Edit tour

Windows Analysis Report
https://gop-win.co/k3I0yr

Overview

General Information

Sample URL:	https://gop-win.co/k3I0yr
Analysis ID:	1540236
Infos:

Detection

Score:	2
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected non-DNS traffic on DNS port

Detected suspicious crossdomain redirect

HTTP GET or POST without a user agent

Stores files to the Windows start menu directory

Classification

Process Tree

System is w10x64_ra

chrome.exe (PID: 6812 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

chrome.exe (PID: 7040 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 --field-trial-handle=1904,i,12194626097471155259,2016964568004695182,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

chrome.exe (PID: 5648 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://gop-win.co/k3I0yr" MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

cleanup

HTTP traffic detected: GET /ab HTTP/1.1Host: evoke-windowsservices-tas.msedge.netCache-Control: no-store, no-cacheX-PHOTOS-CALLERID: 9NMPJ99VJBWVX-EVOKE-RING: X-WINNEXT-RING: PublicX-WINNEXT-TELEMETRYLEVEL: BasicX-WINNEXT-OSVERSION: 10.0.19045.0X-WINNEXT-APPVERSION: 1.23082.131.0X-WINNEXT-PLATFORM: DesktopX-WINNEXT-CANTAILOR: FalseX-MSEDGE-CLIENTID: {c1afbad7-f7da-40f2-92f9-8846a91d69bd}X-WINNEXT-PUBDEVICEID: dbfen2nYS7HW6ON4OdOknKxxv2CCI5LJBTojzDztjwI=If-None-Match: 2056388360_-1434155563Accept-Encoding: gzip, deflate, br

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.13

Source: global traffic	HTTP traffic detected: GET /k3I0yr HTTP/1.1Host: gop-win.coConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=xrEGEK5HvhS+lcb&MD=BpA6rrL6 HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CJC2yQEIprbJAQipncoBCLf3ygEIlaHLAQiFoM0BCNy9zQEIkcrNAQi5ys0BCLbLzQEI6dLNAQiK080BCMHUzQEIz9bNAQjj1s0BCI7XzQEIp9jNAQi62M0BCPnA1BUYuL/NARj2yc0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=go&oit=1&cp=2&pgcl=4&gs_rn=42&psi=ztUIwh7Jpc-ovUcW&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CJC2yQEIprbJAQipncoBCLf3ygEIlaHLAQiFoM0BCNy9zQEIkcrNAQi5ys0BCLbLzQEI6dLNAQiK080BCMHUzQEIz9bNAQjj1s0BCI7XzQEIp9jNAQi62M0BCPnA1BUYuL/NARj2yc0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=gop.&oit=1&cp=4&pgcl=4&gs_rn=42&psi=ztUIwh7Jpc-ovUcW&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CJC2yQEIprbJAQipncoBCLf3ygEIlaHLAQiFoM0BCNy9zQEIkcrNAQi5ys0BCLbLzQEI6dLNAQiK080BCMHUzQEIz9bNAQjj1s0BCI7XzQEIp9jNAQi62M0BCPnA1BUYuL/NARj2yc0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=gop&oit=1&cp=3&pgcl=4&gs_rn=42&psi=ztUIwh7Jpc-ovUcW&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CJC2yQEIprbJAQipncoBCLf3ygEIlaHLAQiFoM0BCNy9zQEIkcrNAQi5ys0BCLbLzQEI6dLNAQiK080BCMHUzQEIz9bNAQjj1s0BCI7XzQEIp9jNAQi62M0BCPnA1BUYuL/NARj2yc0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=gop-win&oit=1&cp=7&pgcl=4&gs_rn=42&psi=ztUIwh7Jpc-ovUcW&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CJC2yQEIprbJAQipncoBCLf3ygEIlaHLAQiFoM0BCNy9zQEIkcrNAQi5ys0BCLbLzQEI6dLNAQiK080BCMHUzQEIz9bNAQjj1s0BCI7XzQEIp9jNAQi62M0BCPnA1BUYuL/NARj2yc0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=gop-win.com&oit=3&cp=11&pgcl=4&gs_rn=42&psi=ztUIwh7Jpc-ovUcW&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CJC2yQEIprbJAQipncoBCLf3ygEIlaHLAQiFoM0BCNy9zQEIkcrNAQi5ys0BCLbLzQEI6dLNAQiK080BCMHUzQEIz9bNAQjj1s0BCI7XzQEIp9jNAQi62M0BCPnA1BUYuL/NARj2yc0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=gop-win.co&oit=3&cp=10&pgcl=4&gs_rn=42&psi=ztUIwh7Jpc-ovUcW&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CJC2yQEIprbJAQipncoBCLf3ygEIlaHLAQiFoM0BCNy9zQEIkcrNAQi5ys0BCLbLzQEI6dLNAQiK080BCMHUzQEIz9bNAQjj1s0BCI7XzQEIp9jNAQi62M0BCPnA1BUYuL/NARj2yc0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: gop-win.coConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: gop-win.coConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CJC2yQEIprbJAQipncoBCLf3ygEIlaHLAQiFoM0BCNy9zQEIkcrNAQi5ys0BCLbLzQEI6dLNAQiK080BCMHUzQEIz9bNAQjj1s0BCI7XzQEIp9jNAQi62M0BCPnA1BUYuL/NARj2yc0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=xrEGEK5HvhS+lcb&MD=BpA6rrL6 HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /ab HTTP/1.1Host: evoke-windowsservices-tas.msedge.netCache-Control: no-store, no-cacheX-PHOTOS-CALLERID: 9NMPJ99VJBWVX-EVOKE-RING: X-WINNEXT-RING: PublicX-WINNEXT-TELEMETRYLEVEL: BasicX-WINNEXT-OSVERSION: 10.0.19045.0X-WINNEXT-APPVERSION: 1.23082.131.0X-WINNEXT-PLATFORM: DesktopX-WINNEXT-CANTAILOR: FalseX-MSEDGE-CLIENTID: {c1afbad7-f7da-40f2-92f9-8846a91d69bd}X-WINNEXT-PUBDEVICEID: dbfen2nYS7HW6ON4OdOknKxxv2CCI5LJBTojzDztjwI=If-None-Match: 2056388360_-1434155563Accept-Encoding: gzip, deflate, br
Source: global traffic	HTTP traffic detected: GET /client/config?cc=CH&setlang=en-CH HTTP/1.1X-Search-CortanaAvailableCapabilities: NoneX-Search-SafeSearch: ModerateAccept-Encoding: gzip, deflateX-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A}X-UserAgeClass: UnknownX-BM-Market: CHX-BM-DateFormat: dd/MM/yyyyX-Device-OSSKU: 48X-BM-DTZ: -240X-DeviceID: 01000A41090080B6X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66EX-Search-TimeZone: Bias=300; DaylightBias=-60; TimeZoneKeyName=Eastern Standard TimeX-BM-Theme: 000000;0078d7X-Search-RPSToken: t%3DEwDoAkR8BAAUcvamItSE/vUHpyZRp3BeyOJPQDsAAb5G6NOO6clpDSRroKoZlJIHWd19ow0GV0DhcMtQSvsqXeExJtZ5JiwiI55yIDVq6WT1Zb8HnEtk99/LtfJHDbqZVgeBwx3Z1z6ch5c/4Fy2VCpewCQLKcViiqHxskR5Qq9NL9MkON2h0DORsC9Pe/H%2BRNfTSiqJDN9ncl%2B9RnIM2zIZHVcOy/mMUJJZ2ZGDLzek73F9ENxO6Rd794UhgTEV9P72mH%2BhzZ2IrfNmWBdNCf66M5YYhPZPZgtHyGErWTW5SrakD5/aO5%2BcPq2oZ2HX6eOMnWq4Un3qCEzq5nvxYrxmSh6j4C4BHc7IvInrA7%2Bxgu4KkjQYKIyO96Trvl8QZgAAELdrLep4nrTbUzNFC7dWScWwARWbv24pJH9dlPm2iiwtPnQHQ0iP7Wa4akZC6eCUePS0kYaP3LpeUYnk1f1YSJYX8T8nxQVrarEPBnjW%2BsDYWM0zf08q54MDcMICIpKRz%2Bvl/ZGs5%2BPJ%2BQjJKW/wn%2BuSk7%2B5TvD%2BAbzEwTrpcKIPCNB5Cd7bdp0hd%2B4NKOAvOrElyuw0X0volWP1SC6pIeYU3JTtQEhXJndyIK5Z4KrE6cUMMu69QyoNA1tAB9vg9TCcH%2B9f9iJyJ03A7QEdTO2g50MXjWy8jeoqMvbBNDfh4LFSGivxosMCvlavClVkXVmWGX48Q84nuDwvv2KoXQKDLAmYbSe0O10BpGqxWjpqa6pEMF4eL09JwEe/fsFO%2Buam6ZVi9jLeqivl4s95ZfU7%2Bsyp75lSw8fILFjTPkhWTemqdMibnaTAgB9wQOJtD3AHbIc0wSawT/T7NOtGaOLexkQKCYxxU17Cos6jItEs9eiZmAR13JBbzD7PE7IxLmE/CQcvTQtK07ui3IE%2B/5E7bsbB/xCdKjNYatIA0o7FzFGjKGuyu19kc9WQH3ZONcfvJDGbD%2B3gx0fEr64BKCN2OdoB%26p%3DX-Agent-DeviceId: 01000A41090080B6X-BM-CBT: 1729690663User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045X-Device-isOptin: falseAccept-language: en-GB, en, en-USX-Device-Touch: falseX-Device-ClientSession: 9CB8EE4BF29C4B00A5ECADD9B0898727X-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUIHost: www.bing.comConnection: Keep-AliveCookie: SRCHUID=V=2&GUID=C4EAB6C130004333A34B5668AE4E4D10&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20240207; SRCHHPGUSR=SRCHLANG=en; MUID=4590362BB5CF472B95BBEDB3112D4B7B; MUIDB=4590362BB5CF472B95BBEDB3112D4B7B
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: gop-win.coConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9

Source: global traffic	DNS traffic detected: DNS query: gop-win.co
Source: global traffic	DNS traffic detected: DNS query: not-found.domain
Source: global traffic	DNS traffic detected: DNS query: google.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: unknown

HTTP traffic detected: POST /RST2.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 3592Host: login.live.com

Source: chromecache_146.1.dr	String found in binary or memory: http://gop.com
Source: chromecache_146.1.dr	String found in binary or memory: http://gop.com/2024gotv
Source: chromecache_146.1.dr	String found in binary or memory: http://gop.gov
Source: chromecache_147.1.dr, chromecache_154.1.dr, chromecache_148.1.dr	String found in binary or memory: http://gopwin.com

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49690
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49690 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49680 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.17:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.17:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.17:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.17:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.5.88:443 -> 192.168.2.17:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.126.32.76:443 -> 192.168.2.17:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.23.209.135:443 -> 192.168.2.17:49737 version: TLS 1.2

Source: classification engine

Classification label: clean2.win@32/26@36/6

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Jump to behavior

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 --field-trial-handle=1904,i,12194626097471155259,2016964568004695182,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://gop-win.co/k3I0yr"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 --field-trial-handle=1904,i,12194626097471155259,2016964568004695182,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Google Drive.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	1 Process Injection	1 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	3 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Name	IP	Active	Malicious	Reputation
google.com	142.250.74.206	true	false	unknown
www.google.com	142.250.186.100	true	false	unknown
gop-win.co	3.33.253.57	true	false	unknown
not-found.domain	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Reputation
https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=gop-win&oit=1&cp=7&pgcl=4&gs_rn=42&psi=ztUIwh7Jpc-ovUcW&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw	false	unknown
https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=gop&oit=1&cp=3&pgcl=4&gs_rn=42&psi=ztUIwh7Jpc-ovUcW&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw	false	unknown
https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=gop-win.co&oit=3&cp=10&pgcl=4&gs_rn=42&psi=ztUIwh7Jpc-ovUcW&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw	false	unknown
https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=go&oit=1&cp=2&pgcl=4&gs_rn=42&psi=ztUIwh7Jpc-ovUcW&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw	false	unknown
https://gop-win.co/	false	unknown
http://gop-win.co/	false	unknown
https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=gop.&oit=1&cp=4&pgcl=4&gs_rn=42&psi=ztUIwh7Jpc-ovUcW&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw	false	unknown
https://gop-win.co/k3I0yr	false	unknown
https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw	false	unknown
https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=gop-win.com&oit=3&cp=11&pgcl=4&gs_rn=42&psi=ztUIwh7Jpc-ovUcW&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://gop.gov	chromecache_146.1.dr	false	unknown
http://gopwin.com	chromecache_147.1.dr, chromecache_154.1.dr, chromecache_148.1.dr	false	unknown
http://gop.com	chromecache_146.1.dr	false	unknown
http://gop.com/2024gotv	chromecache_146.1.dr	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
3.33.253.57	gop-win.co	United States	8987	AMAZONEXPANSIONGB	false
13.248.192.114	unknown	United States	16509	AMAZON-02US	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.186.100	www.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.17
192.168.2.4

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1540236
Start date and time:	2024-10-23 15:36:22 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Sample URL:	https://gop-win.co/k3I0yr
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean2.win@32/26@36/6
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, TextInputHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.185.99, 142.250.186.46, 142.251.168.84, 34.104.35.123, 192.229.221.95, 217.20.57.18, 142.250.185.206, 142.250.185.195, 199.232.214.172, 142.250.185.238
Excluded domains from analysis (whitelisted): www.bing.com, clients1.google.com, fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, encrypted-tbn0.gstatic.com, ctldl.windowsupdate.com, clientservices.googleapis.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, login.live.com, evoke-windowsservices-tas.msedge.net, update.googleapis.com, clients.l.google.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenFile calls found.
VT rate limit hit for: https://gop-win.co/k3I0yr

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 23 12:36:59 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.98145006357711
Encrypted:	false
SSDEEP:	48:8MgV+dTTk7pLH3idAKZdA1JehwiZUklqehNy+3:8MgVOARqy
MD5:	0A44656B7E0D0C8597A53D0C1B53F0CD
SHA1:	FA05400BA39D761BEFE10B8AE98F119A0BADE1B1
SHA-256:	EFFE5C5213B632ACB6B8B1950E4C5C46A8B69F849AD75DDBE4908DC13E30906C
SHA-512:	86AE0920C2FCE60B5830469714E2CCD9A49E2688E27BEE3A63195843F77B500D0D1B80943FD0650480732027B873DDBE305C7C7AD1DCDB5BD47752A66323B2A1
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.......P%......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.IWY.l....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VWY.l....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.VWY.l....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.VWY.l...........................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.VWY.l...........................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........7........C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	HTTP traffic: Redirect from: gop-win.co to https://not-found.domain/
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	HTTP traffic: Redirect from: gop-win.co to https://not-found.domain/
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	HTTP traffic: Redirect from: gop-win.co to https://not-found.domain/
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	HTTP traffic: Redirect from: gop-win.co to https://not-found.domain/

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 23, 2024 15:36:58.004961967 CEST	53	64778	1.1.1.1	192.168.2.17
Oct 23, 2024 15:36:58.019098997 CEST	53	60215	1.1.1.1	192.168.2.17
Oct 23, 2024 15:36:59.266630888 CEST	53	61940	1.1.1.1	192.168.2.17
Oct 23, 2024 15:37:00.050179005 CEST	60754	53	192.168.2.17	1.1.1.1
Oct 23, 2024 15:37:00.050453901 CEST	50721	53	192.168.2.17	1.1.1.1
Oct 23, 2024 15:37:00.063332081 CEST	53	60754	1.1.1.1	192.168.2.17
Oct 23, 2024 15:37:00.065757990 CEST	53	50721	1.1.1.1	192.168.2.17
Oct 23, 2024 15:37:01.029735088 CEST	53302	53	192.168.2.17	1.1.1.1
Oct 23, 2024 15:37:01.029902935 CEST	63755	53	192.168.2.17	1.1.1.1
Oct 23, 2024 15:37:01.039390087 CEST	53	63755	1.1.1.1	192.168.2.17
Oct 23, 2024 15:37:01.046096087 CEST	53	53302	1.1.1.1	192.168.2.17
Oct 23, 2024 15:37:01.050406933 CEST	50531	53	192.168.2.17	1.1.1.1
Oct 23, 2024 15:37:01.060173988 CEST	53	50531	1.1.1.1	192.168.2.17
Oct 23, 2024 15:37:01.082351923 CEST	59621	53	192.168.2.17	8.8.8.8
Oct 23, 2024 15:37:01.083003044 CEST	63571	53	192.168.2.17	1.1.1.1
Oct 23, 2024 15:37:01.091007948 CEST	53	59621	8.8.8.8	192.168.2.17
Oct 23, 2024 15:37:01.091392994 CEST	53	63571	1.1.1.1	192.168.2.17
Oct 23, 2024 15:37:02.132582903 CEST	54282	53	192.168.2.17	1.1.1.1
Oct 23, 2024 15:37:02.134212017 CEST	60186	53	192.168.2.17	1.1.1.1
Oct 23, 2024 15:37:02.185219049 CEST	53	60186	1.1.1.1	192.168.2.17
Oct 23, 2024 15:37:02.185993910 CEST	53	54282	1.1.1.1	192.168.2.17
Oct 23, 2024 15:37:02.368463039 CEST	56397	53	192.168.2.17	1.1.1.1
Oct 23, 2024 15:37:02.368618011 CEST	64127	53	192.168.2.17	1.1.1.1
Oct 23, 2024 15:37:02.376127958 CEST	53	56397	1.1.1.1	192.168.2.17
Oct 23, 2024 15:37:02.376147032 CEST	53	64127	1.1.1.1	192.168.2.17
Oct 23, 2024 15:37:07.203809977 CEST	59898	53	192.168.2.17	1.1.1.1
Oct 23, 2024 15:37:07.204021931 CEST	53319	53	192.168.2.17	1.1.1.1
Oct 23, 2024 15:37:07.213710070 CEST	53	59898	1.1.1.1	192.168.2.17
Oct 23, 2024 15:37:07.219516039 CEST	53	53319	1.1.1.1	192.168.2.17
Oct 23, 2024 15:37:07.220271111 CEST	49547	53	192.168.2.17	1.1.1.1
Oct 23, 2024 15:37:07.229962111 CEST	53	49547	1.1.1.1	192.168.2.17
Oct 23, 2024 15:37:16.268229008 CEST	53	51039	1.1.1.1	192.168.2.17
Oct 23, 2024 15:37:19.424952030 CEST	53	64095	1.1.1.1	192.168.2.17
Oct 23, 2024 15:37:23.333990097 CEST	59837	53	192.168.2.17	1.1.1.1
Oct 23, 2024 15:37:23.334148884 CEST	56990	53	192.168.2.17	1.1.1.1
Oct 23, 2024 15:37:23.343446016 CEST	53	56990	1.1.1.1	192.168.2.17
Oct 23, 2024 15:37:23.349726915 CEST	53	59837	1.1.1.1	192.168.2.17
Oct 23, 2024 15:37:23.350480080 CEST	49763	53	192.168.2.17	1.1.1.1
Oct 23, 2024 15:37:23.366106033 CEST	53	49763	1.1.1.1	192.168.2.17
Oct 23, 2024 15:37:23.381251097 CEST	59250	53	192.168.2.17	1.1.1.1
Oct 23, 2024 15:37:23.381422043 CEST	65029	53	192.168.2.17	1.1.1.1
Oct 23, 2024 15:37:23.395905972 CEST	53	65029	1.1.1.1	192.168.2.17
Oct 23, 2024 15:37:23.402662039 CEST	53	59250	1.1.1.1	192.168.2.17
Oct 23, 2024 15:37:23.712352991 CEST	61814	53	192.168.2.17	1.1.1.1
Oct 23, 2024 15:37:23.712533951 CEST	50636	53	192.168.2.17	1.1.1.1
Oct 23, 2024 15:37:23.722373962 CEST	53	50636	1.1.1.1	192.168.2.17
Oct 23, 2024 15:37:23.733324051 CEST	53	61814	1.1.1.1	192.168.2.17
Oct 23, 2024 15:37:24.035337925 CEST	60283	53	192.168.2.17	1.1.1.1
Oct 23, 2024 15:37:24.035564899 CEST	50348	53	192.168.2.17	1.1.1.1
Oct 23, 2024 15:37:24.045697927 CEST	53	50348	1.1.1.1	192.168.2.17
Oct 23, 2024 15:37:24.051498890 CEST	53	60283	1.1.1.1	192.168.2.17
Oct 23, 2024 15:37:24.065160990 CEST	49507	53	192.168.2.17	1.1.1.1
Oct 23, 2024 15:37:24.065462112 CEST	50641	53	192.168.2.17	8.8.8.8
Oct 23, 2024 15:37:24.073141098 CEST	53	49507	1.1.1.1	192.168.2.17
Oct 23, 2024 15:37:24.074232101 CEST	53	50641	8.8.8.8	192.168.2.17
Oct 23, 2024 15:37:25.077415943 CEST	59607	53	192.168.2.17	1.1.1.1
Oct 23, 2024 15:37:25.077699900 CEST	62906	53	192.168.2.17	1.1.1.1
Oct 23, 2024 15:37:25.091952085 CEST	53	62906	1.1.1.1	192.168.2.17
Oct 23, 2024 15:37:25.093713045 CEST	53	59607	1.1.1.1	192.168.2.17
Oct 23, 2024 15:37:30.117674112 CEST	55524	53	192.168.2.17	1.1.1.1
Oct 23, 2024 15:37:30.117878914 CEST	60849	53	192.168.2.17	1.1.1.1
Oct 23, 2024 15:37:30.127023935 CEST	53	60849	1.1.1.1	192.168.2.17
Oct 23, 2024 15:37:30.134136915 CEST	53	55524	1.1.1.1	192.168.2.17
Oct 23, 2024 15:37:30.135088921 CEST	53982	53	192.168.2.17	1.1.1.1
Oct 23, 2024 15:37:30.150687933 CEST	53	53982	1.1.1.1	192.168.2.17
Oct 23, 2024 15:37:35.034153938 CEST	53	56353	1.1.1.1	192.168.2.17
Oct 23, 2024 15:37:36.055826902 CEST	53	62327	1.1.1.1	192.168.2.17
Oct 23, 2024 15:37:58.009267092 CEST	53	57541	1.1.1.1	192.168.2.17
Oct 23, 2024 15:38:00.171335936 CEST	64531	53	192.168.2.17	1.1.1.1
Oct 23, 2024 15:38:00.171587944 CEST	60545	53	192.168.2.17	1.1.1.1
Oct 23, 2024 15:38:00.187158108 CEST	53	64531	1.1.1.1	192.168.2.17
Oct 23, 2024 15:38:00.187752008 CEST	53	60545	1.1.1.1	192.168.2.17
Oct 23, 2024 15:38:00.188486099 CEST	64684	53	192.168.2.17	1.1.1.1
Oct 23, 2024 15:38:00.208827019 CEST	53	64684	1.1.1.1	192.168.2.17
Oct 23, 2024 15:38:13.271843910 CEST	138	138	192.168.2.17	192.168.2.255
Oct 23, 2024 15:39:00.224082947 CEST	52928	53	192.168.2.17	1.1.1.1
Oct 23, 2024 15:39:00.224172115 CEST	49806	53	192.168.2.17	1.1.1.1
Oct 23, 2024 15:39:00.240859985 CEST	53	49806	1.1.1.1	192.168.2.17
Oct 23, 2024 15:39:00.240916967 CEST	53	52928	1.1.1.1	192.168.2.17
Oct 23, 2024 15:39:00.242041111 CEST	53971	53	192.168.2.17	1.1.1.1
Oct 23, 2024 15:39:00.253371954 CEST	53	53971	1.1.1.1	192.168.2.17

Timestamp	Bytes transferred	Direction	Data
Oct 23, 2024 15:37:23.737581015 CEST	425	OUT	GET / HTTP/1.1 Host: gop-win.co Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9
Oct 23, 2024 15:37:24.032633066 CEST	180	IN	HTTP/1.1 302 Found Date: Wed, 23 Oct 2024 13:37:23 GMT Content-Length: 0 Connection: keep-alive Location: https://not-found.domain/ Engine: Rebrandly.redirect, version 2.1
Oct 23, 2024 15:38:09.044621944 CEST	6	OUT	Data Raw: 00 Data Ascii:

Timestamp	Bytes transferred	Direction	Data
2024-10-23 13:37:00 UTC	659	OUT	GET /k3I0yr HTTP/1.1 Host: gop-win.co Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-23 13:37:01 UTC	220	IN	HTTP/1.1 302 Found Date: Wed, 23 Oct 2024 13:37:00 GMT Content-Length: 0 Connection: close Location: https://not-found.domain/ Engine: Rebrandly.redirect, version 2.1 Strict-Transport-Security: max-age=15552000

Timestamp	Bytes transferred	Direction	Data
2024-10-23 13:37:04 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=xrEGEK5HvhS+lcb&MD=BpA6rrL6 HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-23 13:37:05 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: ce068a69-c650-4ce3-a031-5054d6313d8b MS-RequestId: ea2b8ce6-6993-43e2-9f85-1dda5fb9467a MS-CV: 92WfYtcFmkiwu1Vs.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Wed, 23 Oct 2024 13:37:03 GMT Connection: close Content-Length: 24490
2024-10-23 13:37:05 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-10-23 13:37:05 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Timestamp	Bytes transferred	Direction	Data
2024-10-23 13:37:14 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-10-23 13:37:15 UTC	466	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-neu-z1 Cache-Control: public, max-age=97737 Date: Wed, 23 Oct 2024 13:37:15 GMT Connection: close X-CID: 2

Timestamp	Bytes transferred	Direction	Data
2024-10-23 13:37:15 UTC	621	OUT	GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CJC2yQEIprbJAQipncoBCLf3ygEIlaHLAQiFoM0BCNy9zQEIkcrNAQi5ys0BCLbLzQEI6dLNAQiK080BCMHUzQEIz9bNAQjj1s0BCI7XzQEIp9jNAQi62M0BCPnA1BUYuL/NARj2yc0BGOuNpRc= Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-23 13:37:16 UTC	1266	IN	HTTP/1.1 200 OK Date: Wed, 23 Oct 2024 13:37:15 GMT Pragma: no-cache Expires: -1 Cache-Control: no-cache, must-revalidate Content-Type: text/javascript; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Content-Security-Policy: object-src 'none';base-uri 'self';script-src 'nonce-hiPs0sk-sSE7_FF7YkvElQ' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/cdt1 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/cdt1"}]} Accept-CH: Sec-CH-Prefers-Color-Scheme Accept-CH: Sec-CH-UA-Form-Factors Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Content-Disposition: attachment; filename="f.txt" Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-23 13:37:16 UTC	112	IN	Data Raw: 61 61 33 0d 0a 29 5d 7d 27 0a 5b 22 22 2c 5b 22 6e 61 76 79 20 61 76 69 61 74 6f 72 73 20 63 72 61 73 68 22 2c 22 62 61 74 6d 61 6e 20 61 72 6b 68 61 6d 20 73 68 61 64 6f 77 22 2c 22 6c 75 6c 75 6c 65 6d 6f 6e 20 6e 68 6c 20 61 70 70 61 72 65 6c 22 2c 22 68 75 72 72 69 63 61 6e 65 20 73 65 61 73 6f 6e 20 66 6c 6f 72 69 64 61 22 2c 22 Data Ascii: aa3)]}'["",["navy aviators crash","batman arkham shadow","lululemon nhl apparel","hurricane season florida","
2024-10-23 13:37:16 UTC	1378	IN	Data Raw: 72 75 66 75 73 20 64 75 20 73 6f 6c 20 70 72 65 73 61 6c 65 20 63 6f 64 65 73 22 2c 22 70 65 6e 74 61 67 6f 6e 22 2c 22 74 72 61 69 6c 20 6f 66 20 74 72 65 61 74 73 20 6d 6f 6e 6f 70 6f 6c 79 20 67 6f 20 72 65 77 61 72 64 73 22 2c 22 6c 6f 63 6b 68 65 65 64 20 6d 61 72 74 69 6e 20 73 74 6f 63 6b 22 5d 2c 5b 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 5d 2c 5b 5d 2c 7b 22 67 6f 6f 67 6c 65 3a 63 6c 69 65 6e 74 64 61 74 61 22 3a 7b 22 62 70 63 22 3a 66 61 6c 73 65 2c 22 74 6c 77 22 3a 66 61 6c 73 65 7d 2c 22 67 6f 6f 67 6c 65 3a 67 72 6f 75 70 73 69 6e 66 6f 22 3a 22 43 68 67 49 6b 6b 34 53 45 77 6f 52 56 48 4a 6c 62 6d 52 70 62 6d 63 67 63 32 56 68 63 6d 4e 6f 5a 58 4d 5c 75 30 30 33 64 22 2c 22 67 6f 6f 67 6c 65 3a 73 75 67 67 65 Data Ascii: rufus du sol presale codes","pentagon","trail of treats monopoly go rewards","lockheed martin stock"],["","","","","","","",""],[],{"google:clientdata":{"bpc":false,"tlw":false},"google:groupsinfo":"ChgIkk4SEwoRVHJlbmRpbmcgc2VhcmNoZXM\u003d","google:sugge
2024-10-23 13:37:16 UTC	1240	IN	Data Raw: 43 74 73 5a 46 42 51 55 57 34 33 51 7a 49 76 59 31 6b 32 63 47 6c 35 4e 55 56 54 4d 45 4e 77 53 57 4e 42 54 47 35 4b 56 55 46 46 52 6b 78 5a 55 6a 68 5a 4d 6c 42 6d 53 58 68 46 62 32 35 54 54 46 51 72 51 31 42 32 54 6e 4e 32 62 47 78 46 51 30 5a 6b 4d 6e 64 33 64 7a 64 6b 56 6e 52 43 59 56 6b 33 59 56 45 30 65 6e 4e 35 52 33 6c 72 4e 6d 35 43 4c 32 56 6d 55 47 35 50 53 32 77 78 5a 46 56 58 62 33 56 74 4e 30 38 30 63 31 5a 79 4c 31 63 30 4f 47 73 79 51 30 56 77 51 32 35 54 65 6b 6c 54 63 47 78 54 4f 56 6c 70 4d 48 4a 54 63 48 68 6e 52 57 35 44 52 6b 55 33 4f 58 4e 45 57 46 67 33 4e 48 70 51 57 54 46 33 55 33 70 69 53 30 68 77 61 6d 39 6c 5a 6d 56 4f 54 47 6f 78 51 31 68 76 56 58 52 76 54 6e 52 4d 59 56 56 35 61 30 74 6a 56 57 70 6b 53 6c 56 6a 52 57 64 76 Data Ascii: CtsZFBQUW43QzIvY1k2cGl5NUVTMENwSWNBTG5KVUFFRkxZUjhZMlBmSXhFb25TTFQrQ1B2TnN2bGxFQ0ZkMnd3dzdkVnRCYVk3YVE0enN5R3lrNm5CL2VmUG5PS2wxZFVXb3VtN080c1ZyL1c0OGsyQ0VwQ25TeklTcGxTOVlpMHJTcHhnRW5DRkU3OXNEWFg3NHpQWTF3U3piS0hwam9lZmVOTGoxQ1hvVXRvTnRMYVV5a0tjVWpkSlVjRWdv
2024-10-23 13:37:16 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-10-23 13:37:16 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-10-23 13:37:16 UTC	514	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=97705 Date: Wed, 23 Oct 2024 13:37:16 GMT Content-Length: 55 Connection: close X-CID: 2
2024-10-23 13:37:16 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Timestamp	Bytes transferred	Direction	Data
2024-10-23 13:37:17 UTC	658	OUT	GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=gop.&oit=1&cp=4&pgcl=4&gs_rn=42&psi=ztUIwh7Jpc-ovUcW&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CJC2yQEIprbJAQipncoBCLf3ygEIlaHLAQiFoM0BCNy9zQEIkcrNAQi5ys0BCLbLzQEI6dLNAQiK080BCMHUzQEIz9bNAQjj1s0BCI7XzQEIp9jNAQi62M0BCPnA1BUYuL/NARj2yc0BGOuNpRc= Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-23 13:37:18 UTC	1266	IN	HTTP/1.1 200 OK Date: Wed, 23 Oct 2024 13:37:18 GMT Pragma: no-cache Expires: -1 Cache-Control: no-cache, must-revalidate Content-Type: text/javascript; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Content-Security-Policy: object-src 'none';base-uri 'self';script-src 'nonce-C8jnBCF2GfYiUedZG-304w' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/cdt1 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/cdt1"}]} Accept-CH: Sec-CH-Prefers-Color-Scheme Accept-CH: Sec-CH-UA-Form-Factors Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Content-Disposition: attachment; filename="f.txt" Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-23 13:37:18 UTC	112	IN	Data Raw: 32 34 32 0d 0a 29 5d 7d 27 0a 5b 22 67 6f 70 2e 22 2c 5b 22 67 6f 70 2e 70 6c 61 74 66 6f 72 6d 22 2c 22 67 6f 70 2e 63 6f 6d 20 70 6c 61 74 66 6f 72 6d 22 2c 22 67 6f 70 2e 64 61 74 61 20 63 65 6e 74 65 72 22 2c 22 67 6f 70 2e 63 6f 6d 20 70 68 6f 6e 65 20 6e 75 6d 62 65 72 22 2c 22 67 6f 70 2e 63 6f 6d 20 73 74 6f 72 65 22 2c 22 67 Data Ascii: 242)]}'["gop.",["gop.platform","gop.com platform","gop.data center","gop.com phone number","gop.com store","g
2024-10-23 13:37:18 UTC	473	IN	Data Raw: 6f 70 2e 6d 65 61 6e 69 6e 67 22 2c 22 67 6f 70 6c 2e 69 6f 22 2c 22 68 74 74 70 3a 2f 2f 67 6f 70 2e 63 6f 6d 22 2c 22 68 74 74 70 3a 2f 2f 67 6f 70 2e 67 6f 76 22 2c 22 68 74 74 70 3a 2f 2f 67 6f 70 2e 63 6f 6d 2f 32 30 32 34 67 6f 74 76 22 5d 2c 5b 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 5d 2c 5b 5d 2c 7b 22 67 6f 6f 67 6c 65 3a 63 6c 69 65 6e 74 64 61 74 61 22 3a 7b 22 62 70 63 22 3a 66 61 6c 73 65 2c 22 74 6c 77 22 3a 66 61 6c 73 65 7d 2c 22 67 6f 6f 67 6c 65 3a 73 75 67 67 65 73 74 72 65 6c 65 76 61 6e 63 65 22 3a 5b 36 30 31 2c 36 30 30 2c 35 35 34 2c 35 35 33 2c 35 35 32 2c 35 35 31 2c 35 35 30 2c 34 30 32 2c 34 30 31 2c 34 30 30 5d 2c 22 67 6f 6f 67 6c 65 3a 73 75 67 67 65 73 74 73 75 62 74 79 70 65 Data Ascii: op.meaning","gopl.io","http://gop.com","http://gop.gov","http://gop.com/2024gotv"],["","","","","","","","","",""],[],{"google:clientdata":{"bpc":false,"tlw":false},"google:suggestrelevance":[601,600,554,553,552,551,550,402,401,400],"google:suggestsubtype
2024-10-23 13:37:18 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-10-23 13:37:18 UTC	657	OUT	GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=gop&oit=1&cp=3&pgcl=4&gs_rn=42&psi=ztUIwh7Jpc-ovUcW&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CJC2yQEIprbJAQipncoBCLf3ygEIlaHLAQiFoM0BCNy9zQEIkcrNAQi5ys0BCLbLzQEI6dLNAQiK080BCMHUzQEIz9bNAQjj1s0BCI7XzQEIp9jNAQi62M0BCPnA1BUYuL/NARj2yc0BGOuNpRc= Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-23 13:37:19 UTC	1266	IN	HTTP/1.1 200 OK Date: Wed, 23 Oct 2024 13:37:19 GMT Pragma: no-cache Expires: -1 Cache-Control: no-cache, must-revalidate Content-Type: text/javascript; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Content-Security-Policy: object-src 'none';base-uri 'self';script-src 'nonce-DLzV42tNOmfRU0g80B7jkg' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/cdt1 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/cdt1"}]} Accept-CH: Sec-CH-Prefers-Color-Scheme Accept-CH: Sec-CH-UA-Form-Factors Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Content-Disposition: attachment; filename="f.txt" Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-23 13:37:19 UTC	112	IN	Data Raw: 37 36 64 0d 0a 29 5d 7d 27 0a 5b 22 67 6f 70 22 2c 5b 22 67 6f 70 22 2c 22 67 6f 70 72 6f 22 2c 22 67 6f 70 72 6f 22 2c 22 67 6f 70 68 65 72 22 2c 22 67 6f 70 75 66 66 22 2c 22 67 6f 70 68 65 72 20 66 6f 6f 74 62 61 6c 6c 22 2c 22 67 6f 70 68 65 72 20 73 70 6f 72 74 73 22 2c 22 67 6f 70 20 6d 65 61 6e 69 6e 67 22 2c 22 67 6f 70 68 65 Data Ascii: 76d)]}'["gop",["gop","gopro","gopro","gopher","gopuff","gopher football","gopher sports","gop meaning","gophe
2024-10-23 13:37:19 UTC	1378	IN	Data Raw: 72 20 66 6f 6f 74 62 61 6c 6c 20 73 63 68 65 64 75 6c 65 22 2c 22 67 6f 70 6e 69 6b 22 5d 2c 5b 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 5d 2c 5b 5d 2c 7b 22 67 6f 6f 67 6c 65 3a 63 6c 69 65 6e 74 64 61 74 61 22 3a 7b 22 62 70 63 22 3a 66 61 6c 73 65 2c 22 74 6c 77 22 3a 66 61 6c 73 65 7d 2c 22 67 6f 6f 67 6c 65 3a 73 75 67 67 65 73 74 64 65 74 61 69 6c 22 3a 5b 7b 7d 2c 7b 7d 2c 7b 22 67 6f 6f 67 6c 65 3a 65 6e 74 69 74 79 69 6e 66 6f 22 3a 22 43 67 6f 76 62 53 38 77 61 44 46 6d 5a 44 4d 77 45 68 4a 55 5a 57 4e 6f 62 6d 39 73 62 32 64 35 49 47 4e 76 62 58 42 68 62 6e 6b 79 5a 47 68 30 64 48 42 7a 4f 69 38 76 5a 57 35 6a 63 6e 6c 77 64 47 56 6b 4c 58 52 69 62 6a 41 75 5a 33 4e 30 59 58 52 70 59 79 35 6a 62 32 Data Ascii: r football schedule","gopnik"],["","","","","","","","","",""],[],{"google:clientdata":{"bpc":false,"tlw":false},"google:suggestdetail":[{},{},{"google:entityinfo":"CgovbS8waDFmZDMwEhJUZWNobm9sb2d5IGNvbXBhbnkyZGh0dHBzOi8vZW5jcnlwdGVkLXRibjAuZ3N0YXRpYy5jb2
2024-10-23 13:37:19 UTC	418	IN	Data Raw: 55 48 70 35 58 30 6c 54 51 7a 46 54 55 30 31 32 55 45 77 77 62 45 74 36 54 57 74 43 51 55 6c 46 51 55 4e 5a 4d 48 41 48 22 7d 2c 7b 7d 2c 7b 7d 2c 7b 7d 2c 7b 7d 5d 2c 22 67 6f 6f 67 6c 65 3a 73 75 67 67 65 73 74 72 65 6c 65 76 61 6e 63 65 22 3a 5b 31 33 30 30 2c 36 30 31 2c 36 30 30 2c 35 35 37 2c 35 35 35 2c 35 35 34 2c 35 35 33 2c 35 35 32 2c 35 35 31 2c 35 35 30 5d 2c 22 67 6f 6f 67 6c 65 3a 73 75 67 67 65 73 74 73 75 62 74 79 70 65 73 22 3a 5b 5b 35 31 32 2c 34 33 33 2c 31 33 31 5d 2c 5b 35 31 32 2c 34 33 33 2c 33 35 35 5d 2c 5b 31 39 39 2c 34 33 33 2c 34 36 35 2c 35 31 32 5d 2c 5b 35 31 32 2c 34 33 33 5d 2c 5b 35 31 32 2c 34 33 33 2c 31 39 39 2c 34 36 35 5d 2c 5b 35 31 32 2c 34 33 33 5d 2c 5b 35 31 32 2c 34 33 33 5d 2c 5b 35 31 32 5d 2c 5b 35 31 32 Data Ascii: UHp5X0lTQzFTU012UEwwbEt6TWtCQUlFQUNZMHAH"},{},{},{},{}],"google:suggestrelevance":[1300,601,600,557,555,554,553,552,551,550],"google:suggestsubtypes":[[512,433,131],[512,433,355],[199,433,465,512],[512,433],[512,433,199,465],[512,433],[512,433],[512],[512
2024-10-23 13:37:19 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 64x64, components 3
Category:	downloaded
Size (bytes):	1722
Entropy (8bit):	7.652227667598845
Encrypted:	false
SSDEEP:	24:rQU0PgCrlzijBTFz+9TaY8V+kP/UNXGdc5h46RNsmeVCvpejoQG4DuCk4z7I:rsoCxOB+9TaYUUAdc3V4meVapiowkSM
MD5:	DC5FE2AB83F47ED938A60FC4DB00FBCB
SHA1:	1F242917F86E305072BBBD7B527F62F927A83F81
SHA-256:	DA2B7E8394810A86420D1BC298F401A91826A8A277B2EAF39A4FE6DAF64DE1D4
SHA-512:	8CA37A1444DBDFDCC5D08B12C883CD61AA7E68657D8B4C87D9BEDD0214DF367B525F9FED623BEBA48D4CC5A5B07106462F810F1458EA0E9468E623EBAC73C2D3
Malicious:	false
Reputation:	low
URL:	https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcRqk3q_bg2bz6cbsspSo91unDYhJk-tGWOSJ0t1UxznM40oxfJKOLaas_M&s=10
Preview:	......JFIF......................................... ."" ...$(4,$&1'..-=-157:::#+?D?8C49:7...........7%.%77777777777777777777777777777777777777777777777777......@.@..".......................................2......................!....1A."Qa.2q..#B....$R....................................................!.1A..............?.,m#H..$.7.. ....2=4.5.........E.....?.^..EH...SF$..Z...}n....~.......R..C..H...7...{..I..s.......DM[]U.R@....4m{X.lG.O{[\....M.9VY......:..6....~f[.:.;...A:...Zv.YM</..{......{}t.l):..../..!X....8.N+.<9 c.T......{.&1<5.].v...;......./...U.......1.s..Rl,P..l..;k5QSE.F.T.\......*........pz..t...M.y..8++(....$P...V._...{.Q..1i..M....&.F..K!S.2(..q....]..juV.kcQ................o.k.....s^...F.(...o/_Lj.<.o..%...lJ..x....s.<..2{._1.OO...ke.Y..Y\|.......'......[l..m./"B.m4q.....f!.[..b.........e.1..2...lM./a..}+.R.;E,..1#.1R.d`........mC....,x.A\|...XM.A...7....6T.1.T#dVX^LI~.l_.1..4.&!.R.._@...t.<e.d.LA.qc.p}tI....`.{.3D.....X.$v.kC....T.7_..U. .2\|...]..

Timestamp	Bytes transferred	Direction	Data
2024-10-23 13:37:21 UTC	661	OUT	GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=gop-win&oit=1&cp=7&pgcl=4&gs_rn=42&psi=ztUIwh7Jpc-ovUcW&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CJC2yQEIprbJAQipncoBCLf3ygEIlaHLAQiFoM0BCNy9zQEIkcrNAQi5ys0BCLbLzQEI6dLNAQiK080BCMHUzQEIz9bNAQjj1s0BCI7XzQEIp9jNAQi62M0BCPnA1BUYuL/NARj2yc0BGOuNpRc= Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-23 13:37:21 UTC	1266	IN	HTTP/1.1 200 OK Date: Wed, 23 Oct 2024 13:37:21 GMT Pragma: no-cache Expires: -1 Cache-Control: no-cache, must-revalidate Content-Type: text/javascript; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Content-Security-Policy: object-src 'none';base-uri 'self';script-src 'nonce-qVP4KShTL21O74iGkBXScA' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/cdt1 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/cdt1"}]} Accept-CH: Sec-CH-Prefers-Color-Scheme Accept-CH: Sec-CH-UA-Form-Factors Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Content-Disposition: attachment; filename="f.txt" Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-23 13:37:21 UTC	112	IN	Data Raw: 32 35 63 0d 0a 29 5d 7d 27 0a 5b 22 67 6f 70 2d 77 69 6e 22 2c 5b 22 67 6f 70 77 69 6e 22 2c 22 67 6f 70 20 77 69 6e 6e 65 72 22 2c 22 67 6f 70 20 77 69 6e 6e 65 72 73 20 61 6e 64 20 6c 6f 73 65 72 73 22 2c 22 77 69 6e 64 6f 77 73 20 67 70 6f 22 2c 22 67 6f 70 20 77 69 6e 6e 65 72 20 74 61 6b 65 20 61 6c 6c 20 70 72 69 6d 61 72 69 65 Data Ascii: 25c)]}'["gop-win",["gopwin","gop winner","gop winners and losers","windows gpo","gop winner take all primarie
2024-10-23 13:37:21 UTC	499	IN	Data Raw: 73 22 2c 22 67 6f 70 20 77 69 6e 72 65 64 22 2c 22 67 6f 70 20 77 69 6e 6e 65 72 20 74 6f 6e 69 67 68 74 22 2c 22 67 6f 70 20 77 69 6e 6e 65 72 20 64 65 62 61 74 65 22 2c 22 67 70 6f 20 77 69 6e 64 6f 77 73 20 73 65 72 76 65 72 22 2c 22 68 74 74 70 3a 2f 2f 67 6f 70 77 69 6e 2e 63 6f 6d 22 5d 2c 5b 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 5d 2c 5b 5d 2c 7b 22 67 6f 6f 67 6c 65 3a 63 6c 69 65 6e 74 64 61 74 61 22 3a 7b 22 62 70 63 22 3a 66 61 6c 73 65 2c 22 70 68 69 22 3a 30 2c 22 70 72 65 22 3a 30 2c 22 74 6c 77 22 3a 66 61 6c 73 65 7d 2c 22 67 6f 6f 67 6c 65 3a 73 75 67 67 65 73 74 72 65 6c 65 76 61 6e 63 65 22 3a 5b 31 32 35 32 2c 36 30 31 2c 36 30 30 2c 35 35 35 2c 35 35 34 2c 35 35 33 2c 35 35 32 2c 35 35 Data Ascii: s","gop winred","gop winner tonight","gop winner debate","gpo windows server","http://gopwin.com"],["","","","","","","","","",""],[],{"google:clientdata":{"bpc":false,"phi":0,"pre":0,"tlw":false},"google:suggestrelevance":[1252,601,600,555,554,553,552,55
2024-10-23 13:37:21 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-10-23 13:37:21 UTC	666	OUT	GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=gop-win.com&oit=3&cp=11&pgcl=4&gs_rn=42&psi=ztUIwh7Jpc-ovUcW&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CJC2yQEIprbJAQipncoBCLf3ygEIlaHLAQiFoM0BCNy9zQEIkcrNAQi5ys0BCLbLzQEI6dLNAQiK080BCMHUzQEIz9bNAQjj1s0BCI7XzQEIp9jNAQi62M0BCPnA1BUYuL/NARj2yc0BGOuNpRc= Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-23 13:37:22 UTC	1266	IN	HTTP/1.1 200 OK Date: Wed, 23 Oct 2024 13:37:21 GMT Pragma: no-cache Expires: -1 Cache-Control: no-cache, must-revalidate Content-Type: text/javascript; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Content-Security-Policy: object-src 'none';base-uri 'self';script-src 'nonce-I8dM8axZIzZ4TFHCQm8_Pw' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/cdt1 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/cdt1"}]} Accept-CH: Sec-CH-Prefers-Color-Scheme Accept-CH: Sec-CH-UA-Form-Factors Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Content-Disposition: attachment; filename="f.txt" Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-23 13:37:22 UTC	112	IN	Data Raw: 65 64 0d 0a 29 5d 7d 27 0a 5b 22 67 6f 70 2d 77 69 6e 2e 63 6f 6d 22 2c 5b 22 68 74 74 70 3a 2f 2f 67 6f 70 77 69 6e 2e 63 6f 6d 22 5d 2c 5b 22 22 5d 2c 5b 5d 2c 7b 22 67 6f 6f 67 6c 65 3a 63 6c 69 65 6e 74 64 61 74 61 22 3a 7b 22 62 70 63 22 3a 66 61 6c 73 65 2c 22 70 72 65 22 3a 30 2c 22 74 6c 77 22 3a 66 61 6c 73 65 7d 2c 22 67 6f Data Ascii: ed)]}'["gop-win.com",["http://gopwin.com"],[""],[],{"google:clientdata":{"bpc":false,"pre":0,"tlw":false},"go
2024-10-23 13:37:22 UTC	131	IN	Data Raw: 6f 67 6c 65 3a 73 75 67 67 65 73 74 72 65 6c 65 76 61 6e 63 65 22 3a 5b 38 35 32 5d 2c 22 67 6f 6f 67 6c 65 3a 73 75 67 67 65 73 74 73 75 62 74 79 70 65 73 22 3a 5b 5b 34 34 5d 5d 2c 22 67 6f 6f 67 6c 65 3a 73 75 67 67 65 73 74 74 79 70 65 22 3a 5b 22 4e 41 56 49 47 41 54 49 4f 4e 22 5d 2c 22 67 6f 6f 67 6c 65 3a 76 65 72 62 61 74 69 6d 72 65 6c 65 76 61 6e 63 65 22 3a 38 35 31 7d 5d 0d 0a Data Ascii: ogle:suggestrelevance":[852],"google:suggestsubtypes":[[44]],"google:suggesttype":["NAVIGATION"],"google:verbatimrelevance":851}]
2024-10-23 13:37:22 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-10-23 13:37:22 UTC	653	OUT	GET / HTTP/1.1 Host: gop-win.co Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-23 13:37:23 UTC	220	IN	HTTP/1.1 302 Found Date: Wed, 23 Oct 2024 13:37:22 GMT Content-Length: 0 Connection: close Location: https://not-found.domain/ Engine: Rebrandly.redirect, version 2.1 Strict-Transport-Security: max-age=15552000

Timestamp	Bytes transferred	Direction	Data
2024-10-23 13:37:31 UTC	621	OUT	GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CJC2yQEIprbJAQipncoBCLf3ygEIlaHLAQiFoM0BCNy9zQEIkcrNAQi5ys0BCLbLzQEI6dLNAQiK080BCMHUzQEIz9bNAQjj1s0BCI7XzQEIp9jNAQi62M0BCPnA1BUYuL/NARj2yc0BGOuNpRc= Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-23 13:37:31 UTC	1266	IN	HTTP/1.1 200 OK Date: Wed, 23 Oct 2024 13:37:31 GMT Pragma: no-cache Expires: -1 Cache-Control: no-cache, must-revalidate Content-Type: text/javascript; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Content-Security-Policy: object-src 'none';base-uri 'self';script-src 'nonce-IueR-lvitQ_TvJ8ZsL9Dxw' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/cdt1 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/cdt1"}]} Accept-CH: Sec-CH-Prefers-Color-Scheme Accept-CH: Sec-CH-UA-Form-Factors Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Content-Disposition: attachment; filename="f.txt" Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-23 13:37:31 UTC	112	IN	Data Raw: 62 64 35 0d 0a 29 5d 7d 27 0a 5b 22 22 2c 5b 22 74 72 61 69 6c 20 6f 66 20 74 72 65 61 74 73 20 6d 6f 6e 6f 70 6f 6c 79 20 67 6f 20 72 65 77 61 72 64 73 22 2c 22 69 6e 74 65 72 65 73 74 20 72 61 74 65 73 20 6d 6f 72 74 67 61 67 65 73 22 2c 22 62 69 6c 74 6d 6f 72 65 20 68 6f 75 73 65 20 68 75 72 72 69 63 61 6e 65 20 68 65 6c 65 6e 65 Data Ascii: bd5)]}'["",["trail of treats monopoly go rewards","interest rates mortgages","biltmore house hurricane helene
2024-10-23 13:37:31 UTC	1378	IN	Data Raw: 22 2c 22 68 6f 77 20 6d 75 63 68 20 61 72 65 20 65 70 69 63 20 75 6e 69 76 65 72 73 65 20 74 69 63 6b 65 74 73 22 2c 22 6e 62 61 20 74 6e 74 22 2c 22 73 70 61 63 65 78 20 66 61 6c 63 6f 6e 20 39 20 72 6f 63 6b 65 74 20 6c 61 75 6e 63 68 22 2c 22 61 6d 62 65 73 73 61 20 6d 65 64 61 72 64 61 20 63 68 61 6d 70 69 6f 6e 20 61 62 69 6c 69 74 69 65 73 22 2c 22 73 68 61 72 69 20 72 65 73 74 61 75 72 61 6e 74 73 22 5d 2c 5b 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 5d 2c 5b 5d 2c 7b 22 67 6f 6f 67 6c 65 3a 63 6c 69 65 6e 74 64 61 74 61 22 3a 7b 22 62 70 63 22 3a 66 61 6c 73 65 2c 22 74 6c 77 22 3a 66 61 6c 73 65 7d 2c 22 67 6f 6f 67 6c 65 3a 67 72 6f 75 70 73 69 6e 66 6f 22 3a 22 43 68 67 49 6b 6b 34 53 45 77 6f 52 56 48 4a 6c 62 6d 52 Data Ascii: ","how much are epic universe tickets","nba tnt","spacex falcon 9 rocket launch","ambessa medarda champion abilities","shari restaurants"],["","","","","","","",""],[],{"google:clientdata":{"bpc":false,"tlw":false},"google:groupsinfo":"ChgIkk4SEwoRVHJlbmR
2024-10-23 13:37:31 UTC	1378	IN	Data Raw: 57 78 68 56 7a 4e 45 63 6d 4e 42 51 54 52 61 53 31 4a 53 4e 6a 6c 43 61 55 64 6a 61 46 46 69 51 6b 5a 33 4d 6c 4a 6c 4e 44 68 6b 5a 6e 6b 78 64 33 6f 32 64 57 78 57 4e 55 56 35 5a 55 39 70 4e 6e 42 75 53 33 4a 32 4e 47 6c 4b 56 54 4a 47 54 6b 73 78 52 6e 4e 44 62 47 30 79 54 6b 4a 74 54 33 64 4c 4d 6e 42 55 52 54 6c 30 52 55 39 68 54 6b 39 68 61 6c 4a 30 57 47 31 50 62 6d 31 51 56 45 4e 6b 56 32 46 56 4c 31 52 77 53 32 31 59 4d 6e 6c 45 64 55 52 31 52 6b 52 76 55 57 56 76 65 48 4d 30 4e 55 52 72 63 7a 4a 77 5a 6b 49 30 54 6d 39 70 55 44 6c 5a 62 6e 42 70 54 57 31 73 4d 44 46 76 62 32 6c 30 63 44 6c 76 56 33 56 76 4f 56 5a 4c 4c 32 31 74 51 58 70 49 54 6d 74 6f 53 56 6c 45 62 48 6c 6c 4d 6d 78 4b 53 31 4e 77 53 54 46 30 59 32 56 58 53 6b 56 36 56 30 52 55 Data Ascii: WxhVzNEcmNBQTRaS1JSNjlCaUdjaFFiQkZ3MlJlNDhkZnkxd3o2dWxWNUV5ZU9pNnBuS3J2NGlKVTJGTksxRnNDbG0yTkJtT3dLMnBURTl0RU9hTk9halJ0WG1Pbm1QVENkV2FVL1RwS21YMnlEdUR1RkRvUWVveHM0NURrczJwZkI0Tm9pUDlZbnBpTW1sMDFvb2l0cDlvV3VvOVZLL21tQXpITmtoSVlEbHllMmxKS1NwSTF0Y2VXSkV6V0RU
2024-10-23 13:37:31 UTC	168	IN	Data Raw: 4b 56 32 77 30 5a 30 5a 4b 53 6a 4a 56 55 45 56 5a 56 54 5a 30 52 57 70 61 4e 57 70 76 62 6c 52 7a 4e 30 74 56 57 6c 56 32 55 32 78 72 51 6b 6c 54 54 44 4a 43 53 6b 5a 79 5a 79 74 32 5a 47 70 4f 61 44 4e 72 65 6d 78 54 64 58 4e 44 54 6b 6c 76 4d 46 70 31 55 6d 35 6b 59 57 4a 6b 54 46 4e 7a 65 46 56 53 63 57 73 79 64 6d 4e 49 64 54 68 4e 53 31 68 48 5a 6b 52 45 54 6b 39 52 61 57 5a 49 5a 46 64 77 64 47 4a 74 56 6c 4e 47 5a 45 52 78 5a 46 42 55 52 44 56 44 56 32 6c 61 52 57 70 35 62 58 6c 76 64 0d 0a Data Ascii: KV2w0Z0ZKSjJVUEVZVTZ0RWpaNWpvblRzN0tVWlV2U2xrQklTTDJCSkZyZyt2ZGpOaDNremxTdXNDTklvMFp1Um5kYWJkTFNzeFVScWsydmNIdThNS1hHZkRETk9RaWZIZFdwdGJtVlNGZERxZFBURDVDV2laRWp5bXlvd
2024-10-23 13:37:31 UTC	90	IN	Data Raw: 35 34 0d 0a 48 6c 76 63 55 68 42 55 32 52 54 51 32 74 69 4b 30 39 31 52 6d 5a 71 4d 6c 46 56 4d 47 31 59 53 46 68 69 4e 30 4a 54 53 45 56 44 4f 58 70 73 53 6e 52 79 4e 6b 74 33 4e 45 6c 4e 4e 56 56 69 5a 31 64 4b 53 55 74 72 4e 6d 6c 79 55 6b 39 47 62 55 39 58 4d 0d 0a Data Ascii: 54HlvcUhBU2RTQ2tiK091RmZqMlFVMG1YSFhiN0JTSEVDOXpsSnRyNkt3NElNNVViZ1dKSUtrNmlyUk9GbU9XM
2024-10-23 13:37:31 UTC	1052	IN	Data Raw: 34 31 35 0d 0a 43 39 4f 55 46 42 56 56 55 70 4c 52 55 73 35 62 45 6c 30 5a 6d 4a 78 5a 47 56 31 62 6d 67 78 64 33 70 34 62 55 4a 47 56 47 78 68 53 55 4e 50 61 55 56 77 51 55 45 34 61 47 64 68 65 6b 35 54 5a 32 68 42 54 6d 64 72 51 57 56 74 62 55 78 54 57 6d 39 4b 52 6d 70 77 59 31 6c 6b 64 30 6c 46 62 57 6b 77 52 58 63 76 65 45 52 55 4d 6a 55 78 56 6d 64 34 4d 56 49 79 62 6e 52 72 4f 48 52 4d 61 6d 70 53 54 47 56 31 59 6b 31 77 53 33 4a 46 52 46 45 79 63 32 52 55 59 6e 4a 6d 51 33 70 34 53 6c 45 79 57 6d 4e 76 64 56 4a 6a 63 6b 4e 48 56 57 68 78 54 6a 4a 6c 64 32 68 42 4d 6b 46 42 64 44 46 31 59 69 74 51 57 45 55 78 55 6e 46 55 64 6a 46 78 4d 30 31 54 4b 33 52 44 65 55 4e 46 53 31 4e 79 57 6b 74 79 61 6c 51 30 51 7a 4a 4a 65 58 5a 4e 52 57 64 79 53 6c 41 Data Ascii: 415C9OUFBVVUpLRUs5bEl0ZmJxZGV1bmgxd3p4bUJGVGxhSUNPaUVwQUE4aGdhek5TZ2hBTmdrQWVtbUxTWm9KRmpwY1lkd0lFbWkwRXcveERUMjUxVmd4MVIybnRrOHRMampSTGV1Yk1wS3JFRFEyc2RUYnJmQ3p4SlEyWmNvdVJjckNHVWhxTjJld2hBMkFBdDF1YitQWEUxUnFUdjFxM01TK3RDeUNFS1NyWktyalQ0QzJJeXZNRWdySlA
2024-10-23 13:37:31 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-10-23 13:37:43 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=xrEGEK5HvhS+lcb&MD=BpA6rrL6 HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-23 13:37:43 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440" MS-CorrelationId: 834a6330-fd6e-4246-888e-13a5339e17ec MS-RequestId: f647db53-af1e-43c3-ae68-cdd20b53cfdb MS-CV: v2meuHr6jUe8mTcP.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Wed, 23 Oct 2024 13:37:42 GMT Connection: close Content-Length: 30005
2024-10-23 13:37:43 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK\|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
2024-10-23 13:37:43 UTC	14181	IN	Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro

Timestamp	Bytes transferred	Direction	Data
2024-10-23 13:37:46 UTC	537	OUT	GET /ab HTTP/1.1 Host: evoke-windowsservices-tas.msedge.net Cache-Control: no-store, no-cache X-PHOTOS-CALLERID: 9NMPJ99VJBWV X-EVOKE-RING: X-WINNEXT-RING: Public X-WINNEXT-TELEMETRYLEVEL: Basic X-WINNEXT-OSVERSION: 10.0.19045.0 X-WINNEXT-APPVERSION: 1.23082.131.0 X-WINNEXT-PLATFORM: Desktop X-WINNEXT-CANTAILOR: False X-MSEDGE-CLIENTID: {c1afbad7-f7da-40f2-92f9-8846a91d69bd} X-WINNEXT-PUBDEVICEID: dbfen2nYS7HW6ON4OdOknKxxv2CCI5LJBTojzDztjwI= If-None-Match: 2056388360_-1434155563 Accept-Encoding: gzip, deflate, br
2024-10-23 13:37:46 UTC	209	IN	HTTP/1.1 400 Bad Request X-MSEdge-Ref: Ref A: F28C8C52028E454D826707479AF42018 Ref B: DFW311000104019 Ref C: 2024-10-23T13:37:46Z Date: Wed, 23 Oct 2024 13:37:45 GMT Connection: close Content-Length: 0

Timestamp	Bytes transferred	Direction	Data
2024-10-23 13:37:46 UTC	422	OUT	POST /RST2.srf HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) Content-Length: 3592 Host: login.live.com
2024-10-23 13:37:46 UTC	3592	OUT	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
2024-10-23 13:37:46 UTC	569	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Type: application/soap+xml; charset=utf-8 Expires: Wed, 23 Oct 2024 13:36:46 GMT P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" Referrer-Policy: strict-origin-when-cross-origin x-ms-route-info: C529_BL2 x-ms-request-id: 8a91c472-9da5-4c27-8875-baadeac8d54d PPServer: PPV: 30 H: BL02EPF0001D97D V: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-XSS-Protection: 1; mode=block Date: Wed, 23 Oct 2024 13:37:46 GMT Connection: close Content-Length: 11392
2024-10-23 13:37:46 UTC	11392	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200

Timestamp	Bytes transferred	Direction	Data
2024-10-23 13:37:48 UTC	422	OUT	POST /RST2.srf HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) Content-Length: 4775 Host: login.live.com
2024-10-23 13:37:48 UTC	4775	OUT	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
2024-10-23 13:37:48 UTC	569	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Type: application/soap+xml; charset=utf-8 Expires: Wed, 23 Oct 2024 13:36:48 GMT P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" Referrer-Policy: strict-origin-when-cross-origin x-ms-route-info: C529_SN1 x-ms-request-id: 6663dda0-1ce4-4683-9595-b47053ae56c0 PPServer: PPV: 30 H: SN1PEPF0003FB4B V: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-XSS-Protection: 1; mode=block Date: Wed, 23 Oct 2024 13:37:48 GMT Connection: close Content-Length: 11392
2024-10-23 13:37:48 UTC	11392	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200

Timestamp	Bytes transferred	Direction	Data
2024-10-23 13:37:49 UTC	422	OUT	POST /RST2.srf HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) Content-Length: 4775 Host: login.live.com
2024-10-23 13:37:49 UTC	4775	OUT	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
2024-10-23 13:37:50 UTC	569	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Type: application/soap+xml; charset=utf-8 Expires: Wed, 23 Oct 2024 13:36:49 GMT P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" Referrer-Policy: strict-origin-when-cross-origin x-ms-route-info: C529_BAY x-ms-request-id: 7cf2a2a6-f1ae-4c54-8a84-3d39e6d3181c PPServer: PPV: 30 H: PH1PEPF00011CB4 V: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-XSS-Protection: 1; mode=block Date: Wed, 23 Oct 2024 13:37:49 GMT Connection: close Content-Length: 11392
2024-10-23 13:37:50 UTC	11392	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200

Timestamp	Bytes transferred	Direction	Data
2024-10-23 13:37:51 UTC	422	OUT	POST /RST2.srf HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) Content-Length: 4808 Host: login.live.com
2024-10-23 13:37:51 UTC	4808	OUT	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
2024-10-23 13:37:51 UTC	569	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Type: application/soap+xml; charset=utf-8 Expires: Wed, 23 Oct 2024 13:36:51 GMT P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" Referrer-Policy: strict-origin-when-cross-origin x-ms-route-info: C529_BAY x-ms-request-id: 5a2bffac-4000-427e-b1ab-e9a6846c9d5b PPServer: PPV: 30 H: PH1PEPF00011E57 V: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-XSS-Protection: 1; mode=block Date: Wed, 23 Oct 2024 13:37:51 GMT Connection: close Content-Length: 11197
2024-10-23 13:37:51 UTC	11197	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://gop-win.co/k3I0yr

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Boot Survival

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Chrome Cache Entry: 146

Chrome Cache Entry: 147

Chrome Cache Entry: 148

Chrome Cache Entry: 149

Chrome Cache Entry: 150

Chrome Cache Entry: 151

Chrome Cache Entry: 152

Chrome Cache Entry: 153

Chrome Cache Entry: 154

Chrome Cache Entry: 155

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Windows Analysis Report
https://gop-win.co/k3I0yr

Timestamp	Bytes transferred	Direction	Data
2024-10-23 13:37:52 UTC	2593	OUT	GET /client/config?cc=CH&setlang=en-CH HTTP/1.1 X-Search-CortanaAvailableCapabilities: None X-Search-SafeSearch: Moderate Accept-Encoding: gzip, deflate X-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A} X-UserAgeClass: Unknown X-BM-Market: CH X-BM-DateFormat: dd/MM/yyyy X-Device-OSSKU: 48 X-BM-DTZ: -240 X-DeviceID: 01000A41090080B6 X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66E X-Search-TimeZone: Bias=300; DaylightBias=-60; TimeZoneKeyName=Eastern Standard Time X-BM-Theme: 000000;0078d7 X-Search-RPSToken: t%3DEwDoAkR8BAAUcvamItSE/vUHpyZRp3BeyOJPQDsAAb5G6NOO6clpDSRroKoZlJIHWd19ow0GV0DhcMtQSvsqXeExJtZ5JiwiI55yIDVq6WT1Zb8HnEtk99/LtfJHDbqZVgeBwx3Z1z6ch5c/4Fy2VCpewCQLKcViiqHxskR5Qq9NL9MkON2h0DORsC9Pe/H%2BRNfTSiqJDN9ncl%2B9RnIM2zIZHVcOy/mMUJJZ2ZGDLzek73F9ENxO6Rd794UhgTEV9P72mH%2BhzZ2IrfNmWBdNCf66M5YYhPZPZgtHyGErWTW5SrakD5/aO5%2BcPq2oZ2HX6eOMnWq4Un3qCEzq5nvxYrxmSh6j4C4BHc7IvInrA7%2Bxgu4KkjQYKIyO96Trvl8QZgAAELdrLep4nrTbUzNFC7dWScWwARWbv24pJH9dlPm2iiwtPnQHQ0iP7Wa4akZC6eCUePS0kYaP3LpeUYnk1f1YSJYX8T8nxQVrarEPBnjW%2BsDYWM0zf08q54MDcMICIpKRz%2Bvl/ZGs5%2BPJ%2BQjJKW/wn%2BuSk7%2B5TvD%2BAbzEwTrpcKIPCNB5Cd7bdp0hd%2B4NKOAvOrElyuw0X0volWP1SC6pIeYU3JTtQEhXJndyIK5Z4KrE6cUMMu69QyoNA1tAB9vg9TCcH%2B9f9iJyJ03A7QEdTO2g50MXjWy8jeoqMvbBNDfh4LFSGivxosMCvlavClVkXVmWGX48Q84nuDwvv2KoXQKDLAmYbSe0O10BpGqxWjpqa6pEMF4eL09JwEe/fsFO%2Buam6ZVi9jLeqivl4s95ZfU7%2Bsyp75lSw8fILFjTPkhWTemqdMibnaTAgB9wQOJtD3AHbIc0wSawT/T7NOtGaOLexkQKCYxxU17Cos6jItEs9eiZmAR13JBbzD7PE7IxLmE/CQcvTQtK07ui3IE%2B/5E7bsbB/xCdKjNYatIA0o7FzFGjKGuyu19kc9WQH3ZONcf [TRUNCATED] X-Agent-DeviceId: 01000A41090080B6 X-BM-CBT: 1729690663 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045 X-Device-isOptin: false Accept-language: en-GB, en, en-US X-Device-Touch: false X-Device-ClientSession: 9CB8EE4BF29C4B00A5ECADD9B0898727 X-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI Host: www.bing.com Connection: Keep-Alive Cookie: SRCHUID=V=2&GUID=C4EAB6C130004333A34B5668AE4E4D10&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20240207; SRCHHPGUSR=SRCHLANG=en; MUID=4590362BB5CF472B95BBEDB3112D4B7B; MUIDB=4590362BB5CF472B95BBEDB3112D4B7B
2024-10-23 13:37:53 UTC	1148	IN	HTTP/1.1 200 OK Content-Length: 2215 Content-Type: application/json; charset=utf-8 Cache-Control: private X-EventID: 6718fc31af2245539e5843eab302a83c X-AS-SetSessionMarket: de-ch UserAgentReductionOptOut: A7kgTC5xdZ2WIVGZEfb1hUoNuvjzOZX3VIV/BA6C18kQOOF50Q0D3oWoAm49k3BQImkujKILc7JmPysWk3CSjwUAAACMeyJvcmlnaW4iOiJodHRwczovL3d3dy5iaW5nLmNvbTo0NDMiLCJmZWF0dXJlIjoiU2VuZEZ1bGxVc2VyQWdlbnRBZnRlclJlZHVjdGlvbiIsImV4cGlyeSI6MTY4NDg4NjM5OSwiaXNTdWJkb21haW4iOnRydWUsImlzVGhpcmRQYXJ0eSI6dHJ1ZX0= X-XSS-Protection: 0 P3P: CP="NON UNI COM NAV STA LOC CURa DEVa PSAa PSDa OUR IND" Date: Wed, 23 Oct 2024 13:37:53 GMT Connection: close Set-Cookie: _EDGE_S=SID=3B1383694B0161FC1EE896484A0860B8&mkt=de-ch; domain=.bing.com; path=/; HttpOnly Set-Cookie: ANON=A=84BEA1DAAAB85FA790252CDAFFFFFFFF; domain=.bing.com; expires=Mon, 17-Nov-2025 13:37:53 GMT; path=/; secure; SameSite=None Set-Cookie: WLS=C=0000000000000000&N=; domain=.bing.com; path=/; secure; SameSite=None Set-Cookie: _SS=SID=3B1383694B0161FC1EE896484A0860B8; domain=.bing.com; path=/; secure; SameSite=None Alt-Svc: h3=":443"; ma=93600 X-CDN-TraceID: 0.1ed01702.1729690673.260ed288
2024-10-23 13:37:53 UTC	2215	IN	Data Raw: 7b 22 76 65 72 73 69 6f 6e 22 3a 31 2c 22 63 6f 6e 66 69 67 22 3a 7b 22 46 65 61 74 75 72 65 43 6f 6e 66 69 67 22 3a 7b 22 53 65 61 72 63 68 42 6f 78 49 62 65 61 6d 50 6f 69 6e 74 65 72 4f 6e 48 6f 76 65 72 22 3a 7b 22 76 61 6c 75 65 22 3a 74 72 75 65 2c 22 66 65 61 74 75 72 65 22 3a 22 22 7d 2c 22 53 68 6f 77 53 65 61 72 63 68 47 6c 79 70 68 4c 65 66 74 4f 66 53 65 61 72 63 68 42 6f 78 22 3a 7b 22 76 61 6c 75 65 22 3a 74 72 75 65 2c 22 66 65 61 74 75 72 65 22 3a 22 22 7d 2c 22 53 65 61 72 63 68 42 6f 78 55 73 65 53 65 61 72 63 68 49 63 6f 6e 41 74 52 65 73 74 22 3a 7b 22 76 61 6c 75 65 22 3a 66 61 6c 73 65 2c 22 66 65 61 74 75 72 65 22 3a 22 22 7d 2c 22 53 65 61 72 63 68 42 75 74 74 6f 6e 55 73 65 53 65 61 72 63 68 49 63 6f 6e 22 3a 7b 22 76 61 6c 75 65 Data Ascii: {"version":1,"config":{"FeatureConfig":{"SearchBoxIbeamPointerOnHover":{"value":true,"feature":""},"ShowSearchGlyphLeftOfSearchBox":{"value":true,"feature":""},"SearchBoxUseSearchIconAtRest":{"value":false,"feature":""},"SearchButtonUseSearchIcon":{"value

Target ID:	0
Start time:	09:36:54
Start date:	23/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Imagebase:	0x7ff7d6f10000
File size:	3'242'272 bytes
MD5 hash:	83395EAB5B03DEA9720F8D7AC0D15CAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	1
Start time:	09:36:56
Start date:	23/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 --field-trial-handle=1904,i,12194626097471155259,2016964568004695182,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff7d6f10000
File size:	3'242'272 bytes
MD5 hash:	83395EAB5B03DEA9720F8D7AC0D15CAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	3
Start time:	09:36:58
Start date:	23/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://gop-win.co/k3I0yr"
Imagebase:	0x7ff7d6f10000
File size:	3'242'272 bytes
MD5 hash:	83395EAB5B03DEA9720F8D7AC0D15CAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre