com.br/	optimization-hints.pb.0.dr	false	Avira URL Cloud: safe	unknown
https://m.americanas.com.br/compra/pix.	optimization-hints.pb.0.dr	false	Avira URL Cloud: safe	unknown
https://sacolamobile.magazineluiza.com.br/#/comprovante	optimization-hints.pb.0.dr	false	Avira URL Cloud: safe	unknown
https://www.fastshop.com.br/web/checkout-v2/pagamento/confirmacao.	optimization-hints.pb.0.dr	false	Avira URL Cloud: safe	unknown
https://www.zzmall.com.br/checkout/order-confirmation/.	optimization-hints.pb.0.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.185.228	www.google.com	United States	15169	GOOGLEUS	false
95.217.116.67	medconsol.com	Germany	24940	HETZNER-ASDE	false
239.255.255.250	unknown	Reserved	unknown	unknown	false

Private

IP
192.168.2.18
192.168.2.6

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1512758
Start date and time:	2024-09-17 20:24:46 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowshtmlcookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ACH Payment Details_(Dcorbett)CQDM.html
Detection:	MAL
Classification:	mal60.phis.winHTML@36/32@4/5
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .html

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.184.195, 108.177.15.84, 142.250.186.46, 34.104.35.123, 216.58.206.42, 142.250.74.202, 142.250.184.234, 142.250.185.170, 142.250.185.106, 142.250.186.170, 142.250.186.74, 142.250.186.138, 216.58.206.74, 142.250.185.138, 142.250.181.234, 142.250.185.202, 142.250.185.74, 142.250.184.202, 142.250.185.234, 216.58.212.138, 192.229.221.95, 199.232.210.172, 216.58.206.35, 142.250.186.174, 172.217.16.195
Excluded domains from analysis (whitelisted): clients1.google.com, client.wns.windows.com, fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, clientservices.googleapis.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, update.googleapis.com, clients.l.google.com, optimizationguide-pa.googleapis.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: ACH Payment Details_(Dcorbett)CQDM.html

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
239.255.255.250	http://www.fmovies.poker/mo	Get hash	malicious	Phisher	Browse
	Play_VM-Now(Marketing)CLQD.html	Get hash	malicious	HTMLPhisher	Browse
	https://parking3.parklogic.com/page/scribe.php?pcId=12&domain=meetrachelcook.com&pId=130&usid=27&utid=7979539826&query=null&domainJs=ww12.meetrachelcook.com&path=/&ss=true&lp=1	Get hash	malicious	Unknown	Browse
	https://u.to/UKDgIA	Get hash	malicious	Unknown	Browse
	https://entertechfusionr.pl/d4YW/	Get hash	malicious	Unknown	Browse
	https://rumzz.com/wordpress/wp-admin/arull.php?7112797967704b536932307464507a53744a4c53704a7a4d7a4c4262497953704e4b55704d7a696c4c31436f727939664e79536b4e533941453dEMAILBASE64	Get hash	malicious	Phisher	Browse
	Purchase Specifications.html	Get hash	malicious	Unknown	Browse
	https://psafetysolutions.com/wp-admin/images/wfgth.php	Get hash	malicious	Unknown	Browse
	https://linklock.titanhq.com/analyse?url=https%3A%2F%2Femaze.me%2Fzinninsurance%23untitled2&data=eJxdjMEKwjAQRL-mOYa20RgPOXgpVUT8hbgJGEw2ZbNB6NebszCHN_BmwGp1Pk1HbUZtzCS8hYK1JQYXSELJItv5vj4q4fN6W7-iWiqviMNhpOY_ETcqvgHHvpIYWJCFlEtCR135_2r2zbzVQV2GeekJ2e1B5tBxj4ix2-QQelcNOXIKfv4BXds4OQ%%	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HETZNER-ASDE	doc_Pedido 02024091622008176.com.exe	Get hash	malicious	Quasar	Browse	195.201.57.90
	https://www.google.com/url?q=https%3A%2F%2Fgoo.gl%2Fotzvm%236%261afkvs	Get hash	malicious	Unknown	Browse	136.243.216.232
	Unlock_Tool_5.8.exe	Get hash	malicious	Vidar	Browse	91.107.146.245
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	91.107.146.245
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	91.107.146.245
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	91.107.146.245
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	91.107.146.245
	http://harshayerneni.github.io/Netflix-clone	Get hash	malicious	Unknown	Browse	78.46.22.25
	SecuriteInfo.com.Win32.MalwareX-gen.8690.29614.exe	Get hash	malicious	LummaC, Vidar	Browse	91.107.146.245

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	http://www.fmovies.poker/mo	Get hash	malicious	Phisher	Browse	13.85.23.86 40.127.169.103 184.28.90.27
	Play_VM-Now(Marketing)CLQD.html	Get hash	malicious	HTMLPhisher	Browse	13.85.23.86 40.127.169.103 184.28.90.27
	https://parking3.parklogic.com/page/scribe.php?pcId=12&domain=meetrachelcook.com&pId=130&usid=27&utid=7979539826&query=null&domainJs=ww12.meetrachelcook.com&path=/&ss=true&lp=1	Get hash	malicious	Unknown	Browse	13.85.23.86 40.127.169.103 184.28.90.27
	https://u.to/UKDgIA	Get hash	malicious	Unknown	Browse	13.85.23.86 40.127.169.103 184.28.90.27
	Purchase Specifications.html	Get hash	malicious	Unknown	Browse	13.85.23.86 40.127.169.103 184.28.90.27
	https://psafetysolutions.com/wp-admin/images/wfgth.php	Get hash	malicious	Unknown	Browse	13.85.23.86 40.127.169.103 184.28.90.27
	https://linklock.titanhq.com/analyse?url=https%3A%2F%2Femaze.me%2Fzinninsurance%23untitled2&data=eJxdjMEKwjAQRL-mOYa20RgPOXgpVUT8hbgJGEw2ZbNB6NebszCHN_BmwGp1Pk1HbUZtzCS8hYK1JQYXSELJItv5vj4q4fN6W7-iWiqviMNhpOY_ETcqvgHHvpIYWJCFlEtCR135_2r2zbzVQV2GeekJ2e1B5tBxj4ix2-QQelcNOXIKfv4BXds4OQ%%	Get hash	malicious	Unknown	Browse	13.85.23.86 40.127.169.103 184.28.90.27
	https://hytechsms.com/o/?c3Y9bzM2NV8xX25vbSZyYW5kPVVFWXpjMHM9JnVpZD1VU0VSMTMwOTIwMjRVMDYwOTEzMTQ=	Get hash	malicious	Unknown	Browse	13.85.23.86 40.127.169.103 184.28.90.27
	https://livechat-helpcenter.web.app/	Get hash	malicious	HTMLPhisher	Browse	13.85.23.86 40.127.169.103 184.28.90.27
	http://fswcf.org	Get hash	malicious	Unknown	Browse	13.85.23.86 40.127.169.103 184.28.90.27
3b5074b1b5d032e5620f69f9f700ff0e	https://psafetysolutions.com/wp-admin/images/wfgth.php	Get hash	malicious	Unknown	Browse	20.7.2.167 40.113.103.199
	#29469O204.exe	Get hash	malicious	AgentTesla	Browse	20.7.2.167 40.113.103.199
	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	20.7.2.167 40.113.103.199
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	20.7.2.167 40.113.103.199
	doc_Pedido 02024091622008176.com.exe	Get hash	malicious	Quasar	Browse	20.7.2.167 40.113.103.199
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	20.7.2.167 40.113.103.199
	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	20.7.2.167 40.113.103.199
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	20.7.2.167 40.113.103.199
	https://hytechsms.com/o/?c3Y9bzM2NV8xX25vbSZyYW5kPVVFWXpjMHM9JnVpZD1VU0VSMTMwOTIwMjRVMDYwOTEzMTQ=	Get hash	malicious	Unknown	Browse	20.7.2.167 40.113.103.199
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	20.7.2.167 40.113.103.199

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1708242531\_platform_specific\win_x64\widevinecdm.dll	doc_inv_09-12#965.pdf	Get hash	malicious	Unknown	Browse
	bot_library.exe	Get hash	malicious	Unknown	Browse
	svAsYrT598.exe	Get hash	malicious	Unknown	Browse
	kc8qrDHj1V.exe	Get hash	malicious	Unknown	Browse
	https://atiguesconstruction-my.sharepoint.com/:f:/g/personal/nartigues_artiguesconstruction_com/Elezf74k885Bs1Su18MKsokBXolnLvxbVc_Ow6itYDUEWA?e=J4Wars	Get hash	malicious	HTMLPhisher	Browse
	Solicitud de Cotizaci#U00f3n #U2013 Cat#U00e1logo de Muestras2024.vbs	Get hash	malicious	FormBook, GuLoader	Browse
	t4xSDtqF.posh.ps1	Get hash	malicious	PoshC2	Browse
C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_596117624\Google.Widevine.CDM.dll	https://www.evernote.com/shard/s671/sh/88c43bb7-39ed-181c-8762-a93c29b8964c/RwXFyGOLohKtNQuZxCAYTGpQKjGhTFOmIRmtBJq1Nd94sQRYOE3VH9kInw	Get hash	malicious	Unknown	Browse
	https://funnelverse.com/wp-includes/css/americanexpress/nDw8DT	Get hash	malicious	HTMLPhisher	Browse
	https://securemessage.zeriother.com/Ns15ny/#bWljaGFlbG1AdGl0bGVmb3J3YXJkLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse
	https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%E2%80%8Bn%C2%ADu%C2%ADj%C2%ADo%C2%ADo%C2%ADm.%E2%80%8Ba%C2%ADi%2Fass%2Flol%2FXMMW7MOtnsvMJxHlCZqfQT3E/YW1jZWxob25lQHJlbGlhYmxlY29udHJvbHMuY29t	Get hash	malicious	Unknown	Browse
	https://work-serve.onrender.com/	Get hash	malicious	Unknown	Browse
	Play_VM-Now(Securustechnologies)CLQD.html	Get hash	malicious	Unknown	Browse
	doc_inv_09-12#965.pdf	Get hash	malicious	Unknown	Browse
	https://reviewscope.s3.us-east-005.backblazeb2.com/info.htm	Get hash	malicious	Unknown	Browse
	choihoon5494-attachmnt.shtml	Get hash	malicious	Unknown	Browse
	https://www.printfriendly.com/pdf-viewer/ee2756274c5d3523578f19904ea0d202.pdf?ids%5B%5D=ee2756274c5d3523578f19904ea0d202.pdf	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1286968575\Filtering Rules

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	data
Category:	dropped
Size (bytes):	74272
Entropy (8bit):	5.535436646838848
Encrypted:	false
SSDEEP:	1536:GB9Cdg51kGLmOSe1pEQHdPr4l0TmmJ2I7CwguaRZrgMQUavJX5vwKf:Sok1RLtb1ptdPrYk1J2IPguangMQ3X5P
MD5:	B23DD5B6ECCB460003EA37BA0F5E3730
SHA1:	FD444553CB7699F84CE7E5664232771673DCF67D
SHA-256:	7F7F432C27D97DEE184DCD3EA20F731674C008BE849C0136F9C5358E359F3EA9
SHA-512:	7E47BD172C4BD4C65F063A8FA3FB33ED47F29156EB20E42D4E8EA73C6F02526A30FFE907BE5B7C1406D4EAA71FBEC7C0D557C376DCCD0A1A961E2F61B3431181
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	............0.8.@.R.-728x90...........0.8.@.R.adtdp.com^..........0.8.@.R.yomeno.xyz^..........0.8.@.R.yellowblue.io^..........0.8.@.R.thubanoa.com^..........0.8.@.R.ad999.biz^..........0.8.@.R._468_60...........0.8.@.R.adrecover.com^..........0.8.@.R.pemsrv.com^..........0.8.@.R.mnaspm.com^..........0.8.@.R..ar/ads/."......0.8.@.R./plugins/cactus-ads/.,........0.8.@.R.mysmth.net/nForum//ADAgent_.>...........worldstar.com0.8.@.R.js.assemblyexchange.com/wana...........0.8.@.R.indoleads.com^.%......0.8.@.R.discordapp.com/banners/.(........0.8.@.R.looker.com/api/internal/.#........0.8.@.R.broadstreetads.com^.(........0.8.@.R.shikoku-np.co.jp/img/ad/..........0.8.@.R./banner.cgi?..........0.8.@.R./in/track?data=.!......0.8.@.R.linkbucks.com/tmpl/..........0.8.@.R.clicktripz.com^..........0.8.@.R.-ad-manager/..........0.8.@.R./page-links-to/dist/new-tab.js........0.8.@.R.files.slack.com^.$........0.8.@.R.admitad-connect.com^.2........0.8.@.R"cloudfront.net/js/common/invoke.js..........0.8

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1286968575\LICENSE.txt

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	24623
Entropy (8bit):	4.588307081140814
Encrypted:	false
SSDEEP:	384:mva5sf5dXrCN7tnBxpxkepTqzazijFgZk231Py9zD6WApYbm0:mvagXreRnTqzazWgj0v6XqD
MD5:	D33AAA5246E1CE0A94FA15BA0C407AE2
SHA1:	11D197ACB61361657D638154A9416DC3249EC9FB
SHA-256:	1D4FF95CE9C6E21FE4A4FF3B41E7A0DF88638DD449D909A7B46974D3DFAB7311
SHA-512:	98B1B12FF0991FD7A5612141F83F69B86BC5A89DD62FC472EE5971817B7BBB612A034C746C2D81AE58FDF6873129256A89AA8BB7456022246DC4515BAAE2454B
Malicious:	false
Reputation:	high, very likely benign file
Preview:	EasyList Repository Licences.... Unless otherwise noted, the contents of the EasyList repository.. (https://github.com/easylist) is dual licensed under the GNU General.. Public License version 3 of the License, or (at your option) any later.. version, and Creative Commons Attribution-ShareAlike 3.0 Unported, or.. (at your option) any later version. You may use and/or modify the files.. as permitted by either licence; if required, "The EasyList authors.. (https://easylist.to/)" should be attributed as the source of the.. material. All relevant licence files are included in the repository..... Please be aware that files hosted externally and referenced in the.. repository, including but not limited to subscriptions other than.. EasyList, EasyPrivacy, EasyList Germany and EasyList Italy, may be.. available under other conditions; permission must be granted by the.. respective copyright holders to authorise the use of their material.......Creative Commons Attribut

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1286968575\_metadata\verified_contents.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1529
Entropy (8bit):	5.990179229242317
Encrypted:	false
SSDEEP:	24:pZRj/flTHYe1DxxpTkYbKCCojeT31zkaoX63wMHF48I31RwCCyqoX6kyKlklyJqw:p/h4YDxxlbKlTlkakgPLI3hCyqkwnlKD
MD5:	2FF08C4B4128F634CBBFEA0C1C44AA2E
SHA1:	45D11E57DDF29E843AC8545C7D06CDDB5DF3E962
SHA-256:	33B6F2ECD5FB7F9FAF538F29808716EFA337A653809943A8E4B5E450B734DA09
SHA-512:	14BD9E921E1DB9AC8720C1177897DB624292865D29B976ED9CCCEE572726D7D123A8F39E470987DF796AE0552861FBAE056CDB395F0CB8B0E699C28F5E221999
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	[{"description":"treehash per file","signed_content":{"payload":"eyJjb250ZW50X2hhc2hlcyI6W3siYmxvY2tfc2l6ZSI6NDA5NiwiZGlnZXN0Ijoic2hhMjU2IiwiZmlsZXMiOlt7InBhdGgiOiJGaWx0ZXJpbmcgUnVsZXMiLCJyb290X2hhc2giOiJpQTVSR2RtNXU1ZjM2ZTJ0QlhPcmJEcEJQX0NxTFc1VW9GZ0NTQ0diU01rIn0seyJwYXRoIjoiTElDRU5TRS50eHQiLCJyb290X2hhc2giOiIyaWswNmk0TFlCdVNHNWphRGFIS253NE9pdnVSRzZsQ0JKMVk0TGtzRFJJIn0seyJwYXRoIjoibWFuaWZlc3QuanNvbiIsInJvb3RfaGFzaCI6IkZ3Q2hIOUhsZzJlMFVLUWJLdVg5SnV5MXpiUlpocHg1YkgzZUdQSFREM00ifV0sImZvcm1hdCI6InRyZWVoYXNoIiwiaGFzaF9ibG9ja19zaXplIjo0MDk2fV0sIml0ZW1faWQiOiJnY21qa21nZGxnbmtrY29jbW9laW1pbmFpam1tam5paSIsIml0ZW1fdmVyc2lvbiI6IjkuNTEuMCIsInByb3RvY29sX3ZlcnNpb24iOjF9","signatures":[{"header":{"kid":"publisher"},"protected":"eyJhbGciOiJSUzI1NiJ9","signature":"ifBoq-woYhqxB78EqRoo2fPRIEfkuykYMlD9kWeeG2QS6-R5YvGNJ9n5OljLXGjvK5U3MDFRLi-UCguxuUaoFjU_QeSCiOLxvDS5JHdk8Bbba8fCW6ZKnH_fvocQD8W7Hj0reH3gOPmD7sIraz8IvG86GRuGPqsxbgc_BRtOCa5KRgqaxfjt7tKlOtaUoO3_qsNlf_8F8k0tNZh131RRIEaXw53z3ZzGpWtgYC0u6s0JKag8l

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1286968575\manifest.fingerprint

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	66
Entropy (8bit):	3.8568101737886993
Encrypted:	false
SSDEEP:	3:SWcgK7GtszDAAnHT:SWc97GWzDlnHT
MD5:	6DBEDE254AF8A23D6CB2ABAEA8D2E38F
SHA1:	A827D46FA5D53CB7B134F143CC15A30BA015ED21
SHA-256:	376ED55CD5AB45C0F7BAA1AF0AC2637C33DEA6D1D4683B729AE7CE764F70DAA1
SHA-512:	0F28FD8AF582C18ECCCC1321B94902501D31C4B6C1D11684780DED6217C14E1B313F58A644516F37AE69232F1C2861915337A4D84185E18124F40C629A50B7F9
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1.3651711652892acf34795b2c7e4d401ed2274c20e952f65cf52deeeef5bbf9b5

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1286968575\manifest.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	114
Entropy (8bit):	4.547350270682037
Encrypted:	false
SSDEEP:	3:rR6TAulhFphifFHXG7LGMdv5HcDKhtUJKS1KPYn:F6VlMZWuMt5SKPS1eY
MD5:	3448D97DA638C7EF0FBCA9B6949FFC8F
SHA1:	36D8434F26F0316FAB4627F7856FCA7291FE8ADF
SHA-256:	1700A11FD1E58367B450A41B2AE5FD26ECB5CDB459869C796C7DDE18F1D30F73
SHA-512:	9BF9055B2EF82BD1D2A1E94009FED2D3481FE2DC336D306FA0DB786658EFA5B72C9A9A214A829B9FCC4222476051871FF012009C64F09B9109072ABDF3DEF8CC
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	{. "manifest_version": 2,. "name": "Subresource Filtering Rules",. "ruleset_format": 1,. "version": "9.51.0".}

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1531919242\LICENSE

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1558
Entropy (8bit):	5.11458514637545
Encrypted:	false
SSDEEP:	48:OBOCrYJ4rYJVwUCLHDy43HV713XEyMmZ3teTHn:LCrYJ4rYJVwUCHZ3Z13XtdUTH
MD5:	EE002CB9E51BB8DFA89640A406A1090A
SHA1:	49EE3AD535947D8821FFDEB67FFC9BC37D1EBBB2
SHA-256:	3DBD2C90050B652D63656481C3E5871C52261575292DB77D4EA63419F187A55B
SHA-512:	D1FDCC436B8CA8C68D4DC7077F84F803A535BF2CE31D9EB5D0C466B62D6567B2C59974995060403ED757E92245DB07E70C6BDDBF1C3519FED300CC5B9BF9177C
Malicious:	false
Preview:	// Copyright 2015 The Chromium Authors. All rights reserved..//.// Redistribution and use in source and binary forms, with or without.// modification, are permitted provided that the following conditions are.// met:.//.// * Redistributions of source code must retain the above copyright.// notice, this list of conditions and the following disclaimer..// * Redistributions in binary form must reproduce the above.// copyright notice, this list of conditions and the following disclaimer.// in the documentation and/or other materials provided with the.// distribution..// * Neither the name of Google Inc. nor the names of its.// contributors may be used to endorse or promote products derived from.// this software without specific prior written permission..//.// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS.// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT.// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR.// A PARTICULAR

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1531919242\_metadata\verified_contents.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1864
Entropy (8bit):	6.021127689065198
Encrypted:	false
SSDEEP:	48:p/hUI1atAdI567akUmYWEFw/3+ovGJ4F3jkZUbvzk98g5m7:RnYQI47avYUwvVGJ41jkZIzxgA7
MD5:	68E6B5733E04AB7BF19699A84D8ABBC2
SHA1:	1C11F06CA1AD3ED8116D356AB9164FD1D52B5CF0
SHA-256:	F095F969D6711F53F97747371C83D5D634EAEF21C54CB1A6A1CC5B816D633709
SHA-512:	9DC5D824A55C969820D5D1FBB0CA7773361F044AE0C255E7C48D994E16CE169FCEAC3DE180A3A544EBEF32337EA535683115584D592370E5FE7D85C68B86C891
Malicious:	false
Preview:	[{"description":"treehash per file","signed_content":{"payload":"eyJjb250ZW50X2hhc2hlcyI6W3siYmxvY2tfc2l6ZSI6NDA5NiwiZGlnZXN0Ijoic2hhMjU2IiwiZmlsZXMiOlt7InBhdGgiOiJMSUNFTlNFIiwicm9vdF9oYXNoIjoiUGIwc2tBVUxaUzFqWldTQnctV0hIRkltRlhVcExiZDlUcVkwR2ZHSHBWcyJ9LHsicGF0aCI6Im1hbmlmZXN0Lmpzb24iLCJyb290X2hhc2giOiIyNXB3SWdtQWU2QTVoeDVVTG9OV0laODBLbzJjbktOTHpacUdjbjlLT2c4In0seyJwYXRoIjoic2V0cy5qc29uIiwicm9vdF9oYXNoIjoiOWVza0FuRlBsM3VCQzkwUmFWakxNaVI3NXZIQi0wQUVmMmg0RzU3ZXNpcyJ9XSwiZm9ybWF0IjoidHJlZWhhc2giLCJoYXNoX2Jsb2NrX3NpemUiOjQwOTZ9XSwiaXRlbV9pZCI6ImdvbnBlbWRna2pjZWNkZ2JuYWFiaXBwcGJtZ2ZnZ2JlIiwiaXRlbV92ZXJzaW9uIjoiMjAyNC44LjEwLjAiLCJwcm90b2NvbF92ZXJzaW9uIjoxfQ","signatures":[{"header":{"kid":"publisher"},"protected":"eyJhbGciOiJSUzI1NiJ9","signature":"dU2MmRUQSugaJAJvEN4uaQHx-KXdOkjj0yK8_aH4Afr3kN7DPOZRt6yLTS3UchBE5M-dgPPPBuKADj4KEK4B22SO6WQquL5J27AUPqQBGgr44-iFGVJdOLLlfirFlJmcYv6DUFRYiPsQFGMr1JFqInj19jgkOxzR6qqcNuTCB0wGEMeTU80r-igCjeQG6TIzPro7yKd_-UxsxO6OGAySmlIJIoU54X0p0ATNoZyAfkhb8kb0oN8unOU

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1531919242\manifest.fingerprint

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	66
Entropy (8bit):	3.9159446964030753
Encrypted:	false
SSDEEP:	3:Sq5TQRaELVHecsUDBAeHD5k:Sq5gJ+csHej5k
MD5:	CFB54589424206D0AE6437B5673F498D
SHA1:	D1EF6314F0F68EFDD0BA8F6CA9E59BFF863B1609
SHA-256:	285AC183C35350B4B77332172413902F83726CA8F53D63859B5DA082FD425A1C
SHA-512:	70FDCA4A1E6B7A5FFED3414E2DB74FECA7E0FD17482B8CB30393DFEE20AB9AD2B0B00FF0C590DD0E8D744D0EAD876CE8844519AF66618ED14666BCA56DF2DA21
Malicious:	false
Preview:	1.dbf288588465463a914bdfc5e86d465fb3592b2f1261dc0e40fcc5c1adc8e7e4

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1531919242\manifest.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	85
Entropy (8bit):	4.4533115571544695
Encrypted:	false
SSDEEP:	3:rR6TAulhFphifFCmMARWHJqS1tean:F6VlM8aRWpqS1ln
MD5:	C3419069A1C30140B77045ABA38F12CF
SHA1:	11920F0C1E55CADC7D2893D1EEBB268B3459762A
SHA-256:	DB9A702209807BA039871E542E8356219F342A8D9C9CA34BCD9A86727F4A3A0F
SHA-512:	C5E95A4E9F5919CB14F4127539C4353A55C5F68062BF6F95E1843B6690CEBED3C93170BADB2412B7FB9F109A620385B0AE74783227D6813F26FF8C29074758A1
Malicious:	false
Preview:	{. "manifest_version": 2,. "name": "First Party Sets",. "version": "2024.8.10.0".}

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1531919242\sets.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	9748
Entropy (8bit):	4.629326694042306
Encrypted:	false
SSDEEP:	96:Mon4mvC4qX19s1blbw/BNKLcxbdmf56MFJtRTGXvcxN43uP+8qJq:v5C4ql7BkIVmtRTGXvcxBsq
MD5:	EEA4913A6625BEB838B3E4E79999B627
SHA1:	1B4966850F1B117041407413B70BFA925FD83703
SHA-256:	20EF4DE871ECE3C5F14867C4AE8465999C7A2CC1633525E752320E61F78A373C
SHA-512:	31B1429A5FACD6787F6BB45216A4AB1C724C79438C18EBFA8C19CED83149C17783FD492A03197110A75AAF38486A9F58828CA30B58D41E0FE89DFE8BDFC8A004
Malicious:	false
Preview:	{"primary":"https://bild.de","associatedSites":["https://welt.de","https://autobild.de","https://computerbild.de","https://wieistmeineip.de"],"serviceSites":["https://www.asadcdn.com"]}.{"primary":"https://blackrock.com","associatedSites":["https://blackrockadvisorelite.it","https://cachematrix.com","https://efront.com","https://etfacademy.it","https://ishares.com"]}.{"primary":"https://cafemedia.com","associatedSites":["https://cardsayings.net","https://nourishingpursuits.com"]}.{"primary":"https://caracoltv.com","associatedSites":["https://noticiascaracol.com","https://bluradio.com","https://shock.co","https://bumbox.com","https://hjck.com"]}.{"primary":"https://carcostadvisor.com","ccTLDs":{"https://carcostadvisor.com":["https://carcostadvisor.be","https://carcostadvisor.fr"]}}.{"primary":"https://citybibleforum.org","associatedSites":["https://thirdspace.org.au"]}.{"primary":"https://cognitiveai.ru","associatedSites":["https://cognitive-ai.ru"]}.{"primary":"https://drimer.io","asso

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1708242531\LICENSE

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	473
Entropy (8bit):	4.388167319950301
Encrypted:	false
SSDEEP:	6:LOT6w+DmsDZrkrDxBYRgELGNB+cIMLohXOl0t1iKR/UFioWd9+iAt4jZMeLhJoUs:iwDtVEDsCDLeelyigqBjt4eK2f55
MD5:	F6719687BED7403612EAED0B191EB4A9
SHA1:	DD03919750E45507743BD089A659E8EFCEFA7AF1
SHA-256:	AFB514E4269594234B32C873BA2CD3CC8892E836861137B531A40A1232820C59
SHA-512:	DD14A7EAE05D90F35A055A5098D09CD2233D784F6AC228B5927925241689BFF828E573B7A90A5196BFDD7AAEECF00F5C94486AD9E3910CFB07475FCFBB7F0D56
Malicious:	false
Preview:	Google LLC and its affiliates ("Google") own all legal right, title and.interest in and to the content decryption module software ("Software") and.related documentation, including any intellectual property rights in the.Software. You may not use, modify, sell, or otherwise distribute the Software.without a separate license agreement with Google. The Software is not open.source software...If you are interested in licensing the Software, please contact.www.widevine.com.

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1708242531\_metadata\verified_contents.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1550
Entropy (8bit):	5.9461543350675905
Encrypted:	false
SSDEEP:	48:p/hFkmoyMTI1jglp6NjkakKwk+R2VJAz5s:RhMka5adwTYQz5s
MD5:	98B310FC33843D771DA0089FA155EDB2
SHA1:	5690A43F43673B947EB4C433CB4F5488A287E29C
SHA-256:	28F09A4AF935D2894689CC00658D597257422CAFF20A01055EFD8E78AD5E829F
SHA-512:	E76830974EA54C94E857179CA0DA893E088034367CA5C33E71C1016B788E737D65AB49AD9A9E6FEB85385B963AF5C13DB0A91E3F3072AC91600E91A1CEA0AB6F
Malicious:	false
Preview:	[{"description":"treehash per file","signed_content":{"payload":"eyJjb250ZW50X2hhc2hlcyI6W3siYmxvY2tfc2l6ZSI6NDA5NiwiZGlnZXN0Ijoic2hhMjU2IiwiZmlsZXMiOlt7InBhdGgiOiJMSUNFTlNFIiwicm9vdF9oYXNoIjoicjdVVTVDYVZsQ05MTXNoenVpelR6SWlTNkRhR0VUZTFNYVFLRWpLQ0RGayJ9LHsicGF0aCI6Il9wbGF0Zm9ybV9zcGVjaWZpYy93aW5feDY0L3dpZGV2aW5lY2RtLmRsbCIsInJvb3RfaGFzaCI6IjIyaDRkdGc4WEx5b2pnb3h3STdVUWppQTRXZ1ZMSFg1YV9oWVZaTFpBNUEifSx7InBhdGgiOiJfcGxhdGZvcm1fc3BlY2lmaWMvd2luX3g2NC93aWRldmluZWNkbS5kbGwuc2lnIiwicm9vdF9oYXNoIjoiMDJOMUd3N2toUmZhRzFiQmZfelhqZFZfSmJDU3NKaDVabjJ4QXpnSGRpRSJ9LHsicGF0aCI6Im1hbmlmZXN0Lmpzb24iLCJyb290X2hhc2giOiJKYWNDM1ZPSnpIc0hmR3RPQnNINjJiM3FkS25EZEZNNGlZYlFrOEozMkNjIn1dLCJmb3JtYXQiOiJ0cmVlaGFzaCIsImhhc2hfYmxvY2tfc2l6ZSI6NDA5Nn1dLCJpdGVtX2lkIjoib2ltb21wZWNhZ25hamRlamdubmppam9iZWJhZWlnZWsiLCJpdGVtX3ZlcnNpb24iOiI0LjEwLjI4MzAuMCIsInByb3RvY29sX3ZlcnNpb24iOjF9","signatures":[{"header":{"kid":"publisher"},"protected":"eyJhbGciOiJSUzI1NiJ9","signature":"KnESAO6ts6E14P0aoVwC_yghkUn7_i9PCMh0NvK44eLJL04dv

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1708242531\_platform_specific\win_x64\widevinecdm.dll

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	19236784
Entropy (8bit):	7.70214269860876
Encrypted:	false
SSDEEP:	393216:FPRzXYeXFyjsrZuvpYl5SJIhw7PJeP9TZHZMaMq0Vrq8P:DFyjs0pYl1hwDJeVT7erq8P
MD5:	9D76604A452D6FDAD3CDAD64DBDD68A1
SHA1:	DC7E98AD3CF8D7BE84F6B3074158B7196356675B
SHA-256:	EB98FA2CFE142976B33FC3E15CF38A391F079E01CF61A82577B15107A98DEA02
SHA-512:	EDD0C26C0B1323344EB89F315876E9DEB460817FC7C52FAEDADAD34732797DAD0D73906F63F832E7C877A37DB4B2907C071748EDFAD81EA4009685385E9E9137
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: doc_inv_09-12#965.pdf, Detection: malicious, Browse Filename: bot_library.exe, Detection: malicious, Browse Filename: svAsYrT598.exe, Detection: malicious, Browse Filename: kc8qrDHj1V.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: Solicitud de Cotizaci#U00f3n #U2013 Cat#U00e1logo de Muestras2024.vbs, Detection: malicious, Browse Filename: t4xSDtqF.posh.ps1, Detection: malicious, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d.....Gf.........." ......o.........P.l......................................p].....c.%...`A..........................................!.......!...... ]......`[..$...f%..!...0].0:....!.8.....................!.(...`cp.@...........p.!..............................text.....o.......o................. ..`.rdata..x.....o.......o.............@..@.data...pv8...".......".............@....pdata...$...`[..&....#.............@..@.00cfg..0.....\.......$.............@..@.gxfg... (....\......$.............@..@.retplne......\.......%..................rodata.......\.......%............. ..`.tls..........\.......%.............@..._RDATA..\.....]...... %.............@..@malloc_h......]......"%............. ..`.rsrc........ ]......$%.............@..@.reloc..0:...0]..<...%.............@..B................................................................................................

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1708242531\_platform_specific\win_x64\widevinecdm.dll.sig

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	data
Category:	dropped
Size (bytes):	1427
Entropy (8bit):	7.572464059652219
Encrypted:	false
SSDEEP:	24:38H/VZn47VBRxgCUQuODHBJeriJ8yojUdnkLvXWgl0oHLrUXAokYH/o8j/bmspTh:38HdurRxHSOlAiqYoXWVDXJ/o8zbmsFh
MD5:	A19EC48B4B28F3AA9C32150DCA8C0E39
SHA1:	02981E40B643C2A987D47BF58F42B7F3CA5AAF07
SHA-256:	D363751B0EE48517DA1B56C17FFCD78DD57F25B092B09879667DB10338077621
SHA-512:	718A24E1FB45AB0FD3DB5A5C45B0E0061D9061D8615E2A8D6DB2150BF72267E96774094A6FC07A250D5BBBC5133A1CB635D8F7ADC5B1751FA99327FCE9555941
Malicious:	false
Preview:	....0...0...........6cd/+J.v{..B...0....H........0}1.0...U....US1.0...U....Washington1.0...U....Kirkland1.0...U....Google1.0...U....Widevine1"0 ..U....widevine-codesign-root-ca0...171013173909Z..271011173909Z0y1.0...U....US1.0...U....Washington1.0...U....Kirkland1.0...U....Google1.0...U....Widevine1.0...U....widevine-vmp-codesign0.."0....H.............0.........2F..8.e..-....$r...{^........0.%.HA...sA"D.q.=6...#.J.N.......&..k;.+...<xF.......B8.)S....o..\|Ci.F.A6....J.......Y..4..{.5u.9N...=...#.M..s.F!j.f%&ld.R...?!Ot@......#.f..O..[.V.p0y....+...S.].....M.=.9...>.. ........>.:....1tl.....`D/c..j..........0..0...U......L...cC.E..R.n...$.0...U.#..0....=..tW....!.B.#U).0...U....0.0...U........0...U.%..0...+.......0...+.....y........0....H.............g.."..[..t{.4~.,.G....4K.....(x$...} ....N..b\|d......h..u6?.L.(&.Oup...$!...4R. 5.-...s...K/..U[..[.+.sAX*.~...^0..ba>;.#....x...b.-1...E..l....S.n.a....)U .q..C>d:...<[..F5...7...[.-.l}.T Lc.X..Qf...z..:.Q..e.m

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1708242531\manifest.fingerprint

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	66
Entropy (8bit):	3.9232676497295262
Encrypted:	false
SSDEEP:	3:SQTWAEVtGbSHaqHGDTzoARPkBDF:SQyANeayyTzTP6
MD5:	5BFBCC6E7AA3E9C1570C5C73F38FA8EA
SHA1:	497BAFA5658C6CE8C8010D12F104EEBEC7A1BAE2
SHA-256:	84470096167EA43C0880B39FE44B42F552014E4F85B66805C2935C542BA3CB8E
SHA-512:	41BBED6CC317FF190189D63D6D5910D30E23A5160E5FF5F635FF408AAB13452DA8174556D7120DB176701435A3329A93A7450583404D56C34A37B67F1A332EDC
Malicious:	false
Preview:	1.567f5df81ea0c9bdcfb7221f0ea091893150f8c16e3012e4f0314ba3d43f1632

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1708242531\manifest.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1001
Entropy (8bit):	4.774546324439748
Encrypted:	false
SSDEEP:	24:ulaihI11X1TRuRckckH3WoA0UNqLQxUNqmTxyNq+TA:C1hYl1uRfckHkseDA
MD5:	2FF237ADBC218A4934A8B361BCD3428E
SHA1:	EFAD279269D9372DCF9C65B8527792E2E9E6CA7D
SHA-256:	25A702DD5389CC7B077C6B4E06C1FAD9BDEA74A9C37453388986D093C277D827
SHA-512:	BAFD91699019AB756ADF13633B825D9D9BAE374CA146E8C05ABC70C931D491D421268A6E6549A8D284782898BC6EB99E3017FBE3A98E09CD3DFECAD19F95E542
Malicious:	false
Preview:	{. "manifest_version": 2,. "update_url": "https://clients2.google.com/service/update2/crx",. "name": "WidevineCdm",. "description": "Widevine Content Decryption Module",. "version": "4.10.2830.0",. "minimum_chrome_version": "68.0.3430.0",. "x-cdm-module-versions": "4",. "x-cdm-interface-versions": "10",. "x-cdm-host-versions": "10",. "x-cdm-codecs": "vp8,vp09,avc1,av01",. "x-cdm-persistent-license-support": true,. "x-cdm-supported-encryption-schemes": [. "cenc",. "cbcs". ],. "icons": {. "16": "imgs/icon-128x128.png",. "128": "imgs/icon-128x128.png". },. "platforms": [. {. "os": "win",. "arch": "x64",. "sub_package_path": "_platform_specific/win_x64/". },. {. "os": "win",. "arch": "x86",. "sub_package_path": "_platform_specific/win_x86/". },. {. "os": "win",. "arch": "arm64",. "sub_package_path": "_platform_specific/win_arm64/". }. ],. "accept_arch": [. "x64",. "x86_64",. "x86_64h". ].

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1949145774\_metadata\verified_contents.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1796
Entropy (8bit):	6.023059468341497
Encrypted:	false
SSDEEP:	48:p/hpfJI12CpFN697akgTguixC1MWk994aJqki/eYZhUr:RG2Cu7afTUND94aw4gy
MD5:	F5B9C966EB93F7872A3912DF54FB111F
SHA1:	7B1A197F4D759316284BFEC79F30013B7C781D94
SHA-256:	38332E166736E41CE2E5E668C3DE1EEC8467B87D5136C8413E6261C0F8B35ABE
SHA-512:	E2EC83F5146A7FDA8B67BC0731E899C046FE672D570D61364F50A1609E885A7898F4AFED063A78D997823155EEA8FA779DE646EE71D8C1A4B649E9BCC189681F
Malicious:	false
Preview:	[{"description":"treehash per file","signed_content":{"payload":"eyJjb250ZW50X2hhc2hlcyI6W3siYmxvY2tfc2l6ZSI6NDA5NiwiZGlnZXN0Ijoic2hhMjU2IiwiZmlsZXMiOlt7InBhdGgiOiJjcl9lbi11c181MDAwMDBfaW5kZXguYmluIiwicm9vdF9oYXNoIjoiMVRocEpLY2hOX1FPNVRzR29fTnVyeVp4ci1EN01KdndLQk9zaUVZekpxZyJ9LHsicGF0aCI6Im1hbmlmZXN0Lmpzb24iLCJyb290X2hhc2giOiJsem9jUFk2dGIyeFdEODBYeThPQkl2MFk3d0NWVWpRSno0eFlLV3RYMVV3In1dLCJmb3JtYXQiOiJ0cmVlaGFzaCIsImhhc2hfYmxvY2tfc2l6ZSI6NDA5Nn1dLCJpdGVtX2lkIjoib2JlZGJiaGJwbW9qbmthbmljaW9nZ25tZWxtb29tb2MiLCJpdGVtX3ZlcnNpb24iOiIyMDI0MDkwMi42NzIzNjM3NTYuMTQiLCJwcm90b2NvbF92ZXJzaW9uIjoxfQ","signatures":[{"header":{"kid":"publisher"},"protected":"eyJhbGciOiJSUzI1NiJ9","signature":"h7GCxBCNXnJa23jwaXVE8aY5IHTNhOvNo-NOEw_6RPBXAl0-dKBASWSAEiMc_xsz8qscSTW9x0XExLCL0w_nLC02d5-qgSgzH6ShrlYT-okgUXjyZ1mkXC8KG4eY7UA-ZJbi3T84_B93z9hwd5qJ1-ypqEjDpjS66F43GS3neddJf8RQZrqlA3utHJ8SkNykv8FtQr11Smdztwq6gzw_v3Hq94E9qheksB4bSUQJQQG3cM8vy7hiA9lkvSbjHeKwMcSwQAVuLnlsmQQC6854LUrrY-FAptanJKtWJhguWhyu7NyEuTpfR8Hsf3i

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1949145774\cr_en-us_500000_index.bin

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	data
Category:	dropped
Size (bytes):	7915327
Entropy (8bit):	6.570635803882568
Encrypted:	false
SSDEEP:	98304:QyIr+F14oHnOFaLct88SXmLiqZ3k5aDyS1WJDjm6J7Yfm7SQ8FWG1mx6Fq:QyRF14BYoSLqZUCyQWNOESQ8S0q
MD5:	96DB58957B26AB466F04A49E564B88E9
SHA1:	8F3A2CEE899435119189804820DA85E488876279
SHA-256:	EC7173FCA63E6AE7185279F7B0977460D3824E1C124DDADEA0C1BF327C93FA76
SHA-512:	C5CA6C0F99C8266C18CEAFFAF69874AE02F3BB1B088E96571A16D2AC6DBFBFA4AA2FBB7959817B629DD63211F43D5CC4E277C32F2DFC26BBA5CC7D684F14F9EF
Malicious:	false
Preview:	......w.....h....a..#..y..1..f#~2..tw7;..r!.I..g.MR..c.)Z..ly.n..e3.w..d..}..i.O...mMB...p.x...bw....uk....sG<...o.....z.?...n.%...k.....vI\|...j.....x.V...1.....q.....55....2.....9w....4.....3CU...7.....6.....8.5...0Ia.....h.....i...*cp.....p.....q...&.u.....v.....v........x...#.y.../.y....W{...$.\|....... ...................-8-tetrahydrocannabinol.i........ to .....-.............. ....... meaning.................^............... ......>........ ......T....E....)e............ meaning.....G...... meaning.....dgar guzm.n l.pez..........<W..(....... meaning.=.........1...... meaning....@Q............ meaningh...........t.... meaning.....#....... ....... . .... ................r eldon...... meaning..... meaning.{..... ..... .......r........2l.... meaning.L.... meaning.C..... .......A........ . .....R..............

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1949145774\manifest.fingerprint

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	66
Entropy (8bit):	3.8210255675168567
Encrypted:	false
SSDEEP:	3:SS1KmDEcdGcEAEE5NoBdBA/BTn:SSFDEc1EpvdBA/ln
MD5:	D2F3C5774D48283F037291454607C3CD
SHA1:	F4BA368313FCDC02C75DE02F2FD3CB5F7A0980F6
SHA-256:	3B8A11F3A749394203849D0FAED36A6FD0695B85B4774FC5476A651D55684825
SHA-512:	A7A85D59DBA1486D463259260136E38843D9255FF8632B582B94A0DF96D6A4E75C77C438E2F871D15FF6831A259785FB19E4AEC300B6C91AA383B7CAE10F5AB4
Malicious:	false
Preview:	1.79a6486379270d1f75affa98c9a93e236afd20fee86adbaadd8d3b9f37aa13c6

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1949145774\manifest.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	108
Entropy (8bit):	4.903151975132155
Encrypted:	false
SSDEEP:	3:rR6TAulhFphifF0AAGAR3CKG/w/VpKS1y9SGZQTLUG:F6VlMT2C7Y/VUS1y1cLUG
MD5:	79C93E2D4FF43CED56BC85DD135A1F7F
SHA1:	BAC80396DD067CDE3E8B35C2569224D9774FE6B5
SHA-256:	973A1C3D8EAD6F6C560FCD17CBC38122FD18EF0095523409CF8C58296B57D54C
SHA-512:	3185C831036E8E47101CD4EED83CF9BC40B27F108648F7C941C724DCA3E9F0A029030F5F60E3D836303DEE140335CFBA11B7ADC59B6AFE57EE90415D1FE9B6CC
Malicious:	false
Preview:	{. "manifest_version": 2,. "name": "OnDeviceHeadSuggestENUS500000",. "version": "20240902.672363756.14".}

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_289466839\_metadata\verified_contents.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1766
Entropy (8bit):	6.030497654607711
Encrypted:	false
SSDEEP:	48:p/hxgOXVAxJkzkaklZjZxUqwzBl6zPjakzyFtlx:RXZVgaAZj3Vfa1Ft7
MD5:	38237231F3D8ABA6F9BEB4007CFE1ADF
SHA1:	2580CDCE58A501CB324182E5892A2C96EBAE1BA6
SHA-256:	3303AEFA77510330A7F62A1E2117FD09D5E84CFFDD5733EE82AC1099589D98F1
SHA-512:	98DDA280D8E81FA89A200B5311268A5C531529FAB240778C1EEA442FF92507F5708ACD5C21812AF219CB6BE10F0D8EA33349D6E8D23565660987F80B85D92041
Malicious:	false
Preview:	[{"description":"treehash per file","signed_content":{"payload":"eyJjb250ZW50X2hhc2hlcyI6W3siYmxvY2tfc2l6ZSI6NDA5NiwiZGlnZXN0Ijoic2hhMjU2IiwiZmlsZXMiOlt7InBhdGgiOiJtYW5pZmVzdC5qc29uIiwicm9vdF9oYXNoIjoiYkp6d1lVX05hNzJwWU1JMS1jRFhJOEtrMzNPcDkwTTkzeXc1NW5YNFZuTSJ9LHsicGF0aCI6Im9wdGltaXphdGlvbi1oaW50cy5wYiIsInJvb3RfaGFzaCI6InZmbGVfc3drY1M4TGdmMnR2VzQ5V0VXbnNKcmlnYVZKR0JaY2h3dm1mYTAifV0sImZvcm1hdCI6InRyZWVoYXNoIiwiaGFzaF9ibG9ja19zaXplIjo0MDk2fV0sIml0ZW1faWQiOiJsbWVsZ2xlamhlbWVqZ2lucGJvYWdkZGdkZmJlcGdtcCIsIml0ZW1fdmVyc2lvbiI6IjQ2NSIsInByb3RvY29sX3ZlcnNpb24iOjF9","signatures":[{"header":{"kid":"publisher"},"protected":"eyJhbGciOiJSUzI1NiJ9","signature":"kMgdF8LHS64YcJkyZj91Q2Bhhj-QvuwiRw9roNY2vKON4oRegYI-plbzQG6AZBQL--fgvWFf-oykYGGsFU2nOI78MSSgYCXHuOqzFTIWeTwj9l3NQKOKrZCmO6h0v2GRQ__R3Q9vA3B6XNvNcnIXjDHlw4uyZmC8iL-3EjKFqWvvxWBP0caOvy53DZLNxIeKH9eG7eUXT08Iri2aeXd-FZV8iucKrTohH65Lmljkfgtv7DlDaCNOX3CcTGLQ1_iK817vozDz6PrpmFuGQoZxgLmO9neGm_Ck2_dgdbyrB_BrbAgIEHtPSd15yg49aBZZlh8ktxIpNnJBGWUA62uRQs9q0

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_289466839\manifest.fingerprint

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	66
Entropy (8bit):	3.754504968644688
Encrypted:	false
SSDEEP:	3:SXBQEUsA56heHcGsuXn:SRQ0XGsqn
MD5:	1B038A33EF4D9C6B6E232651139EF892
SHA1:	FB35B25BDE78739B84810E815E7C909ED8FDE9D2
SHA-256:	66EF8DD7A18DBBC7F66935A45CF18FC39B56FEB1E1556965AF25EC94006F4C38
SHA-512:	0DB90483835D0723E934F4E70936DEE9398FDC345FE174474843BBEC2EBB9A8A7FDDE913DF8FF72FF090B799A19300C2918E07652A5EB7E28E503168FEEB0595
Malicious:	false
Preview:	1.2d55223896a8d536d9426fee9d9d3903a4489b9c9d4e431c3c8d1d2e4371e8d3

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_289466839\manifest.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	108
Entropy (8bit):	4.481149880283266
Encrypted:	false
SSDEEP:	3:rR6TAulhFphifFzIe4/+S1Iv5HcDKhtH8tAn:F6VlMQ/+S1S5SKH8tAn
MD5:	CD4C0963DC7207A1B934E4E095E9FC6B
SHA1:	7B4C264E61B558C3FE033A713C1C7040B8423E67
SHA-256:	6C9CF0614FCD6BBDA960C235F9C0D723C2A4DF73A9F7433DDF2C39E675F85673
SHA-512:	2F23CB68693488227078CA7F81C61B1FCEC839D26135D5C0EF69634E59A14837D782B692B0D53267B2B047F68B8067E44684CC66D808199ADCFE03CAB50977CA
Malicious:	false
Preview:	{. "manifest_version": 2,. "name": "Optimization Hints",. "version": "465",. "ruleset_format": "1.0.0".}

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_289466839\optimization-hints.pb

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	data
Category:	dropped
Size (bytes):	53154
Entropy (8bit):	7.976143136154575
Encrypted:	false
SSDEEP:	1536:/zehGBKxdYm83YG3iHb8fZANCdX4Sjsx4k/:x0xW3YG3i78fZk67jseW
MD5:	731EBD007479AD8C05A2E2C02B7C4732
SHA1:	40B18D9A6F9B6D8AB076543AA2CFEF313FF5901B
SHA-256:	A83FE182ACB5863196783D792AAFC0F4C60A00931D64C2044D477939FC9FAFC0
SHA-512:	3D3F6DABBB08622ACDB69751BD8B308DD9146E2755430C4F0763C1886E472F8832B888553430E699F68A7B278DA34CAF2957591AFD4B6F23667D9A20172D8F5B
Malicious:	false
Preview:	............I.....g2.I..jI..n).+..)...h.+.A7p..q.:S4.Z...O.. R..\|....Da.e.?..W.-..ni2.....[.....6%8....x..y".b.Y7^.n......%/...f..c../.CY....j..\|].b..+.f..].{S.s..J...\|..nn..G..jb).Mn..../....R%.Fm.....K.....&.n.P.]..M.q:E..#^..O.....+...%\|{....5d..............=....X......._...OS1...+.q...7..vzf.....(....iVp....7..."QA.k`......Q...Y../X4..`...<+.@.U...m .'.X6...-.aD....<..w..7bv.e......<~.J.d...i..7..o}x_...B.T....V.et....u.{/.....p6.....t.Y(a.E......t.....P..45.a...!B-......B.RY#H....E....%...I..a.....$...T....7;...y..`.l.p..kv..`..q]...z.9rX...Rb..Q.N..../.>....p.ah.........z.\.Y}2W..o.?..-6=y...2[:..t7(t)....^.H...cl"]F."..@'h....t..s..Pf..SA.yCs....IuT..=.6...{...X....,...}.....ddE.2............YU..HQ..h.i.v...;..b....}.]K..../O.....]S~.l.H...........&....~m....3..l.l*RN"..k..1f.x.$..n...P-..](.Z./.........9...WJ\. /.B.Q....h.R...e.............Fg]...........?.Z..iH.Kyxc.e.P...H.....1N.Ac.;.4..he..b.V.w..'.....Z...K.4......p...2..9.s.."

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_596117624\Google.Widevine.CDM.dll

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2877728
Entropy (8bit):	6.868480682648069
Encrypted:	false
SSDEEP:	49152:GB6BoH5sOI2CHusbKOdskuoHHVjcY94RNETO2WYA4oPToqnQ3dK5zuqvGKGxofFo:M67hlnVjcYGRNETO2WYA4oLoqnJuZI5
MD5:	477C17B6448695110B4D227664AA3C48
SHA1:	949FF1136E0971A0176F6ADEA8ADCC0DD6030F22
SHA-256:	CB190E7D1B002A3050705580DD51EBA895A19EB09620BDD48D63085D5D88031E
SHA-512:	1E267B01A78BE40E7A02612B331B1D9291DA8E4330DEA10BF786ACBC69F25E0BAECE45FB3BAFE1F4389F420EBAA62373E4F035A45E34EADA6F72C7C61D2302ED
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: , Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: Play_VM-Now(Securustechnologies)CLQD.html, Detection: malicious, Browse Filename: doc_inv_09-12#965.pdf, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: choihoon5494-attachmnt.shtml, Detection: malicious, Browse Filename: , Detection: malicious, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d.....fd.........." ......(..........A&.......................................,.......,...`A.........................................V......V......`,......`+..p....+. )...p,......D.8....................C.(.....(.8...........p\..............................text.....(.......(................. ..`.rdata..h.....(.......(.............@..@.data....l......&.................@....pdata...p...`+..r.................@..@.00cfg..(.....+......p+.............@..@.gxfg....$....+..&...r+.............@..@.retplnel.... ,.......+..................tls.........0,.......+.............@....voltbl.D....@,.......+................._RDATA.......P,.......+.............@..@.rsrc........`,.......+.............@..@.reloc.......p,.......+.............@..B........................................................................................................................................

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_596117624\_metadata\verified_contents.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1778
Entropy (8bit):	6.02086725086136
Encrypted:	false
SSDEEP:	48:p/hCdQAdJjRkakCi0LXjX9mqjW6JmfQkNWQzXXf2gTs:RtQ1aaxXrjW6JuQEWQKas
MD5:	3E839BA4DA1FFCE29A543C5756A19BDF
SHA1:	D8D84AC06C3BA27CCEF221C6F188042B741D2B91
SHA-256:	43DAA4139D3ED90F4B4635BD4D32346EB8E8528D0D5332052FCDA8F7860DB729
SHA-512:	19B085A9CFEC4D6F1B87CC6BBEEB6578F9CBA014704D05C9114CFB0A33B2E7729AC67499048CB33823C884517CBBDC24AA0748A9BB65E9C67714E6116365F1AB
Malicious:	false
Preview:	[{"description":"treehash per file","signed_content":{"payload":"eyJjb250ZW50X2hhc2hlcyI6W3siYmxvY2tfc2l6ZSI6NDA5NiwiZGlnZXN0Ijoic2hhMjU2IiwiZmlsZXMiOlt7InBhdGgiOiJHb29nbGUuV2lkZXZpbmUuQ0RNLmRsbCIsInJvb3RfaGFzaCI6Im9ZZjVLQ2Z1ai1MYmdLYkQyWFdBS1E5Nkp1bTR1Q2dCZTRVeEpGSExSNWMifSx7InBhdGgiOiJtYW5pZmVzdC5qc29uIiwicm9vdF9oYXNoIjoiYk01YTJOU1d2RkY1LW9Tdml2eFdqdXVwZ05pblVGakdPQXRrLTBJcGpDZyJ9XSwiZm9ybWF0IjoidHJlZWhhc2giLCJoYXNoX2Jsb2NrX3NpemUiOjQwOTZ9XSwiaXRlbV9pZCI6Im5laWZhb2luZGdnZmNqaWNmZmtncG1ubHBwZWZmYWJkIiwiaXRlbV92ZXJzaW9uIjoiMS4wLjI3MzguMCIsInByb3RvY29sX3ZlcnNpb24iOjF9","signatures":[{"header":{"kid":"publisher"},"protected":"eyJhbGciOiJSUzI1NiJ9","signature":"KTPeHzS0ybFaz3_br3ASYWHjb6Ctul92067u2JMwtNYYm-4KxLiSkJZNBIzhm6hNSEW2p5kUEvHD0TjhhFGCZnWm9titj2bqJayCOAGxZb5BO74JJCRfy5Kwr1KSS4nvocsZepnHBmCiG2OV3by-Lyf1h1uU3X3bDfD92O0vJzrA8rwL2LrwIk-BolLo5nlM0I_MZwg8DhZ8SFBu9GGRVB2XrailDrv4SgupFE9gqA1HY6kjRjoyoAHbRRxZdBNNt9IKNdxNyaF9NcNRY8dAedNQ9Tw3YNp5jB7R9lcjO4knn58RdH2h_GiJ4l96StcXA4e7cqbJ77P-c

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_596117624\manifest.fingerprint

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	66
Entropy (8bit):	3.974403644129192
Encrypted:	false
SSDEEP:	3:SLVV8T+WSq2ykFDJp9qBn:SLVqZS5p0B
MD5:	D30A5BBC00F7334EEDE0795D147B2E80
SHA1:	78F3A6995856854CAD0C524884F74E182F9C3C57
SHA-256:	A08C1BC41DE319392676C7389048D8B1C7424C4B74D2F6466BCF5732B8D86642
SHA-512:	DACF60E959C10A3499D55DC594454858343BF6A309F22D73BDEE86B676D8D0CED10E86AC95ECD78E745E8805237121A25830301680BD12BFC7122A82A885FF4B
Malicious:	false
Preview:	1.c900ba9a2d8318263fd43782ee6fd5fb50bad78bf0eb2c972b5922c458af45ed

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_596117624\manifest.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	145
Entropy (8bit):	4.595307058143632
Encrypted:	false
SSDEEP:	3:rR6TAulhFphifFooG+HhFFKS18CWjhXLXGPQ3TRpvF/FHddTcplFHddTcVYA:F6VlM5PpKS18hRIA
MD5:	BBC03E9C7C5944E62EFC9C660B7BD2B6
SHA1:	83F161E3F49B64553709994B048D9F597CDE3DC6
SHA-256:	6CCE5AD8D496BC5179FA84AF8AFC568EEBA980D8A75058C6380B64FB42298C28
SHA-512:	FB80F091468A299B5209ACC30EDAF2001D081C22C3B30AAD422CBE6FEA7E5FE36A67A8E000D5DD03A30C60C30391C85FA31F3931E804C351AB0A71E9A978CC0F
Malicious:	false
Preview:	{. "manifest_version": 2,. "name": "windows-mf-cdm",. "version": "1.0.2738.0",. "accept_arch": [. "x64",. "x86_64",. "x86_64h". ].}

Chrome Cache Entry: 112

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text
Category:	downloaded
Size (bytes):	288
Entropy (8bit):	5.119280529475943
Encrypted:	false
SSDEEP:	6:5m8n0+DyDBqW23NMjshdiTadMjs9i1a0QIjpVBVWRU4XKfXJjCJqoA:4E0+8jmd4j6ifQIlFWRcJjCa
MD5:	EF220A553813ACC9EDE80405DF3B7FD7
SHA1:	382FCF28D5B5ACE81E818FA5A2F9C6D54EEC179B
SHA-256:	D3CFFE9F37702E95B3702696987F93AB39922A033E06610275A82A7AAE14C96A
SHA-512:	4334271F300EFA4E666B21D00858278970545987DA778E7C25ECB8553D9157847768597A1B645B82914C7EF72DC6187513772C6E8CFB8D027331666087845F60
Malicious:	false
URL:	https://medconsol.com/favicon.ico
Preview:	.<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<HTML><HEAD>.<TITLE> 508 Resource Limit Is Reached</TITLE>.</HEAD><BODY>.<H1>Resource Limit Is Reached</H1>.The website is temporarily unable to service your request as it exceeded resource limit..Please try again later..</BODY></HTML>.

Chrome Cache Entry: 113

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	very short file (no magic)
Category:	downloaded
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:v:v
MD5:	68B329DA9893E34099C7D8AD5CB9C940
SHA1:	ADC83B19E793491B1C6EA0FD8B46CD9F32E592FC
SHA-256:	01BA4719C80B6FE911B091A7C05124B64EEECE964E09C058EF8F9805DACA546B
SHA-512:	BE688838CA8686E5C90689BF2AB585CEF1137C999B48C70B92F67A5C34DC15697B5D11C982ED6D71BE1E1E7F7B4E0733884AA97C3F7A339A8ED03577CF74BE09
Malicious:	false
URL:	https://medconsol.com/o/?c3Y9bzM2NV8xX25vbSZyYW5kPVUyZGlha0k9JnVpZD1VU0VSMTcwOTIwMjRVMjEwOTE3NDg=
Preview:	.

Static File Info

General

File type:	HTML document, ASCII text, with CRLF line terminators
Entropy (8bit):	4.480035007887159
TrID:
File name:	ACH Payment Details_(Dcorbett)CQDM.html
File size:	5'065 bytes
MD5:	7978ed6fd79314c9a4de374eb890e35c
SHA1:	72aea05b419b6a3f1edb28c1204a12fac7e44dad
SHA256:	9a4a5655f0ea0a9c3660636ddd73b2006d2e122a19cb2062fd5789ea07be3f67
SHA512:	fd6548e49a532a835f0addbecbfff5b1d5808dfe28606e8881751156dab233cba842b908d4ac675236b42463f90825d1e631a13558fad333d223dda2acaf1ef5
SSDEEP:	96:JWlUmxeY5HcIZZKOUGHlaaUrbEkbNVBPmhCY4/ousuaRu7uhveu:J4UM8WZhFTYP5PP6fd
TLSH:	A6A1BC2474F4256742B7C0DC8628AB5AFED1820BCA1BA50672FD77D70FF7D419923920
File Content Preview:	<body style="display:none;">.. <div class="container-xxl position-relative p-0">.. <nav class="navbar navbar-expand-lg navbar-light px-4 px-lg-5 py-3 py-lg-0">.. <a dtsy="" class="navbar-brand p-0">.. <h1 class="m-0"><i

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 171
• 443 (HTTPS)
• 80 (HTTP)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 17, 2024 20:25:44.489872932 CEST	49711	443	192.168.2.6	20.7.2.167
Sep 17, 2024 20:25:44.489914894 CEST	443	49711	20.7.2.167	192.168.2.6
Sep 17, 2024 20:25:44.489979982 CEST	49711	443	192.168.2.6	20.7.2.167
Sep 17, 2024 20:25:44.492240906 CEST	49711	443	192.168.2.6	20.7.2.167
Sep 17, 2024 20:25:44.492258072 CEST	443	49711	20.7.2.167	192.168.2.6
Sep 17, 2024 20:25:45.006591082 CEST	49674	443	192.168.2.6	173.222.162.64
Sep 17, 2024 20:25:45.006591082 CEST	49673	443	192.168.2.6	173.222.162.64
Sep 17, 2024 20:25:45.099349976 CEST	443	49711	20.7.2.167	192.168.2.6
Sep 17, 2024 20:25:45.099422932 CEST	49711	443	192.168.2.6	20.7.2.167
Sep 17, 2024 20:25:45.105686903 CEST	49711	443	192.168.2.6	20.7.2.167
Sep 17, 2024 20:25:45.105700970 CEST	443	49711	20.7.2.167	192.168.2.6
Sep 17, 2024 20:25:45.106079102 CEST	443	49711	20.7.2.167	192.168.2.6
Sep 17, 2024 20:25:45.108949900 CEST	49711	443	192.168.2.6	20.7.2.167
Sep 17, 2024 20:25:45.109067917 CEST	49711	443	192.168.2.6	20.7.2.167
Sep 17, 2024 20:25:45.109072924 CEST	443	49711	20.7.2.167	192.168.2.6
Sep 17, 2024 20:25:45.109189987 CEST	49711	443	192.168.2.6	20.7.2.167
Sep 17, 2024 20:25:45.155407906 CEST	443	49711	20.7.2.167	192.168.2.6
Sep 17, 2024 20:25:45.217232943 CEST	443	49711	20.7.2.167	192.168.2.6
Sep 17, 2024 20:25:45.217344999 CEST	443	49711	20.7.2.167	192.168.2.6
Sep 17, 2024 20:25:45.217408895 CEST	49711	443	192.168.2.6	20.7.2.167
Sep 17, 2024 20:25:45.217897892 CEST	49711	443	192.168.2.6	20.7.2.167
Sep 17, 2024 20:25:45.217915058 CEST	443	49711	20.7.2.167	192.168.2.6
Sep 17, 2024 20:25:45.270433903 CEST	49672	443	192.168.2.6	173.222.162.64
Sep 17, 2024 20:25:45.874245882 CEST	49715	443	192.168.2.6	95.217.116.67
Sep 17, 2024 20:25:45.874304056 CEST	443	49715	95.217.116.67	192.168.2.6
Sep 17, 2024 20:25:45.874368906 CEST	49715	443	192.168.2.6	95.217.116.67
Sep 17, 2024 20:25:45.874689102 CEST	49715	443	192.168.2.6	95.217.116.67
Sep 17, 2024 20:25:45.874700069 CEST	443	49715	95.217.116.67	192.168.2.6
Sep 17, 2024 20:25:45.874713898 CEST	49716	443	192.168.2.6	95.217.116.67
Sep 17, 2024 20:25:45.874752045 CEST	443	49716	95.217.116.67	192.168.2.6
Sep 17, 2024 20:25:45.874805927 CEST	49716	443	192.168.2.6	95.217.116.67
Sep 17, 2024 20:25:45.875108004 CEST	49716	443	192.168.2.6	95.217.116.67
Sep 17, 2024 20:25:45.875122070 CEST	443	49716	95.217.116.67	192.168.2.6
Sep 17, 2024 20:25:46.847575903 CEST	443	49716	95.217.116.67	192.168.2.6
Sep 17, 2024 20:25:46.857589960 CEST	443	49715	95.217.116.67	192.168.2.6
Sep 17, 2024 20:25:46.886132956 CEST	49715	443	192.168.2.6	95.217.116.67
Sep 17, 2024 20:25:46.886147022 CEST	443	49715	95.217.116.67	192.168.2.6
Sep 17, 2024 20:25:46.886599064 CEST	49716	443	192.168.2.6	95.217.116.67
Sep 17, 2024 20:25:46.886619091 CEST	443	49716	95.217.116.67	192.168.2.6
Sep 17, 2024 20:25:46.887759924 CEST	443	49715	95.217.116.67	192.168.2.6
Sep 17, 2024 20:25:46.887819052 CEST	49715	443	192.168.2.6	95.217.116.67
Sep 17, 2024 20:25:46.888102055 CEST	443	49716	95.217.116.67	192.168.2.6
Sep 17, 2024 20:25:46.888154030 CEST	49716	443	192.168.2.6	95.217.116.67
Sep 17, 2024 20:25:46.900592089 CEST	49716	443	192.168.2.6	95.217.116.67
Sep 17, 2024 20:25:46.900686979 CEST	443	49716	95.217.116.67	192.168.2.6
Sep 17, 2024 20:25:46.900701046 CEST	49715	443	192.168.2.6	95.217.116.67
Sep 17, 2024 20:25:46.900799036 CEST	443	49715	95.217.116.67	192.168.2.6
Sep 17, 2024 20:25:46.900860071 CEST	49716	443	192.168.2.6	95.217.116.67
Sep 17, 2024 20:25:46.900870085 CEST	443	49716	95.217.116.67	192.168.2.6
Sep 17, 2024 20:25:47.008630037 CEST	49716	443	192.168.2.6	95.217.116.67
Sep 17, 2024 20:25:47.008634090 CEST	49715	443	192.168.2.6	95.217.116.67
Sep 17, 2024 20:25:47.008672953 CEST	443	49715	95.217.116.67	192.168.2.6
Sep 17, 2024 20:25:47.042972088 CEST	443	49701	173.222.162.64	192.168.2.6
Sep 17, 2024 20:25:47.043068886 CEST	49701	443	192.168.2.6	173.222.162.64
Sep 17, 2024 20:25:47.119169950 CEST	443	49716	95.217.116.67	192.168.2.6
Sep 17, 2024 20:25:47.119278908 CEST	443	49716	95.217.116.67	192.168.2.6
Sep 17, 2024 20:25:47.119343996 CEST	49716	443	192.168.2.6	95.217.116.67
Sep 17, 2024 20:25:47.120081902 CEST	49716	443	192.168.2.6	95.217.116.67
Sep 17, 2024 20:25:47.120101929 CEST	443	49716	95.217.116.67	192.168.2.6
Sep 17, 2024 20:25:47.166146040 CEST	49715	443	192.168.2.6	95.217.116.67
Sep 17, 2024 20:25:47.207416058 CEST	443	49715	95.217.116.67	192.168.2.6
Sep 17, 2024 20:25:50.091836929 CEST	49722	443	192.168.2.6	142.250.185.228
Sep 17, 2024 20:25:50.091871023 CEST	443	49722	142.250.185.228	192.168.2.6
Sep 17, 2024 20:25:50.091934919 CEST	49722	443	192.168.2.6	142.250.185.228
Sep 17, 2024 20:25:50.092346907 CEST	49722	443	192.168.2.6	142.250.185.228
Sep 17, 2024 20:25:50.092356920 CEST	443	49722	142.250.185.228	192.168.2.6
Sep 17, 2024 20:25:50.772074938 CEST	49724	443	192.168.2.6	184.28.90.27
Sep 17, 2024 20:25:50.772145987 CEST	443	49724	184.28.90.27	192.168.2.6
Sep 17, 2024 20:25:50.772237062 CEST	49724	443	192.168.2.6	184.28.90.27
Sep 17, 2024 20:25:50.775161982 CEST	49724	443	192.168.2.6	184.28.90.27
Sep 17, 2024 20:25:50.775183916 CEST	443	49724	184.28.90.27	192.168.2.6
Sep 17, 2024 20:25:50.786619902 CEST	443	49722	142.250.185.228	192.168.2.6
Sep 17, 2024 20:25:50.787010908 CEST	49722	443	192.168.2.6	142.250.185.228
Sep 17, 2024 20:25:50.787030935 CEST	443	49722	142.250.185.228	192.168.2.6
Sep 17, 2024 20:25:50.788656950 CEST	443	49722	142.250.185.228	192.168.2.6
Sep 17, 2024 20:25:50.788722992 CEST	49722	443	192.168.2.6	142.250.185.228
Sep 17, 2024 20:25:50.790096045 CEST	49722	443	192.168.2.6	142.250.185.228
Sep 17, 2024 20:25:50.790184975 CEST	443	49722	142.250.185.228	192.168.2.6
Sep 17, 2024 20:25:50.832602978 CEST	49722	443	192.168.2.6	142.250.185.228
Sep 17, 2024 20:25:50.832623005 CEST	443	49722	142.250.185.228	192.168.2.6
Sep 17, 2024 20:25:50.879498959 CEST	49722	443	192.168.2.6	142.250.185.228
Sep 17, 2024 20:25:51.554827929 CEST	443	49724	184.28.90.27	192.168.2.6
Sep 17, 2024 20:25:51.554913044 CEST	49724	443	192.168.2.6	184.28.90.27
Sep 17, 2024 20:25:51.594459057 CEST	49724	443	192.168.2.6	184.28.90.27
Sep 17, 2024 20:25:51.594497919 CEST	443	49724	184.28.90.27	192.168.2.6
Sep 17, 2024 20:25:51.594770908 CEST	443	49724	184.28.90.27	192.168.2.6
Sep 17, 2024 20:25:51.645884991 CEST	49724	443	192.168.2.6	184.28.90.27
Sep 17, 2024 20:25:51.902026892 CEST	49724	443	192.168.2.6	184.28.90.27
Sep 17, 2024 20:25:51.943399906 CEST	443	49724	184.28.90.27	192.168.2.6
Sep 17, 2024 20:25:52.420773983 CEST	443	49724	184.28.90.27	192.168.2.6
Sep 17, 2024 20:25:52.420850039 CEST	443	49724	184.28.90.27	192.168.2.6
Sep 17, 2024 20:25:52.420902014 CEST	49724	443	192.168.2.6	184.28.90.27
Sep 17, 2024 20:25:52.449830055 CEST	49724	443	192.168.2.6	184.28.90.27
Sep 17, 2024 20:25:52.449856997 CEST	443	49724	184.28.90.27	192.168.2.6
Sep 17, 2024 20:25:52.449867964 CEST	49724	443	192.168.2.6	184.28.90.27
Sep 17, 2024 20:25:52.449873924 CEST	443	49724	184.28.90.27	192.168.2.6
Sep 17, 2024 20:25:52.519184113 CEST	49725	443	192.168.2.6	184.28.90.27
Sep 17, 2024 20:25:52.519217968 CEST	443	49725	184.28.90.27	192.168.2.6
Sep 17, 2024 20:25:52.519328117 CEST	49725	443	192.168.2.6	184.28.90.27
Sep 17, 2024 20:25:52.520054102 CEST	49725	443	192.168.2.6	184.28.90.27
Sep 17, 2024 20:25:52.520066977 CEST	443	49725	184.28.90.27	192.168.2.6
Sep 17, 2024 20:25:52.681588888 CEST	443	49715	95.217.116.67	192.168.2.6
Sep 17, 2024 20:25:52.681652069 CEST	443	49715	95.217.116.67	192.168.2.6
Sep 17, 2024 20:25:52.681721926 CEST	49715	443	192.168.2.6	95.217.116.67
Sep 17, 2024 20:25:52.682420015 CEST	49715	443	192.168.2.6	95.217.116.67
Sep 17, 2024 20:25:52.682436943 CEST	443	49715	95.217.116.67	192.168.2.6
Sep 17, 2024 20:25:52.798212051 CEST	49726	443	192.168.2.6	20.7.2.167
Sep 17, 2024 20:25:52.798269987 CEST	443	49726	20.7.2.167	192.168.2.6
Sep 17, 2024 20:25:52.798355103 CEST	49726	443	192.168.2.6	20.7.2.167
Sep 17, 2024 20:25:52.798933983 CEST	49726	443	192.168.2.6	20.7.2.167
Sep 17, 2024 20:25:52.798953056 CEST	443	49726	20.7.2.167	192.168.2.6
Sep 17, 2024 20:25:53.332926035 CEST	443	49725	184.28.90.27	192.168.2.6
Sep 17, 2024 20:25:53.333045006 CEST	49725	443	192.168.2.6	184.28.90.27
Sep 17, 2024 20:25:53.378437996 CEST	49725	443	192.168.2.6	184.28.90.27
Sep 17, 2024 20:25:53.378464937 CEST	443	49725	184.28.90.27	192.168.2.6
Sep 17, 2024 20:25:53.379364967 CEST	443	49725	184.28.90.27	192.168.2.6
Sep 17, 2024 20:25:53.380970001 CEST	49725	443	192.168.2.6	184.28.90.27
Sep 17, 2024 20:25:53.405833960 CEST	443	49726	20.7.2.167	192.168.2.6
Sep 17, 2024 20:25:53.405910969 CEST	49726	443	192.168.2.6	20.7.2.167
Sep 17, 2024 20:25:53.407761097 CEST	49726	443	192.168.2.6	20.7.2.167
Sep 17, 2024 20:25:53.407769918 CEST	443	49726	20.7.2.167	192.168.2.6
Sep 17, 2024 20:25:53.408263922 CEST	443	49726	20.7.2.167	192.168.2.6
Sep 17, 2024 20:25:53.410553932 CEST	49726	443	192.168.2.6	20.7.2.167
Sep 17, 2024 20:25:53.410619020 CEST	49726	443	192.168.2.6	20.7.2.167
Sep 17, 2024 20:25:53.410624981 CEST	443	49726	20.7.2.167	192.168.2.6
Sep 17, 2024 20:25:53.410754919 CEST	49726	443	192.168.2.6	20.7.2.167
Sep 17, 2024 20:25:53.423408031 CEST	443	49725	184.28.90.27	192.168.2.6
Sep 17, 2024 20:25:53.451416969 CEST	443	49726	20.7.2.167	192.168.2.6
Sep 17, 2024 20:25:53.520298004 CEST	443	49726	20.7.2.167	192.168.2.6
Sep 17, 2024 20:25:53.520442009 CEST	443	49726	20.7.2.167	192.168.2.6
Sep 17, 2024 20:25:53.520504951 CEST	49726	443	192.168.2.6	20.7.2.167
Sep 17, 2024 20:25:53.520730972 CEST	49726	443	192.168.2.6	20.7.2.167
Sep 17, 2024 20:25:53.520749092 CEST	443	49726	20.7.2.167	192.168.2.6
Sep 17, 2024 20:25:53.613842964 CEST	443	49725	184.28.90.27	192.168.2.6
Sep 17, 2024 20:25:53.614020109 CEST	443	49725	184.28.90.27	192.168.2.6
Sep 17, 2024 20:25:53.614073038 CEST	49725	443	192.168.2.6	184.28.90.27
Sep 17, 2024 20:25:53.636866093 CEST	49725	443	192.168.2.6	184.28.90.27
Sep 17, 2024 20:25:53.636881113 CEST	443	49725	184.28.90.27	192.168.2.6
Sep 17, 2024 20:25:53.636888981 CEST	49725	443	192.168.2.6	184.28.90.27
Sep 17, 2024 20:25:53.636894941 CEST	443	49725	184.28.90.27	192.168.2.6
Sep 17, 2024 20:25:55.451163054 CEST	49730	443	192.168.2.6	13.85.23.86
Sep 17, 2024 20:25:55.451189041 CEST	443	49730	13.85.23.86	192.168.2.6
Sep 17, 2024 20:25:55.451277018 CEST	49730	443	192.168.2.6	13.85.23.86
Sep 17, 2024 20:25:55.453118086 CEST	49730	443	192.168.2.6	13.85.23.86
Sep 17, 2024 20:25:55.453138113 CEST	443	49730	13.85.23.86	192.168.2.6
Sep 17, 2024 20:25:56.516072035 CEST	443	49730	13.85.23.86	192.168.2.6
Sep 17, 2024 20:25:56.516144037 CEST	49730	443	192.168.2.6	13.85.23.86
Sep 17, 2024 20:25:56.519974947 CEST	49730	443	192.168.2.6	13.85.23.86
Sep 17, 2024 20:25:56.519980907 CEST	443	49730	13.85.23.86	192.168.2.6
Sep 17, 2024 20:25:56.520330906 CEST	443	49730	13.85.23.86	192.168.2.6
Sep 17, 2024 20:25:56.567656994 CEST	49730	443	192.168.2.6	13.85.23.86
Sep 17, 2024 20:25:56.606416941 CEST	49730	443	192.168.2.6	13.85.23.86
Sep 17, 2024 20:25:56.651391029 CEST	443	49730	13.85.23.86	192.168.2.6
Sep 17, 2024 20:25:56.840010881 CEST	443	49730	13.85.23.86	192.168.2.6
Sep 17, 2024 20:25:56.840042114 CEST	443	49730	13.85.23.86	192.168.2.6
Sep 17, 2024 20:25:56.840054035 CEST	443	49730	13.85.23.86	192.168.2.6
Sep 17, 2024 20:25:56.840063095 CEST	443	49730	13.85.23.86	192.168.2.6
Sep 17, 2024 20:25:56.840127945 CEST	49730	443	192.168.2.6	13.85.23.86
Sep 17, 2024 20:25:56.840147018 CEST	443	49730	13.85.23.86	192.168.2.6
Sep 17, 2024 20:25:56.840156078 CEST	443	49730	13.85.23.86	192.168.2.6
Sep 17, 2024 20:25:56.840213060 CEST	49730	443	192.168.2.6	13.85.23.86
Sep 17, 2024 20:25:56.840465069 CEST	443	49730	13.85.23.86	192.168.2.6
Sep 17, 2024 20:25:56.840547085 CEST	49730	443	192.168.2.6	13.85.23.86
Sep 17, 2024 20:25:56.840553045 CEST	443	49730	13.85.23.86	192.168.2.6
Sep 17, 2024 20:25:56.840682030 CEST	443	49730	13.85.23.86	192.168.2.6
Sep 17, 2024 20:25:56.840732098 CEST	49730	443	192.168.2.6	13.85.23.86
Sep 17, 2024 20:25:56.855082035 CEST	49730	443	192.168.2.6	13.85.23.86
Sep 17, 2024 20:25:56.855108023 CEST	443	49730	13.85.23.86	192.168.2.6
Sep 17, 2024 20:25:56.855130911 CEST	49730	443	192.168.2.6	13.85.23.86
Sep 17, 2024 20:25:56.855138063 CEST	443	49730	13.85.23.86	192.168.2.6
Sep 17, 2024 20:26:00.683119059 CEST	443	49722	142.250.185.228	192.168.2.6
Sep 17, 2024 20:26:00.683207035 CEST	443	49722	142.250.185.228	192.168.2.6
Sep 17, 2024 20:26:00.683337927 CEST	49722	443	192.168.2.6	142.250.185.228
Sep 17, 2024 20:26:02.023379087 CEST	49722	443	192.168.2.6	142.250.185.228
Sep 17, 2024 20:26:02.023410082 CEST	443	49722	142.250.185.228	192.168.2.6
Sep 17, 2024 20:26:05.553184986 CEST	49737	443	192.168.2.6	20.7.2.167
Sep 17, 2024 20:26:05.553232908 CEST	443	49737	20.7.2.167	192.168.2.6
Sep 17, 2024 20:26:05.553293943 CEST	49737	443	192.168.2.6	20.7.2.167
Sep 17, 2024 20:26:05.554681063 CEST	49737	443	192.168.2.6	20.7.2.167
Sep 17, 2024 20:26:05.554701090 CEST	443	49737	20.7.2.167	192.168.2.6
Sep 17, 2024 20:26:06.169198990 CEST	443	49737	20.7.2.167	192.168.2.6
Sep 17, 2024 20:26:06.169307947 CEST	49737	443	192.168.2.6	20.7.2.167
Sep 17, 2024 20:26:06.182076931 CEST	49737	443	192.168.2.6	20.7.2.167
Sep 17, 2024 20:26:06.182096958 CEST	443	49737	20.7.2.167	192.168.2.6
Sep 17, 2024 20:26:06.182416916 CEST	443	49737	20.7.2.167	192.168.2.6
Sep 17, 2024 20:26:06.186639071 CEST	49737	443	192.168.2.6	20.7.2.167
Sep 17, 2024 20:26:06.186995983 CEST	49737	443	192.168.2.6	20.7.2.167
Sep 17, 2024 20:26:06.187001944 CEST	443	49737	20.7.2.167	192.168.2.6
Sep 17, 2024 20:26:06.187263966 CEST	49737	443	192.168.2.6	20.7.2.167
Sep 17, 2024 20:26:06.227399111 CEST	443	49737	20.7.2.167	192.168.2.6
Sep 17, 2024 20:26:06.349410057 CEST	443	49737	20.7.2.167	192.168.2.6
Sep 17, 2024 20:26:06.349615097 CEST	443	49737	20.7.2.167	192.168.2.6
Sep 17, 2024 20:26:06.349674940 CEST	49737	443	192.168.2.6	20.7.2.167
Sep 17, 2024 20:26:06.349880934 CEST	49737	443	192.168.2.6	20.7.2.167
Sep 17, 2024 20:26:06.349900007 CEST	443	49737	20.7.2.167	192.168.2.6
Sep 17, 2024 20:26:25.937079906 CEST	49738	443	192.168.2.6	20.7.2.167
Sep 17, 2024 20:26:25.937141895 CEST	443	49738	20.7.2.167	192.168.2.6
Sep 17, 2024 20:26:25.937635899 CEST	49738	443	192.168.2.6	20.7.2.167
Sep 17, 2024 20:26:25.938555956 CEST	49738	443	192.168.2.6	20.7.2.167
Sep 17, 2024 20:26:25.938570976 CEST	443	49738	20.7.2.167	192.168.2.6
Sep 17, 2024 20:26:26.520703077 CEST	443	49738	20.7.2.167	192.168.2.6
Sep 17, 2024 20:26:26.520812988 CEST	49738	443	192.168.2.6	20.7.2.167
Sep 17, 2024 20:26:26.523627996 CEST	49738	443	192.168.2.6	20.7.2.167
Sep 17, 2024 20:26:26.523642063 CEST	443	49738	20.7.2.167	192.168.2.6
Sep 17, 2024 20:26:26.523893118 CEST	443	49738	20.7.2.167	192.168.2.6
Sep 17, 2024 20:26:26.526220083 CEST	49738	443	192.168.2.6	20.7.2.167
Sep 17, 2024 20:26:26.526278973 CEST	49738	443	192.168.2.6	20.7.2.167
Sep 17, 2024 20:26:26.526284933 CEST	443	49738	20.7.2.167	192.168.2.6
Sep 17, 2024 20:26:26.526463032 CEST	49738	443	192.168.2.6	20.7.2.167
Sep 17, 2024 20:26:26.571412086 CEST	443	49738	20.7.2.167	192.168.2.6
Sep 17, 2024 20:26:26.631962061 CEST	443	49738	20.7.2.167	192.168.2.6
Sep 17, 2024 20:26:26.632169962 CEST	443	49738	20.7.2.167	192.168.2.6
Sep 17, 2024 20:26:26.632263899 CEST	49738	443	192.168.2.6	20.7.2.167
Sep 17, 2024 20:26:26.655985117 CEST	49738	443	192.168.2.6	20.7.2.167
Sep 17, 2024 20:26:26.656019926 CEST	443	49738	20.7.2.167	192.168.2.6
Sep 17, 2024 20:26:33.213332891 CEST	49739	443	192.168.2.6	40.127.169.103
Sep 17, 2024 20:26:33.213380098 CEST	443	49739	40.127.169.103	192.168.2.6
Sep 17, 2024 20:26:33.213457108 CEST	49739	443	192.168.2.6	40.127.169.103
Sep 17, 2024 20:26:33.213973045 CEST	49739	443	192.168.2.6	40.127.169.103
Sep 17, 2024 20:26:33.213985920 CEST	443	49739	40.127.169.103	192.168.2.6
Sep 17, 2024 20:26:33.974044085 CEST	443	49739	40.127.169.103	192.168.2.6
Sep 17, 2024 20:26:33.974126101 CEST	49739	443	192.168.2.6	40.127.169.103
Sep 17, 2024 20:26:33.978193045 CEST	49739	443	192.168.2.6	40.127.169.103
Sep 17, 2024 20:26:33.978203058 CEST	443	49739	40.127.169.103	192.168.2.6
Sep 17, 2024 20:26:33.978463888 CEST	443	49739	40.127.169.103	192.168.2.6
Sep 17, 2024 20:26:33.996021032 CEST	49739	443	192.168.2.6	40.127.169.103
Sep 17, 2024 20:26:34.039412022 CEST	443	49739	40.127.169.103	192.168.2.6
Sep 17, 2024 20:26:34.612027884 CEST	443	49739	40.127.169.103	192.168.2.6
Sep 17, 2024 20:26:34.612080097 CEST	443	49739	40.127.169.103	192.168.2.6
Sep 17, 2024 20:26:34.612119913 CEST	443	49739	40.127.169.103	192.168.2.6
Sep 17, 2024 20:26:34.612145901 CEST	49739	443	192.168.2.6	40.127.169.103
Sep 17, 2024 20:26:34.612165928 CEST	443	49739	40.127.169.103	192.168.2.6
Sep 17, 2024 20:26:34.612190008 CEST	49739	443	192.168.2.6	40.127.169.103
Sep 17, 2024 20:26:34.612221003 CEST	49739	443	192.168.2.6	40.127.169.103
Sep 17, 2024 20:26:34.612277985 CEST	443	49739	40.127.169.103	192.168.2.6
Sep 17, 2024 20:26:34.612364054 CEST	443	49739	40.127.169.103	192.168.2.6
Sep 17, 2024 20:26:34.612390041 CEST	49739	443	192.168.2.6	40.127.169.103
Sep 17, 2024 20:26:34.612395048 CEST	443	49739	40.127.169.103	192.168.2.6
Sep 17, 2024 20:26:34.612412930 CEST	49739	443	192.168.2.6	40.127.169.103
Sep 17, 2024 20:26:34.612524033 CEST	443	49739	40.127.169.103	192.168.2.6
Sep 17, 2024 20:26:34.612586975 CEST	49739	443	192.168.2.6	40.127.169.103
Sep 17, 2024 20:26:34.628705978 CEST	49739	443	192.168.2.6	40.127.169.103
Sep 17, 2024 20:26:34.628722906 CEST	443	49739	40.127.169.103	192.168.2.6
Sep 17, 2024 20:26:34.628734112 CEST	49739	443	192.168.2.6	40.127.169.103
Sep 17, 2024 20:26:34.628739119 CEST	443	49739	40.127.169.103	192.168.2.6
Sep 17, 2024 20:26:47.639024019 CEST	51974	53	192.168.2.6	1.1.1.1
Sep 17, 2024 20:26:47.643817902 CEST	53	51974	1.1.1.1	192.168.2.6
Sep 17, 2024 20:26:47.643893957 CEST	51974	53	192.168.2.6	1.1.1.1
Sep 17, 2024 20:26:47.643938065 CEST	51974	53	192.168.2.6	1.1.1.1
Sep 17, 2024 20:26:47.648689032 CEST	53	51974	1.1.1.1	192.168.2.6
Sep 17, 2024 20:26:48.097446918 CEST	53	51974	1.1.1.1	192.168.2.6
Sep 17, 2024 20:26:48.098215103 CEST	51974	53	192.168.2.6	1.1.1.1
Sep 17, 2024 20:26:48.103400946 CEST	53	51974	1.1.1.1	192.168.2.6
Sep 17, 2024 20:26:48.103454113 CEST	51974	53	192.168.2.6	1.1.1.1
Sep 17, 2024 20:26:50.086127043 CEST	51976	443	192.168.2.6	142.250.185.228
Sep 17, 2024 20:26:50.086194038 CEST	443	51976	142.250.185.228	192.168.2.6
Sep 17, 2024 20:26:50.086266994 CEST	51976	443	192.168.2.6	142.250.185.228
Sep 17, 2024 20:26:50.087357044 CEST	51976	443	192.168.2.6	142.250.185.228
Sep 17, 2024 20:26:50.087380886 CEST	443	51976	142.250.185.228	192.168.2.6
Sep 17, 2024 20:26:50.759896040 CEST	443	51976	142.250.185.228	192.168.2.6
Sep 17, 2024 20:26:50.760265112 CEST	51976	443	192.168.2.6	142.250.185.228
Sep 17, 2024 20:26:50.760298967 CEST	443	51976	142.250.185.228	192.168.2.6
Sep 17, 2024 20:26:50.761369944 CEST	443	51976	142.250.185.228	192.168.2.6
Sep 17, 2024 20:26:50.761991978 CEST	51976	443	192.168.2.6	142.250.185.228
Sep 17, 2024 20:26:50.762079954 CEST	443	51976	142.250.185.228	192.168.2.6
Sep 17, 2024 20:26:50.802588940 CEST	51976	443	192.168.2.6	142.250.185.228
Sep 17, 2024 20:26:54.126816988 CEST	51977	443	192.168.2.6	20.7.2.167
Sep 17, 2024 20:26:54.126863003 CEST	443	51977	20.7.2.167	192.168.2.6
Sep 17, 2024 20:26:54.126988888 CEST	51977	443	192.168.2.6	20.7.2.167
Sep 17, 2024 20:26:54.127737999 CEST	51977	443	192.168.2.6	20.7.2.167
Sep 17, 2024 20:26:54.127753019 CEST	443	51977	20.7.2.167	192.168.2.6
Sep 17, 2024 20:26:54.793164968 CEST	443	51977	20.7.2.167	192.168.2.6
Sep 17, 2024 20:26:54.793287992 CEST	51977	443	192.168.2.6	20.7.2.167
Sep 17, 2024 20:26:54.796318054 CEST	51977	443	192.168.2.6	20.7.2.167
Sep 17, 2024 20:26:54.796329975 CEST	443	51977	20.7.2.167	192.168.2.6
Sep 17, 2024 20:26:54.796535969 CEST	443	51977	20.7.2.167	192.168.2.6
Sep 17, 2024 20:26:54.799139977 CEST	51977	443	192.168.2.6	20.7.2.167
Sep 17, 2024 20:26:54.799209118 CEST	51977	443	192.168.2.6	20.7.2.167
Sep 17, 2024 20:26:54.799216032 CEST	443	51977	20.7.2.167	192.168.2.6
Sep 17, 2024 20:26:54.799494028 CEST	51977	443	192.168.2.6	20.7.2.167
Sep 17, 2024 20:26:54.847402096 CEST	443	51977	20.7.2.167	192.168.2.6
Sep 17, 2024 20:26:54.905020952 CEST	443	51977	20.7.2.167	192.168.2.6
Sep 17, 2024 20:26:54.905967951 CEST	443	51977	20.7.2.167	192.168.2.6
Sep 17, 2024 20:26:54.906048059 CEST	51977	443	192.168.2.6	20.7.2.167
Sep 17, 2024 20:26:54.906631947 CEST	51977	443	192.168.2.6	20.7.2.167
Sep 17, 2024 20:26:54.906650066 CEST	443	51977	20.7.2.167	192.168.2.6
Sep 17, 2024 20:26:54.906660080 CEST	51977	443	192.168.2.6	20.7.2.167
Sep 17, 2024 20:27:00.656692982 CEST	443	51976	142.250.185.228	192.168.2.6
Sep 17, 2024 20:27:00.656773090 CEST	443	51976	142.250.185.228	192.168.2.6
Sep 17, 2024 20:27:00.656826973 CEST	51976	443	192.168.2.6	142.250.185.228
Sep 17, 2024 20:27:02.025027990 CEST	51976	443	192.168.2.6	142.250.185.228
Sep 17, 2024 20:27:02.025069952 CEST	443	51976	142.250.185.228	192.168.2.6
Sep 17, 2024 20:27:16.631014109 CEST	49703	80	192.168.2.6	199.232.214.172
Sep 17, 2024 20:27:16.943363905 CEST	49703	80	192.168.2.6	199.232.214.172
Sep 17, 2024 20:27:17.489130974 CEST	80	49703	199.232.214.172	192.168.2.6
Sep 17, 2024 20:27:17.491643906 CEST	80	49703	199.232.214.172	192.168.2.6
Sep 17, 2024 20:27:17.491750956 CEST	49703	80	192.168.2.6	199.232.214.172
Sep 17, 2024 20:27:28.498991013 CEST	51980	443	192.168.2.6	20.7.2.167
Sep 17, 2024 20:27:28.499033928 CEST	443	51980	20.7.2.167	192.168.2.6
Sep 17, 2024 20:27:28.499110937 CEST	51980	443	192.168.2.6	20.7.2.167
Sep 17, 2024 20:27:28.499679089 CEST	51980	443	192.168.2.6	20.7.2.167
Sep 17, 2024 20:27:28.499691963 CEST	443	51980	20.7.2.167	192.168.2.6
Sep 17, 2024 20:27:29.112567902 CEST	443	51980	20.7.2.167	192.168.2.6
Sep 17, 2024 20:27:29.112632990 CEST	51980	443	192.168.2.6	20.7.2.167
Sep 17, 2024 20:27:29.115696907 CEST	51980	443	192.168.2.6	20.7.2.167
Sep 17, 2024 20:27:29.115706921 CEST	443	51980	20.7.2.167	192.168.2.6
Sep 17, 2024 20:27:29.115909100 CEST	443	51980	20.7.2.167	192.168.2.6
Sep 17, 2024 20:27:29.121973991 CEST	51980	443	192.168.2.6	20.7.2.167
Sep 17, 2024 20:27:29.122114897 CEST	51980	443	192.168.2.6	20.7.2.167
Sep 17, 2024 20:27:29.122119904 CEST	443	51980	20.7.2.167	192.168.2.6
Sep 17, 2024 20:27:29.122308969 CEST	51980	443	192.168.2.6	20.7.2.167
Sep 17, 2024 20:27:29.163441896 CEST	443	51980	20.7.2.167	192.168.2.6
Sep 17, 2024 20:27:29.237617970 CEST	443	51980	20.7.2.167	192.168.2.6
Sep 17, 2024 20:27:29.237848043 CEST	443	51980	20.7.2.167	192.168.2.6
Sep 17, 2024 20:27:29.237935066 CEST	51980	443	192.168.2.6	20.7.2.167
Sep 17, 2024 20:27:29.248342037 CEST	51980	443	192.168.2.6	20.7.2.167
Sep 17, 2024 20:27:29.248358965 CEST	443	51980	20.7.2.167	192.168.2.6
Sep 17, 2024 20:28:23.313199997 CEST	51985	443	192.168.2.6	40.113.103.199
Sep 17, 2024 20:28:23.313258886 CEST	443	51985	40.113.103.199	192.168.2.6
Sep 17, 2024 20:28:23.313344002 CEST	51985	443	192.168.2.6	40.113.103.199
Sep 17, 2024 20:28:23.314174891 CEST	51985	443	192.168.2.6	40.113.103.199
Sep 17, 2024 20:28:23.314188004 CEST	443	51985	40.113.103.199	192.168.2.6
Sep 17, 2024 20:28:24.885279894 CEST	443	51985	40.113.103.199	192.168.2.6
Sep 17, 2024 20:28:24.885370970 CEST	51985	443	192.168.2.6	40.113.103.199
Sep 17, 2024 20:28:24.890723944 CEST	51985	443	192.168.2.6	40.113.103.199
Sep 17, 2024 20:28:24.890741110 CEST	443	51985	40.113.103.199	192.168.2.6
Sep 17, 2024 20:28:24.891084909 CEST	443	51985	40.113.103.199	192.168.2.6
Sep 17, 2024 20:28:24.896435022 CEST	51985	443	192.168.2.6	40.113.103.199
Sep 17, 2024 20:28:24.896684885 CEST	51985	443	192.168.2.6	40.113.103.199
Sep 17, 2024 20:28:24.896698952 CEST	443	51985	40.113.103.199	192.168.2.6
Sep 17, 2024 20:28:24.896878004 CEST	51985	443	192.168.2.6	40.113.103.199
Sep 17, 2024 20:28:24.939429998 CEST	443	51985	40.113.103.199	192.168.2.6
Sep 17, 2024 20:28:25.091156960 CEST	443	51985	40.113.103.199	192.168.2.6
Sep 17, 2024 20:28:25.091351986 CEST	443	51985	40.113.103.199	192.168.2.6
Sep 17, 2024 20:28:25.091454029 CEST	51985	443	192.168.2.6	40.113.103.199
Sep 17, 2024 20:28:25.091957092 CEST	51985	443	192.168.2.6	40.113.103.199
Sep 17, 2024 20:28:25.092005968 CEST	443	51985	40.113.103.199	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 17, 2024 20:25:45.682307959 CEST	53	60893	1.1.1.1	192.168.2.6
Sep 17, 2024 20:25:45.743061066 CEST	53	57952	1.1.1.1	192.168.2.6
Sep 17, 2024 20:25:45.862036943 CEST	60308	53	192.168.2.6	1.1.1.1
Sep 17, 2024 20:25:45.862186909 CEST	50334	53	192.168.2.6	1.1.1.1
Sep 17, 2024 20:25:45.870279074 CEST	53	60308	1.1.1.1	192.168.2.6
Sep 17, 2024 20:25:45.873637915 CEST	53	50334	1.1.1.1	192.168.2.6
Sep 17, 2024 20:25:46.953346014 CEST	53	62968	1.1.1.1	192.168.2.6
Sep 17, 2024 20:25:50.046876907 CEST	58227	53	192.168.2.6	1.1.1.1
Sep 17, 2024 20:25:50.047110081 CEST	52591	53	192.168.2.6	1.1.1.1
Sep 17, 2024 20:25:50.052923918 CEST	53	52803	1.1.1.1	192.168.2.6
Sep 17, 2024 20:25:50.053931952 CEST	53	58227	1.1.1.1	192.168.2.6
Sep 17, 2024 20:25:50.054493904 CEST	53	52591	1.1.1.1	192.168.2.6
Sep 17, 2024 20:26:04.024183035 CEST	53	57197	1.1.1.1	192.168.2.6
Sep 17, 2024 20:26:23.226488113 CEST	53	51578	1.1.1.1	192.168.2.6
Sep 17, 2024 20:26:45.586270094 CEST	53	53709	1.1.1.1	192.168.2.6
Sep 17, 2024 20:26:45.586297989 CEST	53	60322	1.1.1.1	192.168.2.6
Sep 17, 2024 20:26:47.638242006 CEST	53	52866	1.1.1.1	192.168.2.6
Sep 17, 2024 20:27:16.420397043 CEST	53	56115	1.1.1.1	192.168.2.6
Sep 17, 2024 20:27:52.185655117 CEST	53	58729	1.1.1.1	192.168.2.6
Sep 17, 2024 20:28:03.537210941 CEST	53	52443	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 17, 2024 20:25:45.862036943 CEST	192.168.2.6	1.1.1.1	0x5e59	Standard query (0)	medconsol.com	A (IP address)	IN (0x0001)	false
Sep 17, 2024 20:25:45.862186909 CEST	192.168.2.6	1.1.1.1	0xbe49	Standard query (0)	medconsol.com	65	IN (0x0001)	false
Sep 17, 2024 20:25:50.046876907 CEST	192.168.2.6	1.1.1.1	0x3864	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Sep 17, 2024 20:25:50.047110081 CEST	192.168.2.6	1.1.1.1	0xca8f	Standard query (0)	www.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Sep 17, 2024 20:25:45.870279074 CEST	1.1.1.1	192.168.2.6	0x5e59	No error (0)	medconsol.com	95.217.116.67	A (IP address)	IN (0x0001)	false
Sep 17, 2024 20:25:50.053931952 CEST	1.1.1.1	192.168.2.6	0x3864	No error (0)	www.google.com	142.250.185.228	A (IP address)	IN (0x0001)	false
Sep 17, 2024 20:25:50.054493904 CEST	1.1.1.1	192.168.2.6	0xca8f	No error (0)	www.google.com		65	IN (0x0001)	false

HTTP Request Dependency Graph

medconsol.com

https:

fs.microsoft.com

slscr.update.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.2.6	49711	20.7.2.167	443

Timestamp	Bytes transferred	Direction	Data
2024-09-17 18:25:45 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 6f 4d 79 6d 38 4f 30 4d 31 30 4f 52 65 7a 4f 37 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 35 36 61 64 63 31 33 35 33 64 61 65 31 66 64 62 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: oMym8O0M10ORezO7.1Context: 56adc1353dae1fdb
2024-09-17 18:25:45 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-09-17 18:25:45 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 6f 4d 79 6d 38 4f 30 4d 31 30 4f 52 65 7a 4f 37 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 35 36 61 64 63 31 33 35 33 64 61 65 31 66 64 62 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 64 42 31 56 50 33 53 41 32 67 57 65 64 2f 48 78 64 47 6a 39 7a 33 56 7a 5a 56 45 4b 55 71 77 76 46 47 50 2f 49 46 31 43 30 46 2b 61 75 63 5a 64 38 43 34 42 62 5a 33 51 55 5a 58 70 78 39 7a 52 74 35 2f 59 6a 69 50 4e 31 64 74 64 31 41 47 44 39 55 32 33 75 6c 30 68 4b 79 53 33 77 73 71 36 51 56 74 39 77 35 6e 72 30 53 5a 37 68 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: oMym8O0M10ORezO7.2Context: 56adc1353dae1fdb<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAdB1VP3SA2gWed/HxdGj9z3VzZVEKUqwvFGP/IF1C0F+aucZd8C4BbZ3QUZXpx9zRt5/YjiPN1dtd1AGD9U23ul0hKyS3wsq6QVt9w5nr0SZ7h
2024-09-17 18:25:45 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 6f 4d 79 6d 38 4f 30 4d 31 30 4f 52 65 7a 4f 37 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 35 36 61 64 63 31 33 35 33 64 61 65 31 66 64 62 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: oMym8O0M10ORezO7.3Context: 56adc1353dae1fdb<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2024-09-17 18:25:45 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-09-17 18:25:45 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 49 70 57 41 46 2f 62 71 55 55 53 6a 6f 4e 73 31 4a 68 6d 39 6e 41 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: IpWAF/bqUUSjoNs1Jhm9nA.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49716	95.217.116.67	443	5052	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-17 18:25:46 UTC	717	OUT	GET /o/?c3Y9bzM2NV8xX25vbSZyYW5kPVUyZGlha0k9JnVpZD1VU0VSMTcwOTIwMjRVMjEwOTE3NDg= HTTP/1.1 Host: medconsol.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: navigate Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-09-17 18:25:47 UTC	320	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 17 Sep 2024 18:25:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff X-Nginx-Upstream-Cache-Status: UPDATING X-Server-Powered-By: Engintron
2024-09-17 18:25:47 UTC	11	IN	Data Raw: 31 0d 0a 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 10

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49715	95.217.116.67	443	5052	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-17 18:25:47 UTC	657	OUT	GET /favicon.ico HTTP/1.1 Host: medconsol.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://medconsol.com/o/?c3Y9bzM2NV8xX25vbSZyYW5kPVUyZGlha0k9JnVpZD1VU0VSMTcwOTIwMjRVMjEwOTE3NDg= Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-09-17 18:25:52 UTC	233	IN	HTTP/1.1 508 Loop Detected Server: nginx Date: Tue, 17 Sep 2024 18:25:52 GMT Content-Type: text/html Content-Length: 288 Connection: close Retry-After: 14400 X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff
2024-09-17 18:25:52 UTC	288	IN	Data Raw: 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 20 35 30 38 20 52 65 73 6f 75 72 63 65 20 4c 69 6d 69 74 20 49 73 20 52 65 61 63 68 65 64 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 52 65 73 6f 75 72 63 65 20 4c 69 6d 69 74 20 49 73 20 52 65 61 63 68 65 64 3c 2f 48 31 3e 0a 54 68 65 20 77 65 62 73 69 74 65 20 69 73 20 74 65 6d 70 6f 72 61 72 69 6c 79 20 75 6e 61 62 6c 65 20 74 6f 20 73 65 72 76 69 63 65 20 79 6f 75 72 20 72 65 71 75 65 73 74 20 61 73 20 69 74 20 65 78 63 65 65 64 65 64 20 72 65 73 6f 75 72 63 65 20 6c 69 6d 69 74 2e 0a 50 6c 65 61 73 65 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE> 508 Resource Limit Is Reached</TITLE></HEAD><BODY><H1>Resource Limit Is Reached</H1>The website is temporarily unable to service your request as it exceeded resource limit.Please

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49724	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-09-17 18:25:51 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-09-17 18:25:52 UTC	466	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF70) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=80389 Date: Tue, 17 Sep 2024 18:25:51 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49725	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-09-17 18:25:53 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-09-17 18:25:53 UTC	514	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=80325 Date: Tue, 17 Sep 2024 18:25:53 GMT Content-Length: 55 Connection: close X-CID: 2
2024-09-17 18:25:53 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port
5	192.168.2.6	49726	20.7.2.167	443

Timestamp	Bytes transferred	Direction	Data
2024-09-17 18:25:53 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 6a 53 6e 57 34 69 51 73 47 45 47 37 59 66 48 75 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 35 38 64 31 33 37 66 33 63 36 65 65 34 64 32 37 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: jSnW4iQsGEG7YfHu.1Context: 58d137f3c6ee4d27
2024-09-17 18:25:53 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-09-17 18:25:53 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 6a 53 6e 57 34 69 51 73 47 45 47 37 59 66 48 75 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 35 38 64 31 33 37 66 33 63 36 65 65 34 64 32 37 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 64 42 31 56 50 33 53 41 32 67 57 65 64 2f 48 78 64 47 6a 39 7a 33 56 7a 5a 56 45 4b 55 71 77 76 46 47 50 2f 49 46 31 43 30 46 2b 61 75 63 5a 64 38 43 34 42 62 5a 33 51 55 5a 58 70 78 39 7a 52 74 35 2f 59 6a 69 50 4e 31 64 74 64 31 41 47 44 39 55 32 33 75 6c 30 68 4b 79 53 33 77 73 71 36 51 56 74 39 77 35 6e 72 30 53 5a 37 68 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: jSnW4iQsGEG7YfHu.2Context: 58d137f3c6ee4d27<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAdB1VP3SA2gWed/HxdGj9z3VzZVEKUqwvFGP/IF1C0F+aucZd8C4BbZ3QUZXpx9zRt5/YjiPN1dtd1AGD9U23ul0hKyS3wsq6QVt9w5nr0SZ7h
2024-09-17 18:25:53 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 6a 53 6e 57 34 69 51 73 47 45 47 37 59 66 48 75 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 35 38 64 31 33 37 66 33 63 36 65 65 34 64 32 37 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: jSnW4iQsGEG7YfHu.3Context: 58d137f3c6ee4d27<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2024-09-17 18:25:53 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-09-17 18:25:53 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 69 53 59 51 44 38 71 66 69 45 71 72 6f 67 61 6e 4a 43 74 34 58 67 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: iSYQD8qfiEqroganJCt4Xg.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49730	13.85.23.86	443

Timestamp	Bytes transferred	Direction	Data
2024-09-17 18:25:56 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=gK+YWdsELcLhrVY&MD=7StHGpxG HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-09-17 18:25:56 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: 0440ac11-cb46-409d-b131-cb6fcc846f87 MS-RequestId: 4f57b533-5390-41c1-8b6d-4751219d88a1 MS-CV: fMkeYFaMckGJCtN0.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Tue, 17 Sep 2024 18:25:55 GMT Connection: close Content-Length: 24490
2024-09-17 18:25:56 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-09-17 18:25:56 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port
7	192.168.2.6	49737	20.7.2.167	443

Timestamp	Bytes transferred	Direction	Data
2024-09-17 18:26:06 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 37 77 75 37 55 39 36 58 69 45 6d 65 65 74 43 49 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 31 36 30 64 38 64 35 37 61 62 64 37 65 30 34 65 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: 7wu7U96XiEmeetCI.1Context: 160d8d57abd7e04e
2024-09-17 18:26:06 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-09-17 18:26:06 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 37 77 75 37 55 39 36 58 69 45 6d 65 65 74 43 49 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 31 36 30 64 38 64 35 37 61 62 64 37 65 30 34 65 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 64 42 31 56 50 33 53 41 32 67 57 65 64 2f 48 78 64 47 6a 39 7a 33 56 7a 5a 56 45 4b 55 71 77 76 46 47 50 2f 49 46 31 43 30 46 2b 61 75 63 5a 64 38 43 34 42 62 5a 33 51 55 5a 58 70 78 39 7a 52 74 35 2f 59 6a 69 50 4e 31 64 74 64 31 41 47 44 39 55 32 33 75 6c 30 68 4b 79 53 33 77 73 71 36 51 56 74 39 77 35 6e 72 30 53 5a 37 68 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: 7wu7U96XiEmeetCI.2Context: 160d8d57abd7e04e<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAdB1VP3SA2gWed/HxdGj9z3VzZVEKUqwvFGP/IF1C0F+aucZd8C4BbZ3QUZXpx9zRt5/YjiPN1dtd1AGD9U23ul0hKyS3wsq6QVt9w5nr0SZ7h
2024-09-17 18:26:06 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 37 77 75 37 55 39 36 58 69 45 6d 65 65 74 43 49 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 31 36 30 64 38 64 35 37 61 62 64 37 65 30 34 65 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: 7wu7U96XiEmeetCI.3Context: 160d8d57abd7e04e<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2024-09-17 18:26:06 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-09-17 18:26:06 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 77 2f 6b 64 44 2b 62 7a 57 6b 43 59 41 5a 75 77 67 49 6c 45 38 67 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: w/kdD+bzWkCYAZuwgIlE8g.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
8	192.168.2.6	49738	20.7.2.167	443

Timestamp	Bytes transferred	Direction	Data
2024-09-17 18:26:26 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 71 4e 65 4e 41 66 33 4e 4e 45 79 37 76 43 78 54 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 33 62 35 64 61 63 62 64 35 39 33 38 39 61 66 65 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: qNeNAf3NNEy7vCxT.1Context: 3b5dacbd59389afe
2024-09-17 18:26:26 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-09-17 18:26:26 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 71 4e 65 4e 41 66 33 4e 4e 45 79 37 76 43 78 54 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 33 62 35 64 61 63 62 64 35 39 33 38 39 61 66 65 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 64 42 31 56 50 33 53 41 32 67 57 65 64 2f 48 78 64 47 6a 39 7a 33 56 7a 5a 56 45 4b 55 71 77 76 46 47 50 2f 49 46 31 43 30 46 2b 61 75 63 5a 64 38 43 34 42 62 5a 33 51 55 5a 58 70 78 39 7a 52 74 35 2f 59 6a 69 50 4e 31 64 74 64 31 41 47 44 39 55 32 33 75 6c 30 68 4b 79 53 33 77 73 71 36 51 56 74 39 77 35 6e 72 30 53 5a 37 68 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: qNeNAf3NNEy7vCxT.2Context: 3b5dacbd59389afe<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAdB1VP3SA2gWed/HxdGj9z3VzZVEKUqwvFGP/IF1C0F+aucZd8C4BbZ3QUZXpx9zRt5/YjiPN1dtd1AGD9U23ul0hKyS3wsq6QVt9w5nr0SZ7h
2024-09-17 18:26:26 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 71 4e 65 4e 41 66 33 4e 4e 45 79 37 76 43 78 54 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 33 62 35 64 61 63 62 64 35 39 33 38 39 61 66 65 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: qNeNAf3NNEy7vCxT.3Context: 3b5dacbd59389afe<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2024-09-17 18:26:26 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-09-17 18:26:26 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 62 76 41 4a 37 6c 71 2b 32 30 57 6b 67 63 30 38 71 4e 39 64 74 77 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: bvAJ7lq+20Wkgc08qN9dtw.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49739	40.127.169.103	443

Timestamp	Bytes transferred	Direction	Data
2024-09-17 18:26:33 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=gK+YWdsELcLhrVY&MD=7StHGpxG HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-09-17 18:26:34 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440" MS-CorrelationId: 30c33c1e-501a-4788-a2da-15790537b5f0 MS-RequestId: a91ce083-28f1-4910-b722-0c1ab9fbd87c MS-CV: lbMHueGKMEemW8A4.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Tue, 17 Sep 2024 18:26:33 GMT Connection: close Content-Length: 30005
2024-09-17 18:26:34 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK\|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
2024-09-17 18:26:34 UTC	14181	IN	Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro

Session ID	Source IP	Source Port	Destination IP	Destination Port
10	192.168.2.6	51977	20.7.2.167	443

Timestamp	Bytes transferred	Direction	Data
2024-09-17 18:26:54 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 4b 4d 4b 5a 48 52 39 63 64 45 75 48 6e 4f 4b 6a 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 33 35 31 62 38 64 34 36 65 33 63 30 33 36 62 33 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: KMKZHR9cdEuHnOKj.1Context: 351b8d46e3c036b3
2024-09-17 18:26:54 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-09-17 18:26:54 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 4b 4d 4b 5a 48 52 39 63 64 45 75 48 6e 4f 4b 6a 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 33 35 31 62 38 64 34 36 65 33 63 30 33 36 62 33 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 64 42 31 56 50 33 53 41 32 67 57 65 64 2f 48 78 64 47 6a 39 7a 33 56 7a 5a 56 45 4b 55 71 77 76 46 47 50 2f 49 46 31 43 30 46 2b 61 75 63 5a 64 38 43 34 42 62 5a 33 51 55 5a 58 70 78 39 7a 52 74 35 2f 59 6a 69 50 4e 31 64 74 64 31 41 47 44 39 55 32 33 75 6c 30 68 4b 79 53 33 77 73 71 36 51 56 74 39 77 35 6e 72 30 53 5a 37 68 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: KMKZHR9cdEuHnOKj.2Context: 351b8d46e3c036b3<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAdB1VP3SA2gWed/HxdGj9z3VzZVEKUqwvFGP/IF1C0F+aucZd8C4BbZ3QUZXpx9zRt5/YjiPN1dtd1AGD9U23ul0hKyS3wsq6QVt9w5nr0SZ7h
2024-09-17 18:26:54 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 4b 4d 4b 5a 48 52 39 63 64 45 75 48 6e 4f 4b 6a 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 33 35 31 62 38 64 34 36 65 33 63 30 33 36 62 33 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: KMKZHR9cdEuHnOKj.3Context: 351b8d46e3c036b3<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2024-09-17 18:26:54 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-09-17 18:26:54 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 65 78 30 6d 5a 32 46 63 53 6b 61 72 62 50 65 36 2f 35 68 38 50 41 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: ex0mZ2FcSkarbPe6/5h8PA.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
11	192.168.2.6	51980	20.7.2.167	443

Timestamp	Bytes transferred	Direction	Data
2024-09-17 18:27:29 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 38 50 4a 70 73 66 78 59 57 30 2b 73 68 43 53 4d 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 37 61 39 65 65 35 34 61 61 65 61 62 65 32 32 33 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: 8PJpsfxYW0+shCSM.1Context: 7a9ee54aaeabe223
2024-09-17 18:27:29 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-09-17 18:27:29 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 38 50 4a 70 73 66 78 59 57 30 2b 73 68 43 53 4d 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 37 61 39 65 65 35 34 61 61 65 61 62 65 32 32 33 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 64 42 31 56 50 33 53 41 32 67 57 65 64 2f 48 78 64 47 6a 39 7a 33 56 7a 5a 56 45 4b 55 71 77 76 46 47 50 2f 49 46 31 43 30 46 2b 61 75 63 5a 64 38 43 34 42 62 5a 33 51 55 5a 58 70 78 39 7a 52 74 35 2f 59 6a 69 50 4e 31 64 74 64 31 41 47 44 39 55 32 33 75 6c 30 68 4b 79 53 33 77 73 71 36 51 56 74 39 77 35 6e 72 30 53 5a 37 68 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: 8PJpsfxYW0+shCSM.2Context: 7a9ee54aaeabe223<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAdB1VP3SA2gWed/HxdGj9z3VzZVEKUqwvFGP/IF1C0F+aucZd8C4BbZ3QUZXpx9zRt5/YjiPN1dtd1AGD9U23ul0hKyS3wsq6QVt9w5nr0SZ7h
2024-09-17 18:27:29 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 38 50 4a 70 73 66 78 59 57 30 2b 73 68 43 53 4d 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 37 61 39 65 65 35 34 61 61 65 61 62 65 32 32 33 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: 8PJpsfxYW0+shCSM.3Context: 7a9ee54aaeabe223<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2024-09-17 18:27:29 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-09-17 18:27:29 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 6e 46 44 57 70 6b 36 45 35 30 57 51 66 64 4a 61 6c 69 31 6a 45 77 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: nFDWpk6E50WQfdJali1jEw.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
12	192.168.2.6	51985	40.113.103.199	443

Timestamp	Bytes transferred	Direction	Data
2024-09-17 18:28:24 UTC	70	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 34 0d 0a 4d 53 2d 43 56 3a 20 49 4a 55 65 5a 34 31 49 62 6b 75 6f 6f 31 71 4d 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 65 33 36 30 65 61 66 62 30 65 34 66 66 30 32 0d 0a 0d 0a Data Ascii: CNT 1 CON 304MS-CV: IJUeZ41Ibkuoo1qM.1Context: e360eafb0e4ff02
2024-09-17 18:28:24 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-09-17 18:28:24 UTC	1083	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 30 0d 0a 4d 53 2d 43 56 3a 20 49 4a 55 65 5a 34 31 49 62 6b 75 6f 6f 31 71 4d 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 65 33 36 30 65 61 66 62 30 65 34 66 66 30 32 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 64 42 31 56 50 33 53 41 32 67 57 65 64 2f 48 78 64 47 6a 39 7a 33 56 7a 5a 56 45 4b 55 71 77 76 46 47 50 2f 49 46 31 43 30 46 2b 61 75 63 5a 64 38 43 34 42 62 5a 33 51 55 5a 58 70 78 39 7a 52 74 35 2f 59 6a 69 50 4e 31 64 74 64 31 41 47 44 39 55 32 33 75 6c 30 68 4b 79 53 33 77 73 71 36 51 56 74 39 77 35 6e 72 30 53 5a 37 68 31 Data Ascii: ATH 2 CON\DEVICE 1060MS-CV: IJUeZ41Ibkuoo1qM.2Context: e360eafb0e4ff02<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAdB1VP3SA2gWed/HxdGj9z3VzZVEKUqwvFGP/IF1C0F+aucZd8C4BbZ3QUZXpx9zRt5/YjiPN1dtd1AGD9U23ul0hKyS3wsq6QVt9w5nr0SZ7h1
2024-09-17 18:28:24 UTC	217	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 36 0d 0a 4d 53 2d 43 56 3a 20 49 4a 55 65 5a 34 31 49 62 6b 75 6f 6f 31 71 4d 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 65 33 36 30 65 61 66 62 30 65 34 66 66 30 32 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 196MS-CV: IJUeZ41Ibkuoo1qM.3Context: e360eafb0e4ff02<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2024-09-17 18:28:25 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-09-17 18:28:25 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 46 78 78 2b 79 37 30 66 65 6b 75 34 2b 37 50 4f 52 7a 57 5a 41 51 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: Fxx+y70feku4+7PORzWZAQ.0Payload parsing failed.

Statistics

CPU Usage

• chrome.exe
• chrome.exe

Click to jump to process

Memory Usage

• chrome.exe
• chrome.exe

Click to jump to process

Click to jump to process

System Behavior

Analysis Process: chrome.exePID: 1436, Parent PID: 5812

Function Logs

General

Target ID:	0
Start time:	14:25:40
Start date:	17/09/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "C:\Users\user\Desktop\ACH Payment Details_(Dcorbett)CQDM.html"
Imagebase:	0x7ff684c40000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

File Activities

File Opened

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Activities

Process Created

Process Terminated

Show Windows behavior

Thread Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Token Activities

Token Adjusted

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 5052, Parent PID: 1436

Function Logs

General

Target ID:	2
Start time:	14:25:44
Start date:	17/09/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2576 --field-trial-handle=1924,i,2439778999610996347,7255612292561947748,262144 /prefetch:8
Imagebase:	0x7ff684c40000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

File Activities

File Opened

Show Windows behavior

Thread Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ACH Payment Details_(Dcorbett)CQDM.html

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1286968575\Filtering Rules

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1286968575\LICENSE.txt

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1286968575\_metadata\verified_contents.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1286968575\manifest.fingerprint

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1286968575\manifest.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1531919242\LICENSE

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1531919242\_metadata\verified_contents.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1531919242\manifest.fingerprint

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1531919242\manifest.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1531919242\sets.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1708242531\LICENSE

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1708242531\_metadata\verified_contents.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1708242531\_platform_specific\win_x64\widevinecdm.dll

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1708242531\_platform_specific\win_x64\widevinecdm.dll.sig

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1708242531\manifest.fingerprint

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1708242531\manifest.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1949145774\_metadata\verified_contents.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1949145774\cr_en-us_500000_index.bin

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1949145774\manifest.fingerprint

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_1949145774\manifest.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_289466839\_metadata\verified_contents.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_289466839\manifest.fingerprint

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_289466839\manifest.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_289466839\optimization-hints.pb

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_596117624\Google.Widevine.CDM.dll

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1436_596117624\_metadata\verified_contents.json

Windows Analysis Report
ACH Payment Details_(Dcorbett)CQDM.html