Edit tour

Windows Analysis Report
https://hnamedmr.ukremediatlon.co.uk/LVGwXwqP

Overview

General Information

Sample URL:	https://hnamedmr.ukremediatlon.co.uk/LVGwXwqP
Analysis ID:	1540235
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Stores files to the Windows start menu directory

Classification

Process Tree

System is w10x64_ra

chrome.exe (PID: 6312 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6780 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 --field-trial-handle=1980,i,17698815162870580677,5405176908812632601,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 5636 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://hnamedmr.ukremediatlon.co.uk/LVGwXwqP" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: https://hnamedmr.ukremediatlon.co.uk/LVGwXwqP

SlashNext: detection malicious, Label: Credential Stealing type: Phishing & Social Engineering

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.149.20.212:443 -> 192.168.2.16:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.149.20.212:443 -> 192.168.2.16:49710 version: TLS 1.2

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108

Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlqHLAQj2mM0BCIWgzQEI3L3NAQiSys0BCLnKzQEIx9HNAQiJ080BCNzTzQEIy9bNAQj01s0BCIrXzQEIp9jNAQj5wNQVGLrSzQEYy9jNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=YMvCC49WFUdmgcM&MD=nXKYRM3s HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=YMvCC49WFUdmgcM&MD=nXKYRM3s HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Source: global traffic	DNS traffic detected: DNS query: hnamedmr.ukremediatlon.co.uk
Source: global traffic	DNS traffic detected: DNS query: google.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.149.20.212:443 -> 192.168.2.16:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.149.20.212:443 -> 192.168.2.16:49710 version: TLS 1.2

Source: classification engine

Classification label: mal48.win@24/8@40/3

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Jump to behavior

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 --field-trial-handle=1980,i,17698815162870580677,5405176908812632601,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://hnamedmr.ukremediatlon.co.uk/LVGwXwqP"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 --field-trial-handle=1980,i,17698815162870580677,5405176908812632601,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Google Drive.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	1 Process Injection	1 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
https://hnamedmr.ukremediatlon.co.uk/LVGwXwqP	100%	SlashNext	Credential Stealing type: Phishing & Social Engineering

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
google.com	216.58.206.78	true	false	unknown
www.google.com	142.250.185.196	true	false	unknown
hnamedmr.ukremediatlon.co.uk	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
239.255.255.250	unknown	Reserved		unknown	unknown	false
142.250.185.196	www.google.com	United States		15169	GOOGLEUS	false

Private

IP
192.168.2.16

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1540235
Start date and time:	2024-10-23 15:34:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Sample URL:	https://hnamedmr.ukremediatlon.co.uk/LVGwXwqP
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal48.win@24/8@40/3
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.185.99, 142.250.185.174, 142.251.168.84, 34.104.35.123, 2.16.100.168, 142.250.184.238
Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, clients2.google.com, accounts.google.com, edgedl.me.gvt1.com, slscr.update.microsoft.com, update.googleapis.com, ctldl.windowsupdate.com, clientservices.googleapis.com, clients.l.google.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: https://hnamedmr.ukremediatlon.co.uk/LVGwXwqP

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 23 12:34:37 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2673
Entropy (8bit):	3.9738780907613704
Encrypted:	false
SSDEEP:	48:88dWcT2ABMHSidAKZdA1FehwiZUklqehgy+3:8KHd/y
MD5:	84032560D393C3848661B12FA466D86E
SHA1:	5F269FD5529AE17CD3A36BF4C2682B98C25B87FB
SHA-256:	D98B080DA29F50C99B7223E7F28DCD1AF3462A89D494B13A394008A53C189A58
SHA-512:	6D13E89C3DE6F6923FF98BF6AD77C0EC905F24D203072BE5343604315D9A9C3154945BBE3B56F8550D16302D18ED60D377965DD90A1EED6930156E283E95AB09
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......MP%..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IWYJl....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VWYRl....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VWYRl....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VWYRl..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VWYSl...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........gBP`.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 23 12:34:36 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2675
Entropy (8bit):	3.9884771881665717
Encrypted:	false
SSDEEP:	48:8qdWcT2ABMHSidAKZdA1seh/iZUkAQkqehvy+2:84HT9QWy
MD5:	13855A827BFAE9E57C4C5747E116D0A9
SHA1:	0B9155ED715C0AEBE4F1253DD1E5EDC23C036B30
SHA-256:	3FB2F24D0B0386C313A665D140A4CCD4DC27201931E508603AEEA4388B46BA23
SHA-512:	83838860585412492A2B67A9DD081E0095D59D35E3DF112D302E548C1F1D0B7396E23B2293B5F6ACB5C33B71DC05DA593531DA62A430B5E54DAC612BCE53AE02
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....B].MP%..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IWYJl....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VWYRl....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VWYRl....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VWYRl..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VWYSl...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........gBP`.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:05:01 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2689
Entropy (8bit):	3.9983626011406463
Encrypted:	false
SSDEEP:	48:82dWcT2ABAHSidAKZdA14meh7sFiZUkmgqeh7sly+BX:8UHjnLy
MD5:	19E01075D42545B2447E7BCCCAEA5783
SHA1:	A646326406B6696B1994437616BB0C7D70AA4B37
SHA-256:	691092A2565C6A531E4B24C7C1C1B35EBEC7FDD1553C7EC8440B50BFFB9F55E2
SHA-512:	45513E523A2CB70D03DB0FB0174C661FD60C361178CFB53E1994F20793647D6E4BD33D19CE7ABCEE899977A44D6B5F83C6096BEB8C4292D32C1CD98CBB816F34
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.....Y.04...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IWYJl....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VWYRl....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VWYRl....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VWYRl..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VFW.E...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........gBP`.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 23 12:34:36 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.9847314410779817
Encrypted:	false
SSDEEP:	48:8PdWcT2ABMHSidAKZdA1TehDiZUkwqehTy+R:8PHgNy
MD5:	0D969F005DC354FCBAA43B176BF288C8
SHA1:	A79C5DA150CD6131689DF536632B96D843B82894
SHA-256:	ADEB956A08E1D55CD780772B62D69E200FC92F2F8CA0AFCD9DF2607D9DDC9A8F
SHA-512:	9ED0991EE54424F4BB759D9D1ACE31AABFE22992E82A745525C3FD6A5A891CDF430ADE033D12F7E6F44F7DC3304DC48A9835F837F821DA448E1AC9E37DC758D0
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....S..MP%..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IWYJl....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VWYRl....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VWYRl....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VWYRl..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VWYSl...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........gBP`.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 23 12:34:37 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.972114248450763
Encrypted:	false
SSDEEP:	48:8rdWcT2ABMHSidAKZdA1dehBiZUk1W1qehBy+C:8bHg9hy
MD5:	E70B6A1CECC4A022FBB55D16CACDE99E
SHA1:	D2345BE4C7F5C374BB6EEEB3DEE42F2DA2E50F75
SHA-256:	3683B01D82F13716217DE527A2276F0F07B94AEF86DBB313D7653B0DC21DDB64
SHA-512:	3E51434505CA0F09029FE796EC36127D330D68BC66B3F12D0A8E597B370F9A91FA5BDA81ED9D37E3803EE8125AB90BFCB7644C23C416E9ED5FE19D1527F3EBDC
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.....).MP%..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IWYJl....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VWYRl....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VWYRl....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VWYRl..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VWYSl...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........gBP`.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 23 12:34:36 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	3.982192522366319
Encrypted:	false
SSDEEP:	48:86dWcT2ABMHSidAKZdA1duTeehOuTbbiZUk5OjqehOuTbLy+yT+:8oHyTfTbxWOvTbLy7T
MD5:	11B5B4292F5570965E095A7DD40CF345
SHA1:	9AABBE848E710A7F9E93CA9EF7641060D3EE5E5A
SHA-256:	A67B6FEC134EDB21BB0356F0EBBD442701F7AA6C2F4855202352E352D83AB7EF
SHA-512:	F07925D5A20BD9B787681402CB7B9E8FDACACC3AD6ACFE2117A2D4FF5589F3F8FEE3C55805666317FB8EC0FAF15D060295BD05D2CC1729E8B124954D49B680B9
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.......MP%..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IWYJl....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VWYRl....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VWYRl....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VWYRl..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VWYSl...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........gBP`.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Chrome Cache Entry: 56

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (768)
Category:	downloaded
Size (bytes):	773
Entropy (8bit):	5.141042093532727
Encrypted:	false
SSDEEP:	24:uBKjdpRBHslgT9lCuABuoB7HHHHHHHYqmffffffo:uBKjdpRKlgZ01BuSEqmffffffo
MD5:	54F80094A832453631DF5DE4E8A41BFB
SHA1:	8726BD0F503198157FCB584387FCEE6F318D882C
SHA-256:	C29204721A2B4C679B3C6B9113A622ABBE96168CF7C7FFE8503CE2F634B24336
SHA-512:	AD1734506AB44B4FBF61D872C828B7A5AF6FE540DF5CF33F42D068015608759513550332FB21FA57B799815314B259518FBF6AFA2323C5238D4C3B2F77A38F4C
Malicious:	false
Reputation:	low
URL:	https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw
Preview:	)]}'.["",["wicked coffee drinks","marvel blade movie","nba power rankings","hurricane season florida","ps5 system software update","philadelphia portal art installation","rufus du sol presale codes","911 outage connecticut"],["","","","","","","",""],[],{"google:clientdata":{"bpc":false,"tlw":false},"google:groupsinfo":"ChgIkk4SEwoRVHJlbmRpbmcgc2VhcmNoZXM\u003d","google:suggestdetail":[{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002}],"google:suggestrelevance":[1257,1256,1255,1254,1253,1252,1251,1250],"google:suggestsubtypes":[[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362]],"google:suggesttype":["QUERY","QUERY","QUERY","QUERY","QUERY","QUERY","QUERY","QUERY"]}]

Static File Info

⊘No static file info

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 23, 2024 15:34:40.262737989 CEST	49673	443	192.168.2.16	204.79.197.203
Oct 23, 2024 15:34:40.566159964 CEST	49673	443	192.168.2.16	204.79.197.203
Oct 23, 2024 15:34:40.763989925 CEST	49701	443	192.168.2.16	142.250.185.196
Oct 23, 2024 15:34:40.764024973 CEST	443	49701	142.250.185.196	192.168.2.16
Oct 23, 2024 15:34:40.764102936 CEST	49701	443	192.168.2.16	142.250.185.196
Oct 23, 2024 15:34:40.764348984 CEST	49701	443	192.168.2.16	142.250.185.196
Oct 23, 2024 15:34:40.764365911 CEST	443	49701	142.250.185.196	192.168.2.16
Oct 23, 2024 15:34:41.170177937 CEST	49673	443	192.168.2.16	204.79.197.203
Oct 23, 2024 15:34:41.626486063 CEST	443	49701	142.250.185.196	192.168.2.16
Oct 23, 2024 15:34:41.626800060 CEST	49701	443	192.168.2.16	142.250.185.196
Oct 23, 2024 15:34:41.626827002 CEST	443	49701	142.250.185.196	192.168.2.16
Oct 23, 2024 15:34:41.628511906 CEST	443	49701	142.250.185.196	192.168.2.16
Oct 23, 2024 15:34:41.628612995 CEST	49701	443	192.168.2.16	142.250.185.196
Oct 23, 2024 15:34:41.629692078 CEST	49701	443	192.168.2.16	142.250.185.196
Oct 23, 2024 15:34:41.629796982 CEST	443	49701	142.250.185.196	192.168.2.16
Oct 23, 2024 15:34:41.681231022 CEST	49701	443	192.168.2.16	142.250.185.196
Oct 23, 2024 15:34:41.681267023 CEST	443	49701	142.250.185.196	192.168.2.16
Oct 23, 2024 15:34:41.728231907 CEST	49701	443	192.168.2.16	142.250.185.196
Oct 23, 2024 15:34:42.377245903 CEST	49673	443	192.168.2.16	204.79.197.203
Oct 23, 2024 15:34:43.366564035 CEST	49689	80	192.168.2.16	192.229.211.108
Oct 23, 2024 15:34:44.791156054 CEST	49673	443	192.168.2.16	204.79.197.203
Oct 23, 2024 15:34:45.766979933 CEST	49701	443	192.168.2.16	142.250.185.196
Oct 23, 2024 15:34:45.807343006 CEST	443	49701	142.250.185.196	192.168.2.16
Oct 23, 2024 15:34:46.037692070 CEST	443	49701	142.250.185.196	192.168.2.16
Oct 23, 2024 15:34:46.083172083 CEST	49701	443	192.168.2.16	142.250.185.196
Oct 23, 2024 15:34:46.083198071 CEST	443	49701	142.250.185.196	192.168.2.16
Oct 23, 2024 15:34:46.084203959 CEST	49701	443	192.168.2.16	142.250.185.196
Oct 23, 2024 15:34:46.084305048 CEST	443	49701	142.250.185.196	192.168.2.16
Oct 23, 2024 15:34:46.084368944 CEST	49701	443	192.168.2.16	142.250.185.196
Oct 23, 2024 15:34:46.546021938 CEST	49707	443	192.168.2.16	184.28.90.27
Oct 23, 2024 15:34:46.546083927 CEST	443	49707	184.28.90.27	192.168.2.16
Oct 23, 2024 15:34:46.546180010 CEST	49707	443	192.168.2.16	184.28.90.27
Oct 23, 2024 15:34:46.547847033 CEST	49707	443	192.168.2.16	184.28.90.27
Oct 23, 2024 15:34:46.547861099 CEST	443	49707	184.28.90.27	192.168.2.16
Oct 23, 2024 15:34:47.407882929 CEST	443	49707	184.28.90.27	192.168.2.16
Oct 23, 2024 15:34:47.407972097 CEST	49707	443	192.168.2.16	184.28.90.27
Oct 23, 2024 15:34:47.412260056 CEST	49707	443	192.168.2.16	184.28.90.27
Oct 23, 2024 15:34:47.412281990 CEST	443	49707	184.28.90.27	192.168.2.16
Oct 23, 2024 15:34:47.412702084 CEST	443	49707	184.28.90.27	192.168.2.16
Oct 23, 2024 15:34:47.449758053 CEST	49707	443	192.168.2.16	184.28.90.27
Oct 23, 2024 15:34:47.491343021 CEST	443	49707	184.28.90.27	192.168.2.16
Oct 23, 2024 15:34:47.696706057 CEST	443	49707	184.28.90.27	192.168.2.16
Oct 23, 2024 15:34:47.696791887 CEST	443	49707	184.28.90.27	192.168.2.16
Oct 23, 2024 15:34:47.696867943 CEST	49707	443	192.168.2.16	184.28.90.27
Oct 23, 2024 15:34:47.696938992 CEST	49707	443	192.168.2.16	184.28.90.27
Oct 23, 2024 15:34:47.696962118 CEST	443	49707	184.28.90.27	192.168.2.16
Oct 23, 2024 15:34:47.697067022 CEST	49707	443	192.168.2.16	184.28.90.27
Oct 23, 2024 15:34:47.697074890 CEST	443	49707	184.28.90.27	192.168.2.16
Oct 23, 2024 15:34:47.728596926 CEST	49708	443	192.168.2.16	184.28.90.27
Oct 23, 2024 15:34:47.728661060 CEST	443	49708	184.28.90.27	192.168.2.16
Oct 23, 2024 15:34:47.728748083 CEST	49708	443	192.168.2.16	184.28.90.27
Oct 23, 2024 15:34:47.728993893 CEST	49708	443	192.168.2.16	184.28.90.27
Oct 23, 2024 15:34:47.729008913 CEST	443	49708	184.28.90.27	192.168.2.16
Oct 23, 2024 15:34:48.428498983 CEST	49678	443	192.168.2.16	20.189.173.10
Oct 23, 2024 15:34:48.460335016 CEST	49709	443	192.168.2.16	52.149.20.212
Oct 23, 2024 15:34:48.460381031 CEST	443	49709	52.149.20.212	192.168.2.16
Oct 23, 2024 15:34:48.460465908 CEST	49709	443	192.168.2.16	52.149.20.212
Oct 23, 2024 15:34:48.461452007 CEST	49709	443	192.168.2.16	52.149.20.212
Oct 23, 2024 15:34:48.461463928 CEST	443	49709	52.149.20.212	192.168.2.16
Oct 23, 2024 15:34:48.579869032 CEST	443	49708	184.28.90.27	192.168.2.16
Oct 23, 2024 15:34:48.579966068 CEST	49708	443	192.168.2.16	184.28.90.27
Oct 23, 2024 15:34:48.581072092 CEST	49708	443	192.168.2.16	184.28.90.27
Oct 23, 2024 15:34:48.581082106 CEST	443	49708	184.28.90.27	192.168.2.16
Oct 23, 2024 15:34:48.581336975 CEST	443	49708	184.28.90.27	192.168.2.16
Oct 23, 2024 15:34:48.582490921 CEST	49708	443	192.168.2.16	184.28.90.27
Oct 23, 2024 15:34:48.627334118 CEST	443	49708	184.28.90.27	192.168.2.16
Oct 23, 2024 15:34:48.731792927 CEST	49678	443	192.168.2.16	20.189.173.10
Oct 23, 2024 15:34:48.828763008 CEST	443	49708	184.28.90.27	192.168.2.16
Oct 23, 2024 15:34:48.828835964 CEST	443	49708	184.28.90.27	192.168.2.16
Oct 23, 2024 15:34:48.828891039 CEST	49708	443	192.168.2.16	184.28.90.27
Oct 23, 2024 15:34:48.829715014 CEST	49708	443	192.168.2.16	184.28.90.27
Oct 23, 2024 15:34:48.829735994 CEST	443	49708	184.28.90.27	192.168.2.16
Oct 23, 2024 15:34:48.829770088 CEST	49708	443	192.168.2.16	184.28.90.27
Oct 23, 2024 15:34:48.829775095 CEST	443	49708	184.28.90.27	192.168.2.16
Oct 23, 2024 15:34:49.337949991 CEST	49678	443	192.168.2.16	20.189.173.10
Oct 23, 2024 15:34:49.396763086 CEST	443	49709	52.149.20.212	192.168.2.16
Oct 23, 2024 15:34:49.396898985 CEST	49709	443	192.168.2.16	52.149.20.212
Oct 23, 2024 15:34:49.399483919 CEST	49709	443	192.168.2.16	52.149.20.212
Oct 23, 2024 15:34:49.399497986 CEST	443	49709	52.149.20.212	192.168.2.16
Oct 23, 2024 15:34:49.399831057 CEST	443	49709	52.149.20.212	192.168.2.16
Oct 23, 2024 15:34:49.447187901 CEST	49709	443	192.168.2.16	52.149.20.212
Oct 23, 2024 15:34:49.461472988 CEST	49709	443	192.168.2.16	52.149.20.212
Oct 23, 2024 15:34:49.503340960 CEST	443	49709	52.149.20.212	192.168.2.16
Oct 23, 2024 15:34:49.591177940 CEST	49673	443	192.168.2.16	204.79.197.203
Oct 23, 2024 15:34:49.761332035 CEST	443	49709	52.149.20.212	192.168.2.16
Oct 23, 2024 15:34:49.761363983 CEST	443	49709	52.149.20.212	192.168.2.16
Oct 23, 2024 15:34:49.761373043 CEST	443	49709	52.149.20.212	192.168.2.16
Oct 23, 2024 15:34:49.761571884 CEST	443	49709	52.149.20.212	192.168.2.16
Oct 23, 2024 15:34:49.761626005 CEST	49709	443	192.168.2.16	52.149.20.212
Oct 23, 2024 15:34:49.761636972 CEST	443	49709	52.149.20.212	192.168.2.16
Oct 23, 2024 15:34:49.761670113 CEST	443	49709	52.149.20.212	192.168.2.16
Oct 23, 2024 15:34:49.761692047 CEST	49709	443	192.168.2.16	52.149.20.212
Oct 23, 2024 15:34:49.761692047 CEST	49709	443	192.168.2.16	52.149.20.212
Oct 23, 2024 15:34:49.761714935 CEST	49709	443	192.168.2.16	52.149.20.212
Oct 23, 2024 15:34:49.762171984 CEST	443	49709	52.149.20.212	192.168.2.16
Oct 23, 2024 15:34:49.762243986 CEST	49709	443	192.168.2.16	52.149.20.212
Oct 23, 2024 15:34:49.762253046 CEST	443	49709	52.149.20.212	192.168.2.16
Oct 23, 2024 15:34:49.762271881 CEST	443	49709	52.149.20.212	192.168.2.16
Oct 23, 2024 15:34:49.762320042 CEST	49709	443	192.168.2.16	52.149.20.212
Oct 23, 2024 15:34:49.772763014 CEST	49709	443	192.168.2.16	52.149.20.212
Oct 23, 2024 15:34:49.772792101 CEST	443	49709	52.149.20.212	192.168.2.16
Oct 23, 2024 15:34:49.772805929 CEST	49709	443	192.168.2.16	52.149.20.212
Oct 23, 2024 15:34:49.772814035 CEST	443	49709	52.149.20.212	192.168.2.16
Oct 23, 2024 15:34:50.547180891 CEST	49678	443	192.168.2.16	20.189.173.10
Oct 23, 2024 15:34:52.898344040 CEST	49680	80	192.168.2.16	192.229.211.108
Oct 23, 2024 15:34:52.962172031 CEST	49678	443	192.168.2.16	20.189.173.10
Oct 23, 2024 15:34:53.202183008 CEST	49680	80	192.168.2.16	192.229.211.108
Oct 23, 2024 15:34:53.810189009 CEST	49680	80	192.168.2.16	192.229.211.108
Oct 23, 2024 15:34:55.025250912 CEST	49680	80	192.168.2.16	192.229.211.108
Oct 23, 2024 15:34:57.432255030 CEST	49680	80	192.168.2.16	192.229.211.108
Oct 23, 2024 15:34:57.767236948 CEST	49678	443	192.168.2.16	20.189.173.10
Oct 23, 2024 15:34:59.206183910 CEST	49673	443	192.168.2.16	204.79.197.203
Oct 23, 2024 15:35:02.239207983 CEST	49680	80	192.168.2.16	192.229.211.108
Oct 23, 2024 15:35:07.368252039 CEST	49678	443	192.168.2.16	20.189.173.10
Oct 23, 2024 15:35:11.842339993 CEST	49680	80	192.168.2.16	192.229.211.108
Oct 23, 2024 15:35:26.266515017 CEST	49710	443	192.168.2.16	52.149.20.212
Oct 23, 2024 15:35:26.266582966 CEST	443	49710	52.149.20.212	192.168.2.16
Oct 23, 2024 15:35:26.266676903 CEST	49710	443	192.168.2.16	52.149.20.212
Oct 23, 2024 15:35:26.267172098 CEST	49710	443	192.168.2.16	52.149.20.212
Oct 23, 2024 15:35:26.267190933 CEST	443	49710	52.149.20.212	192.168.2.16
Oct 23, 2024 15:35:27.174576998 CEST	443	49710	52.149.20.212	192.168.2.16
Oct 23, 2024 15:35:27.174659014 CEST	49710	443	192.168.2.16	52.149.20.212
Oct 23, 2024 15:35:27.175961018 CEST	49710	443	192.168.2.16	52.149.20.212
Oct 23, 2024 15:35:27.175970078 CEST	443	49710	52.149.20.212	192.168.2.16
Oct 23, 2024 15:35:27.176194906 CEST	443	49710	52.149.20.212	192.168.2.16
Oct 23, 2024 15:35:27.177566051 CEST	49710	443	192.168.2.16	52.149.20.212
Oct 23, 2024 15:35:27.219326019 CEST	443	49710	52.149.20.212	192.168.2.16
Oct 23, 2024 15:35:27.477996111 CEST	443	49710	52.149.20.212	192.168.2.16
Oct 23, 2024 15:35:27.478022099 CEST	443	49710	52.149.20.212	192.168.2.16
Oct 23, 2024 15:35:27.478037119 CEST	443	49710	52.149.20.212	192.168.2.16
Oct 23, 2024 15:35:27.478133917 CEST	49710	443	192.168.2.16	52.149.20.212
Oct 23, 2024 15:35:27.478156090 CEST	443	49710	52.149.20.212	192.168.2.16
Oct 23, 2024 15:35:27.478202105 CEST	49710	443	192.168.2.16	52.149.20.212
Oct 23, 2024 15:35:27.479808092 CEST	443	49710	52.149.20.212	192.168.2.16
Oct 23, 2024 15:35:27.479851007 CEST	443	49710	52.149.20.212	192.168.2.16
Oct 23, 2024 15:35:27.479868889 CEST	49710	443	192.168.2.16	52.149.20.212
Oct 23, 2024 15:35:27.479875088 CEST	443	49710	52.149.20.212	192.168.2.16
Oct 23, 2024 15:35:27.479912996 CEST	49710	443	192.168.2.16	52.149.20.212
Oct 23, 2024 15:35:27.480118036 CEST	443	49710	52.149.20.212	192.168.2.16
Oct 23, 2024 15:35:27.480156898 CEST	49710	443	192.168.2.16	52.149.20.212
Oct 23, 2024 15:35:27.481134892 CEST	49710	443	192.168.2.16	52.149.20.212
Oct 23, 2024 15:35:27.481153011 CEST	443	49710	52.149.20.212	192.168.2.16
Oct 23, 2024 15:35:27.481168032 CEST	49710	443	192.168.2.16	52.149.20.212
Oct 23, 2024 15:35:27.481174946 CEST	443	49710	52.149.20.212	192.168.2.16
Oct 23, 2024 15:35:40.820358992 CEST	49712	443	192.168.2.16	142.250.185.196
Oct 23, 2024 15:35:40.820419073 CEST	443	49712	142.250.185.196	192.168.2.16
Oct 23, 2024 15:35:40.820508003 CEST	49712	443	192.168.2.16	142.250.185.196
Oct 23, 2024 15:35:40.820732117 CEST	49712	443	192.168.2.16	142.250.185.196
Oct 23, 2024 15:35:40.820743084 CEST	443	49712	142.250.185.196	192.168.2.16
Oct 23, 2024 15:35:41.686849117 CEST	443	49712	142.250.185.196	192.168.2.16
Oct 23, 2024 15:35:41.687213898 CEST	49712	443	192.168.2.16	142.250.185.196
Oct 23, 2024 15:35:41.687247038 CEST	443	49712	142.250.185.196	192.168.2.16
Oct 23, 2024 15:35:41.688849926 CEST	443	49712	142.250.185.196	192.168.2.16
Oct 23, 2024 15:35:41.689009905 CEST	49712	443	192.168.2.16	142.250.185.196
Oct 23, 2024 15:35:41.689220905 CEST	49712	443	192.168.2.16	142.250.185.196
Oct 23, 2024 15:35:41.689294100 CEST	443	49712	142.250.185.196	192.168.2.16
Oct 23, 2024 15:35:41.730389118 CEST	49712	443	192.168.2.16	142.250.185.196
Oct 23, 2024 15:35:41.730422020 CEST	443	49712	142.250.185.196	192.168.2.16
Oct 23, 2024 15:35:41.778343916 CEST	49712	443	192.168.2.16	142.250.185.196
Oct 23, 2024 15:35:51.937887907 CEST	443	49712	142.250.185.196	192.168.2.16
Oct 23, 2024 15:35:51.937969923 CEST	443	49712	142.250.185.196	192.168.2.16
Oct 23, 2024 15:35:51.938045025 CEST	49712	443	192.168.2.16	142.250.185.196
Oct 23, 2024 15:35:52.194153070 CEST	49712	443	192.168.2.16	142.250.185.196
Oct 23, 2024 15:35:52.194195986 CEST	443	49712	142.250.185.196	192.168.2.16
Oct 23, 2024 15:36:40.885282993 CEST	49714	443	192.168.2.16	142.250.185.196
Oct 23, 2024 15:36:40.885332108 CEST	443	49714	142.250.185.196	192.168.2.16
Oct 23, 2024 15:36:40.885418892 CEST	49714	443	192.168.2.16	142.250.185.196
Oct 23, 2024 15:36:40.885658979 CEST	49714	443	192.168.2.16	142.250.185.196
Oct 23, 2024 15:36:40.885668993 CEST	443	49714	142.250.185.196	192.168.2.16
Oct 23, 2024 15:36:41.770134926 CEST	443	49714	142.250.185.196	192.168.2.16
Oct 23, 2024 15:36:41.825423002 CEST	49714	443	192.168.2.16	142.250.185.196

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 23, 2024 15:34:35.910243034 CEST	53	57434	1.1.1.1	192.168.2.16
Oct 23, 2024 15:34:35.985285044 CEST	53	59235	1.1.1.1	192.168.2.16
Oct 23, 2024 15:34:36.852956057 CEST	49609	53	192.168.2.16	1.1.1.1
Oct 23, 2024 15:34:36.852956057 CEST	64506	53	192.168.2.16	1.1.1.1
Oct 23, 2024 15:34:36.864411116 CEST	53	49609	1.1.1.1	192.168.2.16
Oct 23, 2024 15:34:36.864777088 CEST	55448	53	192.168.2.16	1.1.1.1
Oct 23, 2024 15:34:36.867429018 CEST	53	64506	1.1.1.1	192.168.2.16
Oct 23, 2024 15:34:36.867706060 CEST	49290	53	192.168.2.16	1.1.1.1
Oct 23, 2024 15:34:36.878151894 CEST	53	55448	1.1.1.1	192.168.2.16
Oct 23, 2024 15:34:36.878899097 CEST	64972	53	192.168.2.16	1.1.1.1
Oct 23, 2024 15:34:36.879734993 CEST	53	49290	1.1.1.1	192.168.2.16
Oct 23, 2024 15:34:36.890566111 CEST	53	64972	1.1.1.1	192.168.2.16
Oct 23, 2024 15:34:36.929270983 CEST	57111	53	192.168.2.16	8.8.8.8
Oct 23, 2024 15:34:36.929558039 CEST	53823	53	192.168.2.16	1.1.1.1
Oct 23, 2024 15:34:36.937541962 CEST	53	57111	8.8.8.8	192.168.2.16
Oct 23, 2024 15:34:36.938184023 CEST	53	53823	1.1.1.1	192.168.2.16
Oct 23, 2024 15:34:37.215333939 CEST	53	60684	1.1.1.1	192.168.2.16
Oct 23, 2024 15:34:37.943830013 CEST	55434	53	192.168.2.16	1.1.1.1
Oct 23, 2024 15:34:37.943907976 CEST	63661	53	192.168.2.16	1.1.1.1
Oct 23, 2024 15:34:37.954730988 CEST	53	55434	1.1.1.1	192.168.2.16
Oct 23, 2024 15:34:37.955163956 CEST	55053	53	192.168.2.16	1.1.1.1
Oct 23, 2024 15:34:37.955240011 CEST	53	63661	1.1.1.1	192.168.2.16
Oct 23, 2024 15:34:37.955501080 CEST	64517	53	192.168.2.16	1.1.1.1
Oct 23, 2024 15:34:37.966814995 CEST	53	55053	1.1.1.1	192.168.2.16
Oct 23, 2024 15:34:37.967539072 CEST	53	64517	1.1.1.1	192.168.2.16
Oct 23, 2024 15:34:40.753994942 CEST	59719	53	192.168.2.16	1.1.1.1
Oct 23, 2024 15:34:40.754242897 CEST	53855	53	192.168.2.16	1.1.1.1
Oct 23, 2024 15:34:40.763118029 CEST	53	59719	1.1.1.1	192.168.2.16
Oct 23, 2024 15:34:40.763160944 CEST	53	53855	1.1.1.1	192.168.2.16
Oct 23, 2024 15:34:41.408016920 CEST	51825	53	192.168.2.16	1.1.1.1
Oct 23, 2024 15:34:41.408135891 CEST	53351	53	192.168.2.16	1.1.1.1
Oct 23, 2024 15:34:41.420398951 CEST	53	51825	1.1.1.1	192.168.2.16
Oct 23, 2024 15:34:41.420489073 CEST	53	53351	1.1.1.1	192.168.2.16
Oct 23, 2024 15:34:41.420872927 CEST	61225	53	192.168.2.16	1.1.1.1
Oct 23, 2024 15:34:41.420917034 CEST	54097	53	192.168.2.16	1.1.1.1
Oct 23, 2024 15:34:41.432488918 CEST	53	61225	1.1.1.1	192.168.2.16
Oct 23, 2024 15:34:41.433159113 CEST	58564	53	192.168.2.16	1.1.1.1
Oct 23, 2024 15:34:41.434695959 CEST	53	54097	1.1.1.1	192.168.2.16
Oct 23, 2024 15:34:41.445365906 CEST	53	58564	1.1.1.1	192.168.2.16
Oct 23, 2024 15:34:42.423871994 CEST	51398	53	192.168.2.16	1.1.1.1
Oct 23, 2024 15:34:42.424010038 CEST	62198	53	192.168.2.16	1.1.1.1
Oct 23, 2024 15:34:42.434287071 CEST	53	51398	1.1.1.1	192.168.2.16
Oct 23, 2024 15:34:42.434632063 CEST	60423	53	192.168.2.16	1.1.1.1
Oct 23, 2024 15:34:42.435388088 CEST	53	62198	1.1.1.1	192.168.2.16
Oct 23, 2024 15:34:42.435628891 CEST	53772	53	192.168.2.16	1.1.1.1
Oct 23, 2024 15:34:42.445504904 CEST	53	60423	1.1.1.1	192.168.2.16
Oct 23, 2024 15:34:42.448766947 CEST	53	53772	1.1.1.1	192.168.2.16
Oct 23, 2024 15:34:42.453430891 CEST	50465	53	192.168.2.16	1.1.1.1
Oct 23, 2024 15:34:42.453835964 CEST	56545	53	192.168.2.16	8.8.8.8
Oct 23, 2024 15:34:42.460731983 CEST	53	50465	1.1.1.1	192.168.2.16
Oct 23, 2024 15:34:42.461363077 CEST	53	56545	8.8.8.8	192.168.2.16
Oct 23, 2024 15:34:47.462220907 CEST	56633	53	192.168.2.16	1.1.1.1
Oct 23, 2024 15:34:47.462378025 CEST	52179	53	192.168.2.16	1.1.1.1
Oct 23, 2024 15:34:47.473149061 CEST	53	52179	1.1.1.1	192.168.2.16
Oct 23, 2024 15:34:47.473165035 CEST	53	56633	1.1.1.1	192.168.2.16
Oct 23, 2024 15:34:47.473512888 CEST	58295	53	192.168.2.16	1.1.1.1
Oct 23, 2024 15:34:47.474602938 CEST	54838	53	192.168.2.16	1.1.1.1
Oct 23, 2024 15:34:47.481873035 CEST	53	54838	1.1.1.1	192.168.2.16
Oct 23, 2024 15:34:47.482506037 CEST	49555	53	192.168.2.16	1.1.1.1
Oct 23, 2024 15:34:47.484942913 CEST	53	58295	1.1.1.1	192.168.2.16
Oct 23, 2024 15:34:47.493577003 CEST	53	49555	1.1.1.1	192.168.2.16
Oct 23, 2024 15:34:54.202913046 CEST	53	57793	1.1.1.1	192.168.2.16
Oct 23, 2024 15:35:12.906110048 CEST	53	53570	1.1.1.1	192.168.2.16
Oct 23, 2024 15:35:17.515475988 CEST	64722	53	192.168.2.16	1.1.1.1
Oct 23, 2024 15:35:17.515680075 CEST	65327	53	192.168.2.16	1.1.1.1
Oct 23, 2024 15:35:17.528402090 CEST	53	64722	1.1.1.1	192.168.2.16
Oct 23, 2024 15:35:17.528614044 CEST	53	65327	1.1.1.1	192.168.2.16
Oct 23, 2024 15:35:17.528913975 CEST	61321	53	192.168.2.16	1.1.1.1
Oct 23, 2024 15:35:17.529145956 CEST	62489	53	192.168.2.16	1.1.1.1
Oct 23, 2024 15:35:17.541300058 CEST	53	62489	1.1.1.1	192.168.2.16
Oct 23, 2024 15:35:17.541601896 CEST	53	61321	1.1.1.1	192.168.2.16
Oct 23, 2024 15:35:17.542222023 CEST	51188	53	192.168.2.16	1.1.1.1
Oct 23, 2024 15:35:17.550313950 CEST	53	51188	1.1.1.1	192.168.2.16
Oct 23, 2024 15:35:35.489953041 CEST	53	57395	1.1.1.1	192.168.2.16
Oct 23, 2024 15:35:35.893460989 CEST	53	53906	1.1.1.1	192.168.2.16
Oct 23, 2024 15:35:44.600260973 CEST	138	138	192.168.2.16	192.168.2.255
Oct 23, 2024 15:35:49.146024942 CEST	60495	53	192.168.2.16	1.1.1.1
Oct 23, 2024 15:35:49.157705069 CEST	53	60495	1.1.1.1	192.168.2.16
Oct 23, 2024 15:36:04.578252077 CEST	53	53776	1.1.1.1	192.168.2.16
Oct 23, 2024 15:36:17.565535069 CEST	57341	53	192.168.2.16	1.1.1.1
Oct 23, 2024 15:36:17.565772057 CEST	52481	53	192.168.2.16	1.1.1.1
Oct 23, 2024 15:36:17.641803026 CEST	53	57341	1.1.1.1	192.168.2.16
Oct 23, 2024 15:36:17.642210960 CEST	53	52481	1.1.1.1	192.168.2.16
Oct 23, 2024 15:36:17.642380953 CEST	64163	53	192.168.2.16	1.1.1.1
Oct 23, 2024 15:36:17.642596960 CEST	63323	53	192.168.2.16	1.1.1.1
Oct 23, 2024 15:36:17.653541088 CEST	53	63323	1.1.1.1	192.168.2.16
Oct 23, 2024 15:36:17.654057026 CEST	53	64163	1.1.1.1	192.168.2.16
Oct 23, 2024 15:36:17.655002117 CEST	57187	53	192.168.2.16	1.1.1.1
Oct 23, 2024 15:36:17.665945053 CEST	53	57187	1.1.1.1	192.168.2.16

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Oct 23, 2024 15:34:36.880166054 CEST	192.168.2.16	1.1.1.1	c1fe	(Port unreachable)	Destination Unreachable
Oct 23, 2024 15:34:37.969846010 CEST	192.168.2.16	1.1.1.1	c1fe	(Port unreachable)	Destination Unreachable
Oct 23, 2024 15:34:41.434787035 CEST	192.168.2.16	1.1.1.1	c1fe	(Port unreachable)	Destination Unreachable
Oct 23, 2024 15:34:42.449474096 CEST	192.168.2.16	1.1.1.1	c1fe	(Port unreachable)	Destination Unreachable
Oct 23, 2024 15:34:47.485008955 CEST	192.168.2.16	1.1.1.1	c1fe	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 23, 2024 15:34:36.852956057 CEST	192.168.2.16	1.1.1.1	0x80e5	Standard query (0)	hnamedmr.ukremediatlon.co.uk	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:34:36.852956057 CEST	192.168.2.16	1.1.1.1	0x1d8d	Standard query (0)	hnamedmr.ukremediatlon.co.uk	65	IN (0x0001)	false
Oct 23, 2024 15:34:36.864777088 CEST	192.168.2.16	1.1.1.1	0x65a9	Standard query (0)	hnamedmr.ukremediatlon.co.uk	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:34:36.867706060 CEST	192.168.2.16	1.1.1.1	0xf788	Standard query (0)	hnamedmr.ukremediatlon.co.uk	65	IN (0x0001)	false
Oct 23, 2024 15:34:36.878899097 CEST	192.168.2.16	1.1.1.1	0xc06b	Standard query (0)	hnamedmr.ukremediatlon.co.uk	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:34:36.929270983 CEST	192.168.2.16	8.8.8.8	0x4752	Standard query (0)	google.com	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:34:36.929558039 CEST	192.168.2.16	1.1.1.1	0xf0e5	Standard query (0)	google.com	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:34:37.943830013 CEST	192.168.2.16	1.1.1.1	0xdfa	Standard query (0)	hnamedmr.ukremediatlon.co.uk	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:34:37.943907976 CEST	192.168.2.16	1.1.1.1	0xbbc	Standard query (0)	hnamedmr.ukremediatlon.co.uk	65	IN (0x0001)	false
Oct 23, 2024 15:34:37.955163956 CEST	192.168.2.16	1.1.1.1	0x33e7	Standard query (0)	hnamedmr.ukremediatlon.co.uk	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:34:37.955501080 CEST	192.168.2.16	1.1.1.1	0xb94d	Standard query (0)	hnamedmr.ukremediatlon.co.uk	65	IN (0x0001)	false
Oct 23, 2024 15:34:40.753994942 CEST	192.168.2.16	1.1.1.1	0x4257	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:34:40.754242897 CEST	192.168.2.16	1.1.1.1	0x368a	Standard query (0)	www.google.com	65	IN (0x0001)	false
Oct 23, 2024 15:34:41.408016920 CEST	192.168.2.16	1.1.1.1	0xe293	Standard query (0)	hnamedmr.ukremediatlon.co.uk	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:34:41.408135891 CEST	192.168.2.16	1.1.1.1	0x49df	Standard query (0)	hnamedmr.ukremediatlon.co.uk	65	IN (0x0001)	false
Oct 23, 2024 15:34:41.420872927 CEST	192.168.2.16	1.1.1.1	0x67a1	Standard query (0)	hnamedmr.ukremediatlon.co.uk	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:34:41.420917034 CEST	192.168.2.16	1.1.1.1	0x88bb	Standard query (0)	hnamedmr.ukremediatlon.co.uk	65	IN (0x0001)	false
Oct 23, 2024 15:34:41.433159113 CEST	192.168.2.16	1.1.1.1	0xf16b	Standard query (0)	hnamedmr.ukremediatlon.co.uk	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:34:42.423871994 CEST	192.168.2.16	1.1.1.1	0xbd82	Standard query (0)	hnamedmr.ukremediatlon.co.uk	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:34:42.424010038 CEST	192.168.2.16	1.1.1.1	0x9b70	Standard query (0)	hnamedmr.ukremediatlon.co.uk	65	IN (0x0001)	false
Oct 23, 2024 15:34:42.434632063 CEST	192.168.2.16	1.1.1.1	0x8261	Standard query (0)	hnamedmr.ukremediatlon.co.uk	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:34:42.435628891 CEST	192.168.2.16	1.1.1.1	0x45fa	Standard query (0)	hnamedmr.ukremediatlon.co.uk	65	IN (0x0001)	false
Oct 23, 2024 15:34:42.453430891 CEST	192.168.2.16	1.1.1.1	0x3ed2	Standard query (0)	google.com	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:34:42.453835964 CEST	192.168.2.16	8.8.8.8	0x6851	Standard query (0)	google.com	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:34:47.462220907 CEST	192.168.2.16	1.1.1.1	0x231d	Standard query (0)	hnamedmr.ukremediatlon.co.uk	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:34:47.462378025 CEST	192.168.2.16	1.1.1.1	0x47d6	Standard query (0)	hnamedmr.ukremediatlon.co.uk	65	IN (0x0001)	false
Oct 23, 2024 15:34:47.473512888 CEST	192.168.2.16	1.1.1.1	0x8c4d	Standard query (0)	hnamedmr.ukremediatlon.co.uk	65	IN (0x0001)	false
Oct 23, 2024 15:34:47.474602938 CEST	192.168.2.16	1.1.1.1	0xc57f	Standard query (0)	hnamedmr.ukremediatlon.co.uk	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:34:47.482506037 CEST	192.168.2.16	1.1.1.1	0xd7e6	Standard query (0)	hnamedmr.ukremediatlon.co.uk	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:35:17.515475988 CEST	192.168.2.16	1.1.1.1	0x654	Standard query (0)	hnamedmr.ukremediatlon.co.uk	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:35:17.515680075 CEST	192.168.2.16	1.1.1.1	0x877f	Standard query (0)	hnamedmr.ukremediatlon.co.uk	65	IN (0x0001)	false
Oct 23, 2024 15:35:17.528913975 CEST	192.168.2.16	1.1.1.1	0x3cae	Standard query (0)	hnamedmr.ukremediatlon.co.uk	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:35:17.529145956 CEST	192.168.2.16	1.1.1.1	0x90a	Standard query (0)	hnamedmr.ukremediatlon.co.uk	65	IN (0x0001)	false
Oct 23, 2024 15:35:17.542222023 CEST	192.168.2.16	1.1.1.1	0x735f	Standard query (0)	hnamedmr.ukremediatlon.co.uk	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:35:49.146024942 CEST	192.168.2.16	1.1.1.1	0xccf9	Standard query (0)	hnamedmr.ukremediatlon.co.uk	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:36:17.565535069 CEST	192.168.2.16	1.1.1.1	0xe294	Standard query (0)	hnamedmr.ukremediatlon.co.uk	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:36:17.565772057 CEST	192.168.2.16	1.1.1.1	0x877e	Standard query (0)	hnamedmr.ukremediatlon.co.uk	65	IN (0x0001)	false
Oct 23, 2024 15:36:17.642380953 CEST	192.168.2.16	1.1.1.1	0xe52	Standard query (0)	hnamedmr.ukremediatlon.co.uk	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:36:17.642596960 CEST	192.168.2.16	1.1.1.1	0x69c6	Standard query (0)	hnamedmr.ukremediatlon.co.uk	65	IN (0x0001)	false
Oct 23, 2024 15:36:17.655002117 CEST	192.168.2.16	1.1.1.1	0x58df	Standard query (0)	hnamedmr.ukremediatlon.co.uk	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 23, 2024 15:34:36.864411116 CEST	1.1.1.1	192.168.2.16	0x80e5	Server failure (2)	hnamedmr.ukremediatlon.co.uk	none	none	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:34:36.867429018 CEST	1.1.1.1	192.168.2.16	0x1d8d	Server failure (2)	hnamedmr.ukremediatlon.co.uk	none	none	65	IN (0x0001)	false
Oct 23, 2024 15:34:36.878151894 CEST	1.1.1.1	192.168.2.16	0x65a9	Server failure (2)	hnamedmr.ukremediatlon.co.uk	none	none	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:34:36.879734993 CEST	1.1.1.1	192.168.2.16	0xf788	Server failure (2)	hnamedmr.ukremediatlon.co.uk	none	none	65	IN (0x0001)	false
Oct 23, 2024 15:34:36.890566111 CEST	1.1.1.1	192.168.2.16	0xc06b	Server failure (2)	hnamedmr.ukremediatlon.co.uk	none	none	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:34:36.937541962 CEST	8.8.8.8	192.168.2.16	0x4752	No error (0)	google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:34:36.938184023 CEST	1.1.1.1	192.168.2.16	0xf0e5	No error (0)	google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:34:37.954730988 CEST	1.1.1.1	192.168.2.16	0xdfa	Server failure (2)	hnamedmr.ukremediatlon.co.uk	none	none	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:34:37.955240011 CEST	1.1.1.1	192.168.2.16	0xbbc	Server failure (2)	hnamedmr.ukremediatlon.co.uk	none	none	65	IN (0x0001)	false
Oct 23, 2024 15:34:37.966814995 CEST	1.1.1.1	192.168.2.16	0x33e7	Server failure (2)	hnamedmr.ukremediatlon.co.uk	none	none	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:34:37.967539072 CEST	1.1.1.1	192.168.2.16	0xb94d	Server failure (2)	hnamedmr.ukremediatlon.co.uk	none	none	65	IN (0x0001)	false
Oct 23, 2024 15:34:40.763118029 CEST	1.1.1.1	192.168.2.16	0x4257	No error (0)	www.google.com		142.250.185.196	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:34:40.763160944 CEST	1.1.1.1	192.168.2.16	0x368a	No error (0)	www.google.com			65	IN (0x0001)	false
Oct 23, 2024 15:34:41.420398951 CEST	1.1.1.1	192.168.2.16	0xe293	Server failure (2)	hnamedmr.ukremediatlon.co.uk	none	none	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:34:41.420489073 CEST	1.1.1.1	192.168.2.16	0x49df	Server failure (2)	hnamedmr.ukremediatlon.co.uk	none	none	65	IN (0x0001)	false
Oct 23, 2024 15:34:41.432488918 CEST	1.1.1.1	192.168.2.16	0x67a1	Server failure (2)	hnamedmr.ukremediatlon.co.uk	none	none	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:34:41.434695959 CEST	1.1.1.1	192.168.2.16	0x88bb	Server failure (2)	hnamedmr.ukremediatlon.co.uk	none	none	65	IN (0x0001)	false
Oct 23, 2024 15:34:41.445365906 CEST	1.1.1.1	192.168.2.16	0xf16b	Server failure (2)	hnamedmr.ukremediatlon.co.uk	none	none	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:34:42.434287071 CEST	1.1.1.1	192.168.2.16	0xbd82	Server failure (2)	hnamedmr.ukremediatlon.co.uk	none	none	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:34:42.435388088 CEST	1.1.1.1	192.168.2.16	0x9b70	Server failure (2)	hnamedmr.ukremediatlon.co.uk	none	none	65	IN (0x0001)	false
Oct 23, 2024 15:34:42.445504904 CEST	1.1.1.1	192.168.2.16	0x8261	Server failure (2)	hnamedmr.ukremediatlon.co.uk	none	none	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:34:42.448766947 CEST	1.1.1.1	192.168.2.16	0x45fa	Server failure (2)	hnamedmr.ukremediatlon.co.uk	none	none	65	IN (0x0001)	false
Oct 23, 2024 15:34:42.460731983 CEST	1.1.1.1	192.168.2.16	0x3ed2	No error (0)	google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:34:42.461363077 CEST	8.8.8.8	192.168.2.16	0x6851	No error (0)	google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:34:47.473149061 CEST	1.1.1.1	192.168.2.16	0x47d6	Server failure (2)	hnamedmr.ukremediatlon.co.uk	none	none	65	IN (0x0001)	false
Oct 23, 2024 15:34:47.473165035 CEST	1.1.1.1	192.168.2.16	0x231d	Server failure (2)	hnamedmr.ukremediatlon.co.uk	none	none	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:34:47.481873035 CEST	1.1.1.1	192.168.2.16	0xc57f	Server failure (2)	hnamedmr.ukremediatlon.co.uk	none	none	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:34:47.484942913 CEST	1.1.1.1	192.168.2.16	0x8c4d	Server failure (2)	hnamedmr.ukremediatlon.co.uk	none	none	65	IN (0x0001)	false
Oct 23, 2024 15:34:47.493577003 CEST	1.1.1.1	192.168.2.16	0xd7e6	Server failure (2)	hnamedmr.ukremediatlon.co.uk	none	none	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:35:17.528402090 CEST	1.1.1.1	192.168.2.16	0x654	Server failure (2)	hnamedmr.ukremediatlon.co.uk	none	none	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:35:17.528614044 CEST	1.1.1.1	192.168.2.16	0x877f	Server failure (2)	hnamedmr.ukremediatlon.co.uk	none	none	65	IN (0x0001)	false
Oct 23, 2024 15:35:17.541300058 CEST	1.1.1.1	192.168.2.16	0x90a	Server failure (2)	hnamedmr.ukremediatlon.co.uk	none	none	65	IN (0x0001)	false
Oct 23, 2024 15:35:17.541601896 CEST	1.1.1.1	192.168.2.16	0x3cae	Server failure (2)	hnamedmr.ukremediatlon.co.uk	none	none	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:35:17.550313950 CEST	1.1.1.1	192.168.2.16	0x735f	Server failure (2)	hnamedmr.ukremediatlon.co.uk	none	none	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:35:49.157705069 CEST	1.1.1.1	192.168.2.16	0xccf9	Server failure (2)	hnamedmr.ukremediatlon.co.uk	none	none	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:36:17.641803026 CEST	1.1.1.1	192.168.2.16	0xe294	Server failure (2)	hnamedmr.ukremediatlon.co.uk	none	none	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:36:17.642210960 CEST	1.1.1.1	192.168.2.16	0x877e	Server failure (2)	hnamedmr.ukremediatlon.co.uk	none	none	65	IN (0x0001)	false
Oct 23, 2024 15:36:17.653541088 CEST	1.1.1.1	192.168.2.16	0x69c6	Server failure (2)	hnamedmr.ukremediatlon.co.uk	none	none	65	IN (0x0001)	false
Oct 23, 2024 15:36:17.654057026 CEST	1.1.1.1	192.168.2.16	0xe52	Server failure (2)	hnamedmr.ukremediatlon.co.uk	none	none	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:36:17.665945053 CEST	1.1.1.1	192.168.2.16	0x58df	Server failure (2)	hnamedmr.ukremediatlon.co.uk	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.google.com

fs.microsoft.com

slscr.update.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.16	49701	142.250.185.196	443	6780	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-23 13:34:45 UTC	613	OUT	GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlqHLAQj2mM0BCIWgzQEI3L3NAQiSys0BCLnKzQEIx9HNAQiJ080BCNzTzQEIy9bNAQj01s0BCIrXzQEIp9jNAQj5wNQVGLrSzQEYy9jNARjrjaUX Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-23 13:34:46 UTC	1266	IN	HTTP/1.1 200 OK Date: Wed, 23 Oct 2024 13:34:45 GMT Pragma: no-cache Expires: -1 Cache-Control: no-cache, must-revalidate Content-Type: text/javascript; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Content-Security-Policy: object-src 'none';base-uri 'self';script-src 'nonce-j8lZgPYyTyrReQHh64Vcmw' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/cdt1 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/cdt1"}]} Accept-CH: Sec-CH-Prefers-Color-Scheme Accept-CH: Sec-CH-UA-Form-Factors Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Content-Disposition: attachment; filename="f.txt" Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-23 13:34:46 UTC	112	IN	Data Raw: 33 30 35 0d 0a 29 5d 7d 27 0a 5b 22 22 2c 5b 22 77 69 63 6b 65 64 20 63 6f 66 66 65 65 20 64 72 69 6e 6b 73 22 2c 22 6d 61 72 76 65 6c 20 62 6c 61 64 65 20 6d 6f 76 69 65 22 2c 22 6e 62 61 20 70 6f 77 65 72 20 72 61 6e 6b 69 6e 67 73 22 2c 22 68 75 72 72 69 63 61 6e 65 20 73 65 61 73 6f 6e 20 66 6c 6f 72 69 64 61 22 2c 22 70 73 35 20 Data Ascii: 305)]}'["",["wicked coffee drinks","marvel blade movie","nba power rankings","hurricane season florida","ps5
2024-10-23 13:34:46 UTC	668	IN	Data Raw: 73 79 73 74 65 6d 20 73 6f 66 74 77 61 72 65 20 75 70 64 61 74 65 22 2c 22 70 68 69 6c 61 64 65 6c 70 68 69 61 20 70 6f 72 74 61 6c 20 61 72 74 20 69 6e 73 74 61 6c 6c 61 74 69 6f 6e 22 2c 22 72 75 66 75 73 20 64 75 20 73 6f 6c 20 70 72 65 73 61 6c 65 20 63 6f 64 65 73 22 2c 22 39 31 31 20 6f 75 74 61 67 65 20 63 6f 6e 6e 65 63 74 69 63 75 74 22 5d 2c 5b 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 5d 2c 5b 5d 2c 7b 22 67 6f 6f 67 6c 65 3a 63 6c 69 65 6e 74 64 61 74 61 22 3a 7b 22 62 70 63 22 3a 66 61 6c 73 65 2c 22 74 6c 77 22 3a 66 61 6c 73 65 7d 2c 22 67 6f 6f 67 6c 65 3a 67 72 6f 75 70 73 69 6e 66 6f 22 3a 22 43 68 67 49 6b 6b 34 53 45 77 6f 52 56 48 4a 6c 62 6d 52 70 62 6d 63 67 63 32 56 68 63 6d 4e 6f 5a 58 4d 5c 75 30 30 33 Data Ascii: system software update","philadelphia portal art installation","rufus du sol presale codes","911 outage connecticut"],["","","","","","","",""],[],{"google:clientdata":{"bpc":false,"tlw":false},"google:groupsinfo":"ChgIkk4SEwoRVHJlbmRpbmcgc2VhcmNoZXM\u003
2024-10-23 13:34:46 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.16	49707	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-10-23 13:34:47 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-10-23 13:34:47 UTC	466	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-neu-z1 Cache-Control: public, max-age=97885 Date: Wed, 23 Oct 2024 13:34:47 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.16	49708	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-10-23 13:34:48 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-10-23 13:34:48 UTC	514	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=97853 Date: Wed, 23 Oct 2024 13:34:48 GMT Content-Length: 55 Connection: close X-CID: 2
2024-10-23 13:34:48 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.16	49709	52.149.20.212	443

Timestamp	Bytes transferred	Direction	Data
2024-10-23 13:34:49 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=YMvCC49WFUdmgcM&MD=nXKYRM3s HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-23 13:34:49 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: 492aafdd-79ce-4d19-8746-94f65b018cbf MS-RequestId: 3780a573-ce61-4373-b6b5-a8f710d5deb8 MS-CV: l0tRjYr87kCFTtX3.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Wed, 23 Oct 2024 13:34:49 GMT Connection: close Content-Length: 24490
2024-10-23 13:34:49 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-10-23 13:34:49 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.16	49710	52.149.20.212	443

Timestamp	Bytes transferred	Direction	Data
2024-10-23 13:35:27 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=YMvCC49WFUdmgcM&MD=nXKYRM3s HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-23 13:35:27 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440" MS-CorrelationId: 4c2c1a11-5494-49ce-a341-8cf94e1fa171 MS-RequestId: 932c25db-842d-4a40-955d-331cb5dab641 MS-CV: SVXVCGUB7U+dN0cT.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Wed, 23 Oct 2024 13:35:26 GMT Connection: close Content-Length: 30005
2024-10-23 13:35:27 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK\|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
2024-10-23 13:35:27 UTC	14181	IN	Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: chrome.exePID: 6312, Parent PID: 4720

General

Target ID:	0
Start time:	09:34:34
Start date:	23/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Imagebase:	0x7ff7f9810000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 6780, Parent PID: 6312

General

Target ID:	1
Start time:	09:34:34
Start date:	23/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 --field-trial-handle=1980,i,17698815162870580677,5405176908812632601,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff7f9810000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 5636, Parent PID: 4720

General

Target ID:	2
Start time:	09:34:35
Start date:	23/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://hnamedmr.ukremediatlon.co.uk/LVGwXwqP"
Imagebase:	0x7ff7f9810000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://hnamedmr.ukremediatlon.co.uk/LVGwXwqP

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Boot Survival

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Chrome Cache Entry: 56

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: chrome.exePID: 6312, Parent PID: 4720

General

Chronological Activities

Analysis Process: chrome.exePID: 6780, Parent PID: 6312

General

Chronological Activities

Analysis Process: chrome.exePID: 5636, Parent PID: 4720

Windows Analysis Report
https://hnamedmr.ukremediatlon.co.uk/LVGwXwqP