Edit tour

Windows Analysis Report
https://wwwflysascomonlineclaimer.mywire.org/WELCOME/

Overview

General Information

Sample URL:	https://wwwflysascomonlineclaimer.mywire.org/WELCOME/
Analysis ID:	1543704
Infos:

Detection

Score:	1
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

HTTP GET or POST without a user agent

Stores files to the Windows start menu directory

Classification

Process Tree

System is w10x64_ra

chrome.exe (PID: 6932 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

chrome.exe (PID: 7124 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 --field-trial-handle=1948,i,3504498218870267035,404441717337404294,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

chrome.exe (PID: 828 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://wwwflysascomonlineclaimer.mywire.org/WELCOME/" MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

cleanup

HTTP traffic detected: GET /ab HTTP/1.1Host: evoke-windowsservices-tas.msedge.netCache-Control: no-store, no-cacheX-PHOTOS-CALLERID: 9NMPJ99VJBWVX-EVOKE-RING: X-WINNEXT-RING: PublicX-WINNEXT-TELEMETRYLEVEL: BasicX-WINNEXT-OSVERSION: 10.0.19045.0X-WINNEXT-APPVERSION: 1.23082.131.0X-WINNEXT-PLATFORM: DesktopX-WINNEXT-CANTAILOR: FalseX-MSEDGE-CLIENTID: {c1afbad7-f7da-40f2-92f9-8846a91d69bd}X-WINNEXT-PUBDEVICEID: dbfen2nYS7HW6ON4OdOknKxxv2CCI5LJBTojzDztjwI=If-None-Match: 2056388360_-1434155563Accept-Encoding: gzip, deflate, br

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.17
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.17
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200

Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=L52tYlNcWCBCSuo&MD=EM7F1TzN HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /ab HTTP/1.1Host: evoke-windowsservices-tas.msedge.netCache-Control: no-store, no-cacheX-PHOTOS-CALLERID: 9NMPJ99VJBWVX-EVOKE-RING: X-WINNEXT-RING: PublicX-WINNEXT-TELEMETRYLEVEL: BasicX-WINNEXT-OSVERSION: 10.0.19045.0X-WINNEXT-APPVERSION: 1.23082.131.0X-WINNEXT-PLATFORM: DesktopX-WINNEXT-CANTAILOR: FalseX-MSEDGE-CLIENTID: {c1afbad7-f7da-40f2-92f9-8846a91d69bd}X-WINNEXT-PUBDEVICEID: dbfen2nYS7HW6ON4OdOknKxxv2CCI5LJBTojzDztjwI=If-None-Match: 2056388360_-1434155563Accept-Encoding: gzip, deflate, br
Source: global traffic	HTTP traffic detected: GET /client/config?cc=CH&setlang=en-CH HTTP/1.1X-Search-CortanaAvailableCapabilities: NoneX-Search-SafeSearch: ModerateAccept-Encoding: gzip, deflateX-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A}X-UserAgeClass: UnknownX-BM-Market: CHX-BM-DateFormat: dd/MM/yyyyX-Device-OSSKU: 48X-BM-DTZ: -240X-DeviceID: 01000A41090080B6X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66EX-Search-TimeZone: Bias=300; DaylightBias=-60; TimeZoneKeyName=Eastern Standard TimeX-BM-Theme: 000000;0078d7X-Search-RPSToken: t%3DEwDoAkR8BAAUcvamItSE/vUHpyZRp3BeyOJPQDsAAaqyH1y%2BdNrHEZxidwVxEL2tY%2Bodude%2BlWr0yDCX0ld3dZE9MELzCctxA%2BnMG4Xn75vFOtD2CxAsS05Si%2BZiH0NW6JU9fbE6hj1iMpgc053u%2BUHT/VgJqB26WCncjYnATPphQpGUOZS9K8epFRYKSeQJ%2BB%2B%2BJ4%2BoSZSq2Qkj42/KXjWvE%2BSc/UHOkJw4JtfAFiKkbXFbEXm1uJAwxF0vXrjL1M8Vlyx9IL73WIUE3sYCPOcvqr0HDjnyr88Y0I59DE/XgMlI%2BgWyk2LxENRE%2B2yKwNobRyqSMyC8gHUK8%2BQh7aejDH%2BF0npjDFgsyu6OMkBfnQxXxB0CPjBEfxM0mBUQZgAAELIUQnmhjF8WHh3nYEnPkV%2BwARh%2BqsH5eFeRPx347dEhpsejRhhpMoORuFTx15U5ah/IV9thmRaTny%2BcbuU0mILYpZaiLsvp02Hcd5NFY1mg/Qy/OvZY6eYuXW4KA/QMd%2B6l%2BkNQlRnl%2BdrPmHS9dWnZ%2B4%2BWOd%2BN8AF8ph12yoGh%2BvL5SNBy2FbhD1RvDj9XZTNfQrwnw8hRqQbQDi4c34c47RKoM55Bm/WXZ2fPfuolLlpCvRMLEsLMJA8Dj19hzv9uHohG3OqiJ0qLKfcHOTqfgBuWlyAgn0Ut/hMEYFbN3RjbMN5oov3Juzg5iQ7g2osiw5pMf3ZqQK0sJgUbtO1nS9aAGb1oMt1kg%2BXyaZX12EwaX7h7EKrZlYE918zbny0ldQddo3i7uJSrkSUzsDEQVaMu0hMv9AIOXB4%2BS04VMmPr9k%2BiZbjr8AFf/2nSGK2uo9cHsZIWspiVdiHfi2k/FrWcHQefZy3PuoCDrdG0IAxD8So8Zl4tmGOYmAuqSs3HuqKZUdo0omvJOLHn0gtmuzvyw8JMsE1Lfm7CYcpSRknDS7BcPfwpBSz8P7GAvOhOmqri1prJ9Ejjn2l9kxvKMNoB%26p%3DX-Agent-DeviceId: 01000A41090080B6X-BM-CBT: 1730104032User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045X-Device-isOptin: falseAccept-language: en-GB, en, en-USX-Device-Touch: falseX-Device-ClientSession: 23F6C1D4A2EE48369D5624069564ADEEX-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUIHost: www.bing.comConnection: Keep-AliveCookie: SRCHUID=V=2&GUID=C4EAB6C130004333A34B5668AE4E4D10&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20240207; SRCHHPGUSR=SRCHLANG=en; MUID=4590362BB5CF472B95BBEDB3112D4B7B; MUIDB=4590362BB5CF472B95BBEDB3112D4B7B
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=L52tYlNcWCBCSuo&MD=EM7F1TzN HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Source: global traffic	DNS traffic detected: DNS query: wwwflysascomonlineclaimer.mywire.org
Source: global traffic	DNS traffic detected: DNS query: google.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49690 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49680 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49690
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443

Source: unknown	HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.17:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.17:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.17:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.5.88:443 -> 192.168.2.17:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.23.209.181:443 -> 192.168.2.17:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.17:49714 version: TLS 1.2

Source: classification engine

Classification label: clean1.win@22/6@20/5

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Jump to behavior

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 --field-trial-handle=1948,i,3504498218870267035,404441717337404294,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://wwwflysascomonlineclaimer.mywire.org/WELCOME/"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 --field-trial-handle=1948,i,3504498218870267035,404441717337404294,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Google Drive.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	1 Process Injection	1 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Name	IP	Active	Malicious	Reputation
google.com	142.250.184.206	true	false	unknown
www.google.com	142.250.185.196	true	false	unknown
wwwflysascomonlineclaimer.mywire.org	unknown	unknown	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
239.255.255.250	unknown	Reserved		unknown	unknown	false
142.250.185.196	www.google.com	United States		15169	GOOGLEUS	false

Private

IP
192.168.2.13
192.168.2.23
192.168.2.17

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1543704
Start date and time:	2024-10-28 09:25:25 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Sample URL:	https://wwwflysascomonlineclaimer.mywire.org/WELCOME/
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean1.win@22/6@20/5
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, TextInputHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.185.67, 142.250.185.238, 173.194.76.84, 34.104.35.123, 192.229.221.95, 142.250.184.195, 142.250.184.206
Excluded domains from analysis (whitelisted): www.bing.com, clients1.google.com, fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, clientservices.googleapis.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, evoke-windowsservices-tas.msedge.net, update.googleapis.com, clients.l.google.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: https://wwwflysascomonlineclaimer.mywire.org/WELCOME/

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Oct 28 07:26:32 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.9800800767727917
Encrypted:	false
SSDEEP:	48:8xcDdA9TJf7OmHIidAKZdA1JehwiZUklqehqy+3:8xD9Nihpy
MD5:	10FB8D3129C5D70557A5EB6F6DF4D67B
SHA1:	AD410738B112CFE61E02192A1E18EB0BA68DDF8A
SHA-256:	228EA3B72CD93488A166F34500E16A865796B09BB219FA531425EA22F3D482B9
SHA-512:	7E9ECB597470DDD3CD5E6A719F0C607B7975AD6BF55B6E0A0A9A20D67AFD0229B792EB38D7F114132324DBD4C94740A12CE95FBE2E6486E2BCFF0446E2D2A76F
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......Z..)......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.I\YFC....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V\YOC....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.V\YOC....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.V\YOC...........................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V\YQC...........................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........x.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Oct 28 07:26:32 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	3.992934984585225
Encrypted:	false
SSDEEP:	48:8FcDdA9TJf7OmHIidAKZdA10eh/iZUkAQkqehZy+2:8FD9NiD9QQy
MD5:	B879EF116BCD10EEF09FF5D967AC9452
SHA1:	2FEC677538C4B28B592F0FF0C2D7B680F6037CBF
SHA-256:	D9D0A4B68B9D73586D2B758535BE580BF10C7B3101CF3B8C0B768F6306DC1B5B
SHA-512:	0C157DFC7A53E1905B1DA6B6EC8B6910235EABAE9479BAB759ABF0FAC2710A4F40D010356150B242957AE4E6CE3D40A4D7FC9FC62223CB92D5262B5844C03E66
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......N..)......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.I\YFC....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V\YOC....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.V\YOC....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.V\YOC...........................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V\YQC...........................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........x.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:54:41 2023, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2693
Entropy (8bit):	4.0057175748557885
Encrypted:	false
SSDEEP:	48:8ecDdA9TJf7OjHIidAKZdA14tIeh7sFiZUkmgqeh7sny+BX:8eD9Ni8n1y
MD5:	A06A56CA6802B9C4489EC72DB6426EEA
SHA1:	A1DBE65FD4692B9E826224A1F4E8F8F6E15FB935
SHA-256:	1105E387C718FBA267172BE80B6434983F595FD70FB2A9BEC1AA7B4F1DD8898E
SHA-512:	D80D1BF7ACFEA905D553CB760815948E31B98811007703C6AC555C3F4C142B5BCD7FB345E60AF62D1D054F8B8655BBAE4683AAE59CBF0471D6C5A1A7F0FFB450
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.....v. ;.......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.I\YFC....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V\YOC....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.V\YOC....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.V\YOC...........................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.VFW.N...........................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........x.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Oct 28 07:26:32 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.9934364439136907
Encrypted:	false
SSDEEP:	48:8X+cDdA9TJf7OmHIidAKZdA1behDiZUkwqehNy+R:8OD9NiQ/y
MD5:	D9E201CEBAE751B28FE6A359819C1258
SHA1:	FCB066358C913BD5434C839E089B6609C14ED0CD
SHA-256:	190FCD65320FA566EEA73718D829FADF7828CCC6D918B6377CCB2FDB17F69913
SHA-512:	7C3C62504292198EA68E9ADF78C959FCE0258473A6FF3C4618DC0B3B60B896923C138E296F64FDA1729268A41B9DBE1B2D627EB631CE069F1175FD689FEC7C9C
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......F..)......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.I\YFC....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V\YOC....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.V\YOC....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.V\YOC...........................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V\YQC...........................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........x.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Oct 28 07:26:32 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.9824324933892847
Encrypted:	false
SSDEEP:	48:81XcDdA9TJf7OmHIidAKZdA1VehBiZUk1W1qehDy+C:8hD9Niw9jy
MD5:	7CDB349CB33C90186FCB878C851896E8
SHA1:	7C45B925698A70EE0C656B75029BCA4175B22EC4
SHA-256:	A4EAF1FFED478A3FD7D39FF9FF23EF4EE19BE7A48304CDC1363CAB55C0875FDD
SHA-512:	94A401051AA13A61DAF30EBB5E4ADD9F82F5B33BB55527656C7377CFA8E554DF35BE8C4C1DAC43D3A02C77367AF81AD81CDDD7C44255EFDB5764701B3129B97C
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....{.T..)......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.I\YFC....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V\YOC....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.V\YOC....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.V\YOC...........................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V\YQC...........................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........x.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Oct 28 07:26:32 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2683
Entropy (8bit):	3.992449876157923
Encrypted:	false
SSDEEP:	48:8EcDdA9TJf7OmHIidAKZdA1duT6ehOuTbbiZUk5OjqehOuTb1y+yT+:8ED9Ni6TTTbxWOvTb1y7T
MD5:	C8D55688F80A8020C7A845E2CCEEE445
SHA1:	9B608ADF7CC7687D1A64FC36FB6B4297AE5F5CAE
SHA-256:	D2B8AAA38FF9D656790136FA316B07B8AEF8A6776DB5BB5FA180DCD1DD30FCA1
SHA-512:	9EE084B112CA9E2F4E22BDCBF9818E82EB4DC21BAEEFE6015C37319225273B4F24B70574CDA1D54BFE896D116B21BF876BD57B76E56F3B8583DF3236500EB048
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......=..)......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.I\YFC....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V\YOC....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.V\YOC....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.V\YOC...........................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V\YQC...........................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........x.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 28, 2024 09:26:28.922621012 CET	49676	443	192.168.2.17	204.79.197.200
Oct 28, 2024 09:26:28.922621012 CET	49678	443	192.168.2.17	204.79.197.200
Oct 28, 2024 09:26:35.843404055 CET	49704	443	192.168.2.17	142.250.185.196
Oct 28, 2024 09:26:35.843521118 CET	443	49704	142.250.185.196	192.168.2.17
Oct 28, 2024 09:26:35.843643904 CET	49704	443	192.168.2.17	142.250.185.196
Oct 28, 2024 09:26:35.843858957 CET	49704	443	192.168.2.17	142.250.185.196
Oct 28, 2024 09:26:35.843882084 CET	443	49704	142.250.185.196	192.168.2.17
Oct 28, 2024 09:26:36.724528074 CET	443	49704	142.250.185.196	192.168.2.17
Oct 28, 2024 09:26:36.724987030 CET	49704	443	192.168.2.17	142.250.185.196
Oct 28, 2024 09:26:36.725022078 CET	443	49704	142.250.185.196	192.168.2.17
Oct 28, 2024 09:26:36.726604939 CET	443	49704	142.250.185.196	192.168.2.17
Oct 28, 2024 09:26:36.726677895 CET	49704	443	192.168.2.17	142.250.185.196
Oct 28, 2024 09:26:36.727936029 CET	49704	443	192.168.2.17	142.250.185.196
Oct 28, 2024 09:26:36.728015900 CET	443	49704	142.250.185.196	192.168.2.17
Oct 28, 2024 09:26:36.776561975 CET	49704	443	192.168.2.17	142.250.185.196
Oct 28, 2024 09:26:36.776590109 CET	443	49704	142.250.185.196	192.168.2.17
Oct 28, 2024 09:26:36.824588060 CET	49704	443	192.168.2.17	142.250.185.196
Oct 28, 2024 09:26:39.123533010 CET	49705	443	192.168.2.17	20.109.210.53
Oct 28, 2024 09:26:39.123575926 CET	443	49705	20.109.210.53	192.168.2.17
Oct 28, 2024 09:26:39.123682022 CET	49705	443	192.168.2.17	20.109.210.53
Oct 28, 2024 09:26:39.125364065 CET	49705	443	192.168.2.17	20.109.210.53
Oct 28, 2024 09:26:39.125375986 CET	443	49705	20.109.210.53	192.168.2.17
Oct 28, 2024 09:26:39.939709902 CET	443	49705	20.109.210.53	192.168.2.17
Oct 28, 2024 09:26:39.939877987 CET	49705	443	192.168.2.17	20.109.210.53
Oct 28, 2024 09:26:39.942091942 CET	49705	443	192.168.2.17	20.109.210.53
Oct 28, 2024 09:26:39.942107916 CET	443	49705	20.109.210.53	192.168.2.17
Oct 28, 2024 09:26:39.943088055 CET	443	49705	20.109.210.53	192.168.2.17
Oct 28, 2024 09:26:39.995596886 CET	49705	443	192.168.2.17	20.109.210.53
Oct 28, 2024 09:26:40.006036043 CET	49705	443	192.168.2.17	20.109.210.53
Oct 28, 2024 09:26:40.047343016 CET	443	49705	20.109.210.53	192.168.2.17
Oct 28, 2024 09:26:40.277014017 CET	443	49705	20.109.210.53	192.168.2.17
Oct 28, 2024 09:26:40.277076960 CET	443	49705	20.109.210.53	192.168.2.17
Oct 28, 2024 09:26:40.277097940 CET	443	49705	20.109.210.53	192.168.2.17
Oct 28, 2024 09:26:40.277116060 CET	443	49705	20.109.210.53	192.168.2.17
Oct 28, 2024 09:26:40.277127981 CET	49705	443	192.168.2.17	20.109.210.53
Oct 28, 2024 09:26:40.277148962 CET	443	49705	20.109.210.53	192.168.2.17
Oct 28, 2024 09:26:40.277162075 CET	49705	443	192.168.2.17	20.109.210.53
Oct 28, 2024 09:26:40.277168036 CET	443	49705	20.109.210.53	192.168.2.17
Oct 28, 2024 09:26:40.277199984 CET	443	49705	20.109.210.53	192.168.2.17
Oct 28, 2024 09:26:40.277206898 CET	49705	443	192.168.2.17	20.109.210.53
Oct 28, 2024 09:26:40.277241945 CET	443	49705	20.109.210.53	192.168.2.17
Oct 28, 2024 09:26:40.277245998 CET	49705	443	192.168.2.17	20.109.210.53
Oct 28, 2024 09:26:40.277890921 CET	443	49705	20.109.210.53	192.168.2.17
Oct 28, 2024 09:26:40.277968884 CET	49705	443	192.168.2.17	20.109.210.53
Oct 28, 2024 09:26:40.277976990 CET	443	49705	20.109.210.53	192.168.2.17
Oct 28, 2024 09:26:40.278120041 CET	443	49705	20.109.210.53	192.168.2.17
Oct 28, 2024 09:26:40.278177023 CET	49705	443	192.168.2.17	20.109.210.53
Oct 28, 2024 09:26:40.288654089 CET	49705	443	192.168.2.17	20.109.210.53
Oct 28, 2024 09:26:40.288675070 CET	443	49705	20.109.210.53	192.168.2.17
Oct 28, 2024 09:26:40.288688898 CET	49705	443	192.168.2.17	20.109.210.53
Oct 28, 2024 09:26:40.288695097 CET	443	49705	20.109.210.53	192.168.2.17
Oct 28, 2024 09:26:46.713418961 CET	443	49704	142.250.185.196	192.168.2.17
Oct 28, 2024 09:26:46.713608980 CET	443	49704	142.250.185.196	192.168.2.17
Oct 28, 2024 09:26:46.713718891 CET	49704	443	192.168.2.17	142.250.185.196
Oct 28, 2024 09:26:47.432337999 CET	49704	443	192.168.2.17	142.250.185.196
Oct 28, 2024 09:26:47.432384968 CET	443	49704	142.250.185.196	192.168.2.17
Oct 28, 2024 09:26:50.506103992 CET	49675	443	192.168.2.17	204.79.197.203
Oct 28, 2024 09:26:50.808703899 CET	49675	443	192.168.2.17	204.79.197.203
Oct 28, 2024 09:26:51.415304899 CET	49675	443	192.168.2.17	204.79.197.203
Oct 28, 2024 09:26:52.629686117 CET	49675	443	192.168.2.17	204.79.197.203
Oct 28, 2024 09:26:52.641879082 CET	49710	443	192.168.2.17	184.28.90.27
Oct 28, 2024 09:26:52.641916990 CET	443	49710	184.28.90.27	192.168.2.17
Oct 28, 2024 09:26:52.642019987 CET	49710	443	192.168.2.17	184.28.90.27
Oct 28, 2024 09:26:52.643095016 CET	49710	443	192.168.2.17	184.28.90.27
Oct 28, 2024 09:26:52.643116951 CET	443	49710	184.28.90.27	192.168.2.17
Oct 28, 2024 09:26:53.509226084 CET	443	49710	184.28.90.27	192.168.2.17
Oct 28, 2024 09:26:53.509304047 CET	49710	443	192.168.2.17	184.28.90.27
Oct 28, 2024 09:26:53.512325048 CET	49710	443	192.168.2.17	184.28.90.27
Oct 28, 2024 09:26:53.512347937 CET	443	49710	184.28.90.27	192.168.2.17
Oct 28, 2024 09:26:53.512645006 CET	443	49710	184.28.90.27	192.168.2.17
Oct 28, 2024 09:26:53.553670883 CET	49710	443	192.168.2.17	184.28.90.27
Oct 28, 2024 09:26:53.567233086 CET	49710	443	192.168.2.17	184.28.90.27
Oct 28, 2024 09:26:53.607338905 CET	443	49710	184.28.90.27	192.168.2.17
Oct 28, 2024 09:26:53.810451031 CET	443	49710	184.28.90.27	192.168.2.17
Oct 28, 2024 09:26:53.810525894 CET	443	49710	184.28.90.27	192.168.2.17
Oct 28, 2024 09:26:53.810892105 CET	49710	443	192.168.2.17	184.28.90.27
Oct 28, 2024 09:26:53.810945988 CET	443	49710	184.28.90.27	192.168.2.17
Oct 28, 2024 09:26:53.810992002 CET	49710	443	192.168.2.17	184.28.90.27
Oct 28, 2024 09:26:53.811002016 CET	443	49710	184.28.90.27	192.168.2.17
Oct 28, 2024 09:26:53.851047039 CET	49711	443	192.168.2.17	184.28.90.27
Oct 28, 2024 09:26:53.851124048 CET	443	49711	184.28.90.27	192.168.2.17
Oct 28, 2024 09:26:53.851330996 CET	49711	443	192.168.2.17	184.28.90.27
Oct 28, 2024 09:26:53.851897955 CET	49711	443	192.168.2.17	184.28.90.27
Oct 28, 2024 09:26:53.851916075 CET	443	49711	184.28.90.27	192.168.2.17
Oct 28, 2024 09:26:54.668131113 CET	49680	443	192.168.2.17	20.189.173.13
Oct 28, 2024 09:26:54.704472065 CET	443	49711	184.28.90.27	192.168.2.17
Oct 28, 2024 09:26:54.704673052 CET	49711	443	192.168.2.17	184.28.90.27
Oct 28, 2024 09:26:54.706013918 CET	49711	443	192.168.2.17	184.28.90.27
Oct 28, 2024 09:26:54.706022978 CET	443	49711	184.28.90.27	192.168.2.17
Oct 28, 2024 09:26:54.706377029 CET	443	49711	184.28.90.27	192.168.2.17
Oct 28, 2024 09:26:54.707575083 CET	49711	443	192.168.2.17	184.28.90.27
Oct 28, 2024 09:26:54.755342007 CET	443	49711	184.28.90.27	192.168.2.17
Oct 28, 2024 09:26:54.968729019 CET	49680	443	192.168.2.17	20.189.173.13
Oct 28, 2024 09:26:54.973602057 CET	443	49711	184.28.90.27	192.168.2.17
Oct 28, 2024 09:26:54.973745108 CET	443	49711	184.28.90.27	192.168.2.17
Oct 28, 2024 09:26:54.973835945 CET	49711	443	192.168.2.17	184.28.90.27
Oct 28, 2024 09:26:54.974807024 CET	49711	443	192.168.2.17	184.28.90.27
Oct 28, 2024 09:26:54.974829912 CET	443	49711	184.28.90.27	192.168.2.17
Oct 28, 2024 09:26:54.974865913 CET	49711	443	192.168.2.17	184.28.90.27
Oct 28, 2024 09:26:54.974874020 CET	443	49711	184.28.90.27	192.168.2.17
Oct 28, 2024 09:26:55.032725096 CET	49675	443	192.168.2.17	204.79.197.203
Oct 28, 2024 09:26:55.575848103 CET	49680	443	192.168.2.17	20.189.173.13
Oct 28, 2024 09:26:56.788712978 CET	49680	443	192.168.2.17	20.189.173.13
Oct 28, 2024 09:26:59.198810101 CET	49680	443	192.168.2.17	20.189.173.13
Oct 28, 2024 09:26:59.834728003 CET	49675	443	192.168.2.17	204.79.197.203
Oct 28, 2024 09:27:03.113955975 CET	49682	80	192.168.2.17	192.229.211.108
Oct 28, 2024 09:27:03.428761005 CET	49682	80	192.168.2.17	192.229.211.108
Oct 28, 2024 09:27:04.002830029 CET	49680	443	192.168.2.17	20.189.173.13
Oct 28, 2024 09:27:04.034836054 CET	49682	80	192.168.2.17	192.229.211.108
Oct 28, 2024 09:27:05.248786926 CET	49682	80	192.168.2.17	192.229.211.108
Oct 28, 2024 09:27:07.661773920 CET	49682	80	192.168.2.17	192.229.211.108
Oct 28, 2024 09:27:09.446785927 CET	49675	443	192.168.2.17	204.79.197.203
Oct 28, 2024 09:27:12.461821079 CET	49682	80	192.168.2.17	192.229.211.108
Oct 28, 2024 09:27:13.613781929 CET	49680	443	192.168.2.17	20.189.173.13
Oct 28, 2024 09:27:13.621004105 CET	49690	443	192.168.2.17	204.79.197.200
Oct 28, 2024 09:27:13.626270056 CET	443	49690	204.79.197.200	192.168.2.17
Oct 28, 2024 09:27:13.750996113 CET	443	49690	204.79.197.200	192.168.2.17
Oct 28, 2024 09:27:13.751197100 CET	49690	443	192.168.2.17	204.79.197.200
Oct 28, 2024 09:27:13.754317999 CET	49690	443	192.168.2.17	204.79.197.200
Oct 28, 2024 09:27:13.754391909 CET	49690	443	192.168.2.17	204.79.197.200
Oct 28, 2024 09:27:13.754544020 CET	49690	443	192.168.2.17	204.79.197.200
Oct 28, 2024 09:27:13.754590034 CET	49690	443	192.168.2.17	204.79.197.200
Oct 28, 2024 09:27:13.754753113 CET	49690	443	192.168.2.17	204.79.197.200
Oct 28, 2024 09:27:13.759807110 CET	443	49690	204.79.197.200	192.168.2.17
Oct 28, 2024 09:27:13.759932041 CET	443	49690	204.79.197.200	192.168.2.17
Oct 28, 2024 09:27:13.759938002 CET	443	49690	204.79.197.200	192.168.2.17
Oct 28, 2024 09:27:13.759949923 CET	443	49690	204.79.197.200	192.168.2.17
Oct 28, 2024 09:27:13.760006905 CET	443	49690	204.79.197.200	192.168.2.17
Oct 28, 2024 09:27:13.760011911 CET	443	49690	204.79.197.200	192.168.2.17
Oct 28, 2024 09:27:13.805099964 CET	49699	443	192.168.2.17	20.190.160.17
Oct 28, 2024 09:27:13.805167913 CET	49699	443	192.168.2.17	20.190.160.17
Oct 28, 2024 09:27:13.810487032 CET	443	49699	20.190.160.17	192.168.2.17
Oct 28, 2024 09:27:13.810549021 CET	443	49699	20.190.160.17	192.168.2.17
Oct 28, 2024 09:27:13.810555935 CET	443	49699	20.190.160.17	192.168.2.17
Oct 28, 2024 09:27:13.810676098 CET	443	49699	20.190.160.17	192.168.2.17
Oct 28, 2024 09:27:13.810682058 CET	443	49699	20.190.160.17	192.168.2.17
Oct 28, 2024 09:27:13.883275032 CET	443	49690	204.79.197.200	192.168.2.17
Oct 28, 2024 09:27:13.883368015 CET	49690	443	192.168.2.17	204.79.197.200
Oct 28, 2024 09:27:13.916675091 CET	443	49690	204.79.197.200	192.168.2.17
Oct 28, 2024 09:27:13.916805983 CET	49690	443	192.168.2.17	204.79.197.200
Oct 28, 2024 09:27:14.163144112 CET	443	49699	20.190.160.17	192.168.2.17
Oct 28, 2024 09:27:14.163156033 CET	443	49699	20.190.160.17	192.168.2.17
Oct 28, 2024 09:27:14.163172960 CET	443	49699	20.190.160.17	192.168.2.17
Oct 28, 2024 09:27:14.163223028 CET	443	49699	20.190.160.17	192.168.2.17
Oct 28, 2024 09:27:14.163333893 CET	49699	443	192.168.2.17	20.190.160.17
Oct 28, 2024 09:27:14.163362980 CET	49699	443	192.168.2.17	20.190.160.17
Oct 28, 2024 09:27:14.163539886 CET	443	49699	20.190.160.17	192.168.2.17
Oct 28, 2024 09:27:14.163703918 CET	443	49699	20.190.160.17	192.168.2.17
Oct 28, 2024 09:27:14.163712025 CET	443	49699	20.190.160.17	192.168.2.17
Oct 28, 2024 09:27:14.163722038 CET	443	49699	20.190.160.17	192.168.2.17
Oct 28, 2024 09:27:14.163744926 CET	49699	443	192.168.2.17	20.190.160.17
Oct 28, 2024 09:27:14.163748980 CET	443	49699	20.190.160.17	192.168.2.17
Oct 28, 2024 09:27:14.163764000 CET	49699	443	192.168.2.17	20.190.160.17
Oct 28, 2024 09:27:14.164680004 CET	443	49699	20.190.160.17	192.168.2.17
Oct 28, 2024 09:27:14.164755106 CET	49699	443	192.168.2.17	20.190.160.17
Oct 28, 2024 09:27:14.215245962 CET	49712	443	192.168.2.17	2.23.209.181
Oct 28, 2024 09:27:14.215284109 CET	443	49712	2.23.209.181	192.168.2.17
Oct 28, 2024 09:27:14.215383053 CET	49712	443	192.168.2.17	2.23.209.181
Oct 28, 2024 09:27:14.217606068 CET	49712	443	192.168.2.17	2.23.209.181
Oct 28, 2024 09:27:14.217618942 CET	443	49712	2.23.209.181	192.168.2.17
Oct 28, 2024 09:27:14.247203112 CET	49713	443	192.168.2.17	13.107.5.88
Oct 28, 2024 09:27:14.247247934 CET	443	49713	13.107.5.88	192.168.2.17
Oct 28, 2024 09:27:14.247354984 CET	49713	443	192.168.2.17	13.107.5.88
Oct 28, 2024 09:27:14.277885914 CET	49713	443	192.168.2.17	13.107.5.88
Oct 28, 2024 09:27:14.277914047 CET	443	49713	13.107.5.88	192.168.2.17
Oct 28, 2024 09:27:15.028801918 CET	443	49713	13.107.5.88	192.168.2.17
Oct 28, 2024 09:27:15.028882980 CET	49713	443	192.168.2.17	13.107.5.88
Oct 28, 2024 09:27:15.032164097 CET	49713	443	192.168.2.17	13.107.5.88
Oct 28, 2024 09:27:15.032177925 CET	443	49713	13.107.5.88	192.168.2.17
Oct 28, 2024 09:27:15.032685041 CET	443	49713	13.107.5.88	192.168.2.17
Oct 28, 2024 09:27:15.073128939 CET	49713	443	192.168.2.17	13.107.5.88
Oct 28, 2024 09:27:15.082057953 CET	443	49712	2.23.209.181	192.168.2.17
Oct 28, 2024 09:27:15.082128048 CET	49712	443	192.168.2.17	2.23.209.181
Oct 28, 2024 09:27:15.115329027 CET	443	49713	13.107.5.88	192.168.2.17
Oct 28, 2024 09:27:15.128878117 CET	49712	443	192.168.2.17	2.23.209.181
Oct 28, 2024 09:27:15.128890991 CET	443	49712	2.23.209.181	192.168.2.17
Oct 28, 2024 09:27:15.129220009 CET	443	49712	2.23.209.181	192.168.2.17
Oct 28, 2024 09:27:15.129277945 CET	49712	443	192.168.2.17	2.23.209.181
Oct 28, 2024 09:27:15.131196022 CET	49712	443	192.168.2.17	2.23.209.181
Oct 28, 2024 09:27:15.131230116 CET	443	49712	2.23.209.181	192.168.2.17
Oct 28, 2024 09:27:15.199599981 CET	443	49713	13.107.5.88	192.168.2.17
Oct 28, 2024 09:27:15.201020002 CET	443	49713	13.107.5.88	192.168.2.17
Oct 28, 2024 09:27:15.201085091 CET	49713	443	192.168.2.17	13.107.5.88
Oct 28, 2024 09:27:15.203095913 CET	49713	443	192.168.2.17	13.107.5.88
Oct 28, 2024 09:27:15.421009064 CET	443	49712	2.23.209.181	192.168.2.17
Oct 28, 2024 09:27:15.421061993 CET	443	49712	2.23.209.181	192.168.2.17
Oct 28, 2024 09:27:15.421073914 CET	49712	443	192.168.2.17	2.23.209.181
Oct 28, 2024 09:27:15.421089888 CET	443	49712	2.23.209.181	192.168.2.17
Oct 28, 2024 09:27:15.421153069 CET	49712	443	192.168.2.17	2.23.209.181
Oct 28, 2024 09:27:15.421153069 CET	49712	443	192.168.2.17	2.23.209.181
Oct 28, 2024 09:27:15.421494961 CET	443	49712	2.23.209.181	192.168.2.17
Oct 28, 2024 09:27:15.421533108 CET	49712	443	192.168.2.17	2.23.209.181
Oct 28, 2024 09:27:15.421559095 CET	443	49712	2.23.209.181	192.168.2.17
Oct 28, 2024 09:27:15.421605110 CET	49712	443	192.168.2.17	2.23.209.181
Oct 28, 2024 09:27:15.423851013 CET	49712	443	192.168.2.17	2.23.209.181
Oct 28, 2024 09:27:15.423875093 CET	443	49712	2.23.209.181	192.168.2.17
Oct 28, 2024 09:27:15.423907995 CET	49712	443	192.168.2.17	2.23.209.181
Oct 28, 2024 09:27:15.423919916 CET	49712	443	192.168.2.17	2.23.209.181
Oct 28, 2024 09:27:16.685650110 CET	49714	443	192.168.2.17	20.109.210.53
Oct 28, 2024 09:27:16.685715914 CET	443	49714	20.109.210.53	192.168.2.17
Oct 28, 2024 09:27:16.685846090 CET	49714	443	192.168.2.17	20.109.210.53
Oct 28, 2024 09:27:16.686201096 CET	49714	443	192.168.2.17	20.109.210.53
Oct 28, 2024 09:27:16.686233044 CET	443	49714	20.109.210.53	192.168.2.17
Oct 28, 2024 09:27:17.584448099 CET	443	49714	20.109.210.53	192.168.2.17
Oct 28, 2024 09:27:17.584646940 CET	49714	443	192.168.2.17	20.109.210.53
Oct 28, 2024 09:27:17.587599993 CET	49714	443	192.168.2.17	20.109.210.53
Oct 28, 2024 09:27:17.587613106 CET	443	49714	20.109.210.53	192.168.2.17
Oct 28, 2024 09:27:17.587928057 CET	443	49714	20.109.210.53	192.168.2.17
Oct 28, 2024 09:27:17.591600895 CET	49714	443	192.168.2.17	20.109.210.53
Oct 28, 2024 09:27:17.639338017 CET	443	49714	20.109.210.53	192.168.2.17
Oct 28, 2024 09:27:17.745960951 CET	49696	80	192.168.2.17	88.221.110.91
Oct 28, 2024 09:27:17.753583908 CET	80	49696	88.221.110.91	192.168.2.17
Oct 28, 2024 09:27:17.753819942 CET	49696	80	192.168.2.17	88.221.110.91
Oct 28, 2024 09:27:17.854655981 CET	443	49714	20.109.210.53	192.168.2.17
Oct 28, 2024 09:27:17.854686975 CET	443	49714	20.109.210.53	192.168.2.17
Oct 28, 2024 09:27:17.854702950 CET	443	49714	20.109.210.53	192.168.2.17
Oct 28, 2024 09:27:17.854836941 CET	49714	443	192.168.2.17	20.109.210.53
Oct 28, 2024 09:27:17.854866028 CET	443	49714	20.109.210.53	192.168.2.17
Oct 28, 2024 09:27:17.854984045 CET	49714	443	192.168.2.17	20.109.210.53
Oct 28, 2024 09:27:17.856038094 CET	443	49714	20.109.210.53	192.168.2.17
Oct 28, 2024 09:27:17.856082916 CET	443	49714	20.109.210.53	192.168.2.17
Oct 28, 2024 09:27:17.856126070 CET	49714	443	192.168.2.17	20.109.210.53
Oct 28, 2024 09:27:17.856137037 CET	443	49714	20.109.210.53	192.168.2.17
Oct 28, 2024 09:27:17.856168985 CET	49714	443	192.168.2.17	20.109.210.53
Oct 28, 2024 09:27:17.856863976 CET	443	49714	20.109.210.53	192.168.2.17
Oct 28, 2024 09:27:17.857389927 CET	49714	443	192.168.2.17	20.109.210.53
Oct 28, 2024 09:27:17.857391119 CET	49714	443	192.168.2.17	20.109.210.53
Oct 28, 2024 09:27:17.857418060 CET	443	49714	20.109.210.53	192.168.2.17
Oct 28, 2024 09:27:17.857450962 CET	49714	443	192.168.2.17	20.109.210.53
Oct 28, 2024 09:27:17.857459068 CET	443	49714	20.109.210.53	192.168.2.17
Oct 28, 2024 09:27:22.066838026 CET	49682	80	192.168.2.17	192.229.211.108
Oct 28, 2024 09:27:35.898266077 CET	49716	443	192.168.2.17	142.250.185.196
Oct 28, 2024 09:27:35.898297071 CET	443	49716	142.250.185.196	192.168.2.17
Oct 28, 2024 09:27:35.898472071 CET	49716	443	192.168.2.17	142.250.185.196
Oct 28, 2024 09:27:35.898840904 CET	49716	443	192.168.2.17	142.250.185.196
Oct 28, 2024 09:27:35.898850918 CET	443	49716	142.250.185.196	192.168.2.17
Oct 28, 2024 09:27:36.751569033 CET	443	49716	142.250.185.196	192.168.2.17
Oct 28, 2024 09:27:36.752131939 CET	49716	443	192.168.2.17	142.250.185.196
Oct 28, 2024 09:27:36.752145052 CET	443	49716	142.250.185.196	192.168.2.17
Oct 28, 2024 09:27:36.752520084 CET	443	49716	142.250.185.196	192.168.2.17
Oct 28, 2024 09:27:36.752839088 CET	49716	443	192.168.2.17	142.250.185.196
Oct 28, 2024 09:27:36.752892017 CET	443	49716	142.250.185.196	192.168.2.17
Oct 28, 2024 09:27:36.808012962 CET	49716	443	192.168.2.17	142.250.185.196
Oct 28, 2024 09:27:46.749979019 CET	443	49716	142.250.185.196	192.168.2.17
Oct 28, 2024 09:27:46.750063896 CET	443	49716	142.250.185.196	192.168.2.17
Oct 28, 2024 09:27:46.750202894 CET	49716	443	192.168.2.17	142.250.185.196
Oct 28, 2024 09:27:47.428478956 CET	49716	443	192.168.2.17	142.250.185.196
Oct 28, 2024 09:27:47.428514004 CET	443	49716	142.250.185.196	192.168.2.17
Oct 28, 2024 09:28:07.682142973 CET	49697	443	192.168.2.17	20.190.160.17
Oct 28, 2024 09:28:07.688107967 CET	443	49697	20.190.160.17	192.168.2.17
Oct 28, 2024 09:28:07.688241959 CET	49697	443	192.168.2.17	20.190.160.17
Oct 28, 2024 09:28:35.964956045 CET	49718	443	192.168.2.17	142.250.185.132
Oct 28, 2024 09:28:35.965004921 CET	443	49718	142.250.185.132	192.168.2.17
Oct 28, 2024 09:28:35.965101957 CET	49718	443	192.168.2.17	142.250.185.132
Oct 28, 2024 09:28:35.965446949 CET	49718	443	192.168.2.17	142.250.185.132
Oct 28, 2024 09:28:35.965459108 CET	443	49718	142.250.185.132	192.168.2.17
Oct 28, 2024 09:28:36.837335110 CET	443	49718	142.250.185.132	192.168.2.17
Oct 28, 2024 09:28:36.881005049 CET	49718	443	192.168.2.17	142.250.185.132

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 28, 2024 09:26:31.054387093 CET	53	52566	1.1.1.1	192.168.2.17
Oct 28, 2024 09:26:31.245156050 CET	53	49350	1.1.1.1	192.168.2.17
Oct 28, 2024 09:26:31.872112036 CET	57497	53	192.168.2.17	1.1.1.1
Oct 28, 2024 09:26:31.872363091 CET	55265	53	192.168.2.17	1.1.1.1
Oct 28, 2024 09:26:32.018935919 CET	53	57497	1.1.1.1	192.168.2.17
Oct 28, 2024 09:26:32.036324978 CET	53	55265	1.1.1.1	192.168.2.17
Oct 28, 2024 09:26:32.037374020 CET	54057	53	192.168.2.17	1.1.1.1
Oct 28, 2024 09:26:32.189712048 CET	53	54057	1.1.1.1	192.168.2.17
Oct 28, 2024 09:26:32.221170902 CET	64313	53	192.168.2.17	8.8.8.8
Oct 28, 2024 09:26:32.222027063 CET	52405	53	192.168.2.17	1.1.1.1
Oct 28, 2024 09:26:32.228771925 CET	53	64313	8.8.8.8	192.168.2.17
Oct 28, 2024 09:26:32.229376078 CET	53	52405	1.1.1.1	192.168.2.17
Oct 28, 2024 09:26:32.514702082 CET	53	53819	1.1.1.1	192.168.2.17
Oct 28, 2024 09:26:33.237591028 CET	57059	53	192.168.2.17	1.1.1.1
Oct 28, 2024 09:26:33.237899065 CET	64679	53	192.168.2.17	1.1.1.1
Oct 28, 2024 09:26:33.360172987 CET	53	64679	1.1.1.1	192.168.2.17
Oct 28, 2024 09:26:33.385442972 CET	53	57059	1.1.1.1	192.168.2.17
Oct 28, 2024 09:26:35.834575891 CET	65225	53	192.168.2.17	1.1.1.1
Oct 28, 2024 09:26:35.834750891 CET	56777	53	192.168.2.17	1.1.1.1
Oct 28, 2024 09:26:35.841945887 CET	53	65225	1.1.1.1	192.168.2.17
Oct 28, 2024 09:26:35.842519045 CET	53	56777	1.1.1.1	192.168.2.17
Oct 28, 2024 09:26:38.409475088 CET	59093	53	192.168.2.17	1.1.1.1
Oct 28, 2024 09:26:38.409754992 CET	61726	53	192.168.2.17	1.1.1.1
Oct 28, 2024 09:26:38.556162119 CET	53	59093	1.1.1.1	192.168.2.17
Oct 28, 2024 09:26:38.573880911 CET	53	61726	1.1.1.1	192.168.2.17
Oct 28, 2024 09:26:38.574667931 CET	63963	53	192.168.2.17	1.1.1.1
Oct 28, 2024 09:26:38.721251965 CET	53	63963	1.1.1.1	192.168.2.17
Oct 28, 2024 09:26:49.429086924 CET	53	55923	1.1.1.1	192.168.2.17
Oct 28, 2024 09:27:08.214415073 CET	53	65501	1.1.1.1	192.168.2.17
Oct 28, 2024 09:27:08.737123966 CET	65270	53	192.168.2.17	1.1.1.1
Oct 28, 2024 09:27:08.737306118 CET	59221	53	192.168.2.17	1.1.1.1
Oct 28, 2024 09:27:09.037122965 CET	53	65270	1.1.1.1	192.168.2.17
Oct 28, 2024 09:27:09.039299011 CET	53	59221	1.1.1.1	192.168.2.17
Oct 28, 2024 09:27:09.040030956 CET	51732	53	192.168.2.17	1.1.1.1
Oct 28, 2024 09:27:09.048996925 CET	53	51732	1.1.1.1	192.168.2.17
Oct 28, 2024 09:27:31.047360897 CET	53	53141	1.1.1.1	192.168.2.17
Oct 28, 2024 09:27:31.284792900 CET	53	65296	1.1.1.1	192.168.2.17
Oct 28, 2024 09:27:51.887605906 CET	138	138	192.168.2.17	192.168.2.255
Oct 28, 2024 09:28:00.630356073 CET	53	49988	1.1.1.1	192.168.2.17
Oct 28, 2024 09:28:09.064980030 CET	54266	53	192.168.2.17	1.1.1.1
Oct 28, 2024 09:28:09.065164089 CET	64945	53	192.168.2.17	1.1.1.1
Oct 28, 2024 09:28:09.072793961 CET	53	54266	1.1.1.1	192.168.2.17
Oct 28, 2024 09:28:09.090610981 CET	51080	53	192.168.2.17	1.1.1.1
Oct 28, 2024 09:28:09.187355042 CET	53	64945	1.1.1.1	192.168.2.17
Oct 28, 2024 09:28:09.236794949 CET	53	51080	1.1.1.1	192.168.2.17
Oct 28, 2024 09:28:35.955996990 CET	50636	53	192.168.2.17	1.1.1.1
Oct 28, 2024 09:28:35.956171989 CET	54538	53	192.168.2.17	1.1.1.1
Oct 28, 2024 09:28:35.963572979 CET	53	50636	1.1.1.1	192.168.2.17
Oct 28, 2024 09:28:35.964066029 CET	53	54538	1.1.1.1	192.168.2.17

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Oct 28, 2024 09:28:09.187446117 CET	192.168.2.17	1.1.1.1	c245	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 28, 2024 09:26:31.872112036 CET	192.168.2.17	1.1.1.1	0xae09	Standard query (0)	wwwflysascomonlineclaimer.mywire.org	A (IP address)	IN (0x0001)	false
Oct 28, 2024 09:26:31.872363091 CET	192.168.2.17	1.1.1.1	0x55a9	Standard query (0)	wwwflysascomonlineclaimer.mywire.org	65	IN (0x0001)	false
Oct 28, 2024 09:26:32.037374020 CET	192.168.2.17	1.1.1.1	0x6aa0	Standard query (0)	wwwflysascomonlineclaimer.mywire.org	A (IP address)	IN (0x0001)	false
Oct 28, 2024 09:26:32.221170902 CET	192.168.2.17	8.8.8.8	0x759	Standard query (0)	google.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 09:26:32.222027063 CET	192.168.2.17	1.1.1.1	0xe344	Standard query (0)	google.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 09:26:33.237591028 CET	192.168.2.17	1.1.1.1	0xa3f8	Standard query (0)	wwwflysascomonlineclaimer.mywire.org	A (IP address)	IN (0x0001)	false
Oct 28, 2024 09:26:33.237899065 CET	192.168.2.17	1.1.1.1	0xbb3d	Standard query (0)	wwwflysascomonlineclaimer.mywire.org	65	IN (0x0001)	false
Oct 28, 2024 09:26:35.834575891 CET	192.168.2.17	1.1.1.1	0xb359	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 09:26:35.834750891 CET	192.168.2.17	1.1.1.1	0x9809	Standard query (0)	www.google.com	65	IN (0x0001)	false
Oct 28, 2024 09:26:38.409475088 CET	192.168.2.17	1.1.1.1	0x1409	Standard query (0)	wwwflysascomonlineclaimer.mywire.org	A (IP address)	IN (0x0001)	false
Oct 28, 2024 09:26:38.409754992 CET	192.168.2.17	1.1.1.1	0x87eb	Standard query (0)	wwwflysascomonlineclaimer.mywire.org	65	IN (0x0001)	false
Oct 28, 2024 09:26:38.574667931 CET	192.168.2.17	1.1.1.1	0x2ce4	Standard query (0)	wwwflysascomonlineclaimer.mywire.org	A (IP address)	IN (0x0001)	false
Oct 28, 2024 09:27:08.737123966 CET	192.168.2.17	1.1.1.1	0xb6af	Standard query (0)	wwwflysascomonlineclaimer.mywire.org	A (IP address)	IN (0x0001)	false
Oct 28, 2024 09:27:08.737306118 CET	192.168.2.17	1.1.1.1	0x9287	Standard query (0)	wwwflysascomonlineclaimer.mywire.org	65	IN (0x0001)	false
Oct 28, 2024 09:27:09.040030956 CET	192.168.2.17	1.1.1.1	0xe949	Standard query (0)	wwwflysascomonlineclaimer.mywire.org	A (IP address)	IN (0x0001)	false
Oct 28, 2024 09:28:09.064980030 CET	192.168.2.17	1.1.1.1	0xa6e1	Standard query (0)	wwwflysascomonlineclaimer.mywire.org	A (IP address)	IN (0x0001)	false
Oct 28, 2024 09:28:09.065164089 CET	192.168.2.17	1.1.1.1	0x8e70	Standard query (0)	wwwflysascomonlineclaimer.mywire.org	65	IN (0x0001)	false
Oct 28, 2024 09:28:09.090610981 CET	192.168.2.17	1.1.1.1	0x7834	Standard query (0)	wwwflysascomonlineclaimer.mywire.org	A (IP address)	IN (0x0001)	false
Oct 28, 2024 09:28:35.955996990 CET	192.168.2.17	1.1.1.1	0x5121	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 09:28:35.956171989 CET	192.168.2.17	1.1.1.1	0xdc5f	Standard query (0)	www.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 28, 2024 09:26:32.018935919 CET	1.1.1.1	192.168.2.17	0xae09	Name error (3)	wwwflysascomonlineclaimer.mywire.org	none	none	A (IP address)	IN (0x0001)	false
Oct 28, 2024 09:26:32.036324978 CET	1.1.1.1	192.168.2.17	0x55a9	Name error (3)	wwwflysascomonlineclaimer.mywire.org	none	none	65	IN (0x0001)	false
Oct 28, 2024 09:26:32.189712048 CET	1.1.1.1	192.168.2.17	0x6aa0	Name error (3)	wwwflysascomonlineclaimer.mywire.org	none	none	A (IP address)	IN (0x0001)	false
Oct 28, 2024 09:26:32.228771925 CET	8.8.8.8	192.168.2.17	0x759	No error (0)	google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 28, 2024 09:26:32.229376078 CET	1.1.1.1	192.168.2.17	0xe344	No error (0)	google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 28, 2024 09:26:33.360172987 CET	1.1.1.1	192.168.2.17	0xbb3d	Name error (3)	wwwflysascomonlineclaimer.mywire.org	none	none	65	IN (0x0001)	false
Oct 28, 2024 09:26:33.385442972 CET	1.1.1.1	192.168.2.17	0xa3f8	Name error (3)	wwwflysascomonlineclaimer.mywire.org	none	none	A (IP address)	IN (0x0001)	false
Oct 28, 2024 09:26:35.841945887 CET	1.1.1.1	192.168.2.17	0xb359	No error (0)	www.google.com		142.250.185.196	A (IP address)	IN (0x0001)	false
Oct 28, 2024 09:26:35.842519045 CET	1.1.1.1	192.168.2.17	0x9809	No error (0)	www.google.com			65	IN (0x0001)	false
Oct 28, 2024 09:26:38.556162119 CET	1.1.1.1	192.168.2.17	0x1409	Name error (3)	wwwflysascomonlineclaimer.mywire.org	none	none	A (IP address)	IN (0x0001)	false
Oct 28, 2024 09:26:38.573880911 CET	1.1.1.1	192.168.2.17	0x87eb	Name error (3)	wwwflysascomonlineclaimer.mywire.org	none	none	65	IN (0x0001)	false
Oct 28, 2024 09:26:38.721251965 CET	1.1.1.1	192.168.2.17	0x2ce4	Name error (3)	wwwflysascomonlineclaimer.mywire.org	none	none	A (IP address)	IN (0x0001)	false
Oct 28, 2024 09:27:09.037122965 CET	1.1.1.1	192.168.2.17	0xb6af	Name error (3)	wwwflysascomonlineclaimer.mywire.org	none	none	A (IP address)	IN (0x0001)	false
Oct 28, 2024 09:27:09.039299011 CET	1.1.1.1	192.168.2.17	0x9287	Name error (3)	wwwflysascomonlineclaimer.mywire.org	none	none	65	IN (0x0001)	false
Oct 28, 2024 09:27:09.048996925 CET	1.1.1.1	192.168.2.17	0xe949	Name error (3)	wwwflysascomonlineclaimer.mywire.org	none	none	A (IP address)	IN (0x0001)	false
Oct 28, 2024 09:28:09.072793961 CET	1.1.1.1	192.168.2.17	0xa6e1	Name error (3)	wwwflysascomonlineclaimer.mywire.org	none	none	A (IP address)	IN (0x0001)	false
Oct 28, 2024 09:28:09.187355042 CET	1.1.1.1	192.168.2.17	0x8e70	Name error (3)	wwwflysascomonlineclaimer.mywire.org	none	none	65	IN (0x0001)	false
Oct 28, 2024 09:28:09.236794949 CET	1.1.1.1	192.168.2.17	0x7834	Name error (3)	wwwflysascomonlineclaimer.mywire.org	none	none	A (IP address)	IN (0x0001)	false
Oct 28, 2024 09:28:35.963572979 CET	1.1.1.1	192.168.2.17	0x5121	No error (0)	www.google.com		142.250.185.132	A (IP address)	IN (0x0001)	false
Oct 28, 2024 09:28:35.964066029 CET	1.1.1.1	192.168.2.17	0xdc5f	No error (0)	www.google.com			65	IN (0x0001)	false

HTTP Request Dependency Graph

slscr.update.microsoft.com

fs.microsoft.com

evoke-windowsservices-tas.msedge.net

www.bing.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.17	49705	20.109.210.53	443

Timestamp	Bytes transferred	Direction	Data
2024-10-28 08:26:40 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=L52tYlNcWCBCSuo&MD=EM7F1TzN HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-28 08:26:40 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: c222a0a4-7285-4c6e-9b56-b62e5054e8ab MS-RequestId: 021fb922-0edd-4fc7-89ce-3e4c993ee370 MS-CV: 7mxREmlK/UW/l7e4.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Mon, 28 Oct 2024 08:26:39 GMT Connection: close Content-Length: 24490
2024-10-28 08:26:40 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-10-28 08:26:40 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.17	49710	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-10-28 08:26:53 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-10-28 08:26:53 UTC	467	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=188875 Date: Mon, 28 Oct 2024 08:26:53 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.17	49711	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-10-28 08:26:54 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-10-28 08:26:54 UTC	515	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=188928 Date: Mon, 28 Oct 2024 08:26:54 GMT Content-Length: 55 Connection: close X-CID: 2
2024-10-28 08:26:54 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port
3	192.168.2.17	49713	13.107.5.88	443

Timestamp	Bytes transferred	Direction	Data
2024-10-28 08:27:15 UTC	537	OUT	GET /ab HTTP/1.1 Host: evoke-windowsservices-tas.msedge.net Cache-Control: no-store, no-cache X-PHOTOS-CALLERID: 9NMPJ99VJBWV X-EVOKE-RING: X-WINNEXT-RING: Public X-WINNEXT-TELEMETRYLEVEL: Basic X-WINNEXT-OSVERSION: 10.0.19045.0 X-WINNEXT-APPVERSION: 1.23082.131.0 X-WINNEXT-PLATFORM: Desktop X-WINNEXT-CANTAILOR: False X-MSEDGE-CLIENTID: {c1afbad7-f7da-40f2-92f9-8846a91d69bd} X-WINNEXT-PUBDEVICEID: dbfen2nYS7HW6ON4OdOknKxxv2CCI5LJBTojzDztjwI= If-None-Match: 2056388360_-1434155563 Accept-Encoding: gzip, deflate, br
2024-10-28 08:27:15 UTC	209	IN	HTTP/1.1 400 Bad Request X-MSEdge-Ref: Ref A: 260AEFC4297E4812A125EB4563F9378B Ref B: DFW311000107019 Ref C: 2024-10-28T08:27:15Z Date: Mon, 28 Oct 2024 08:27:14 GMT Connection: close Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.17	49712	2.23.209.181	443

Timestamp	Bytes transferred	Direction	Data
2024-10-28 08:27:15 UTC	2613	OUT	GET /client/config?cc=CH&setlang=en-CH HTTP/1.1 X-Search-CortanaAvailableCapabilities: None X-Search-SafeSearch: Moderate Accept-Encoding: gzip, deflate X-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A} X-UserAgeClass: Unknown X-BM-Market: CH X-BM-DateFormat: dd/MM/yyyy X-Device-OSSKU: 48 X-BM-DTZ: -240 X-DeviceID: 01000A41090080B6 X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66E X-Search-TimeZone: Bias=300; DaylightBias=-60; TimeZoneKeyName=Eastern Standard Time X-BM-Theme: 000000;0078d7 X-Search-RPSToken: t%3DEwDoAkR8BAAUcvamItSE/vUHpyZRp3BeyOJPQDsAAaqyH1y%2BdNrHEZxidwVxEL2tY%2Bodude%2BlWr0yDCX0ld3dZE9MELzCctxA%2BnMG4Xn75vFOtD2CxAsS05Si%2BZiH0NW6JU9fbE6hj1iMpgc053u%2BUHT/VgJqB26WCncjYnATPphQpGUOZS9K8epFRYKSeQJ%2BB%2B%2BJ4%2BoSZSq2Qkj42/KXjWvE%2BSc/UHOkJw4JtfAFiKkbXFbEXm1uJAwxF0vXrjL1M8Vlyx9IL73WIUE3sYCPOcvqr0HDjnyr88Y0I59DE/XgMlI%2BgWyk2LxENRE%2B2yKwNobRyqSMyC8gHUK8%2BQh7aejDH%2BF0npjDFgsyu6OMkBfnQxXxB0CPjBEfxM0mBUQZgAAELIUQnmhjF8WHh3nYEnPkV%2BwARh%2BqsH5eFeRPx347dEhpsejRhhpMoORuFTx15U5ah/IV9thmRaTny%2BcbuU0mILYpZaiLsvp02Hcd5NFY1mg/Qy/OvZY6eYuXW4KA/QMd%2B6l%2BkNQlRnl%2BdrPmHS9dWnZ%2B4%2BWOd%2BN8AF8ph12yoGh%2BvL5SNBy2FbhD1RvDj9XZTNfQrwnw8hRqQbQDi4c34c47RKoM55Bm/WXZ2fPfuolLlpCvRMLEsLMJA8Dj19hzv9uHohG3OqiJ0qLKfcHOTqfgBuWlyAgn0Ut/hMEYFbN3RjbMN5oov3Juzg5iQ7g2osiw5pMf3ZqQK0sJgUbtO1nS9aAGb1oMt1kg%2BXyaZX12EwaX7h7EKrZlYE918zbny0ldQddo3i7uJSrkSUzsDEQVaMu0hMv9AIOXB4%2BS04VMmPr9k%2BiZbjr8AFf/2nSGK2uo9cHsZIWspiVdiHfi2k/FrWcHQefZy3PuoCDrdG0IAxD8So8Zl4tmGOYmAuqSs3HuqKZUdo0omvJOLHn0gtmuzvyw8JMsE1Lfm7CYcpSR [TRUNCATED] X-Agent-DeviceId: 01000A41090080B6 X-BM-CBT: 1730104032 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045 X-Device-isOptin: false Accept-language: en-GB, en, en-US X-Device-Touch: false X-Device-ClientSession: 23F6C1D4A2EE48369D5624069564ADEE X-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI Host: www.bing.com Connection: Keep-Alive Cookie: SRCHUID=V=2&GUID=C4EAB6C130004333A34B5668AE4E4D10&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20240207; SRCHHPGUSR=SRCHLANG=en; MUID=4590362BB5CF472B95BBEDB3112D4B7B; MUIDB=4590362BB5CF472B95BBEDB3112D4B7B
2024-10-28 08:27:15 UTC	1147	IN	HTTP/1.1 200 OK Content-Length: 2215 Content-Type: application/json; charset=utf-8 Cache-Control: private X-EventID: 671f4ae31b9f4d34bcde66fc730d0b33 X-AS-SetSessionMarket: de-ch UserAgentReductionOptOut: A7kgTC5xdZ2WIVGZEfb1hUoNuvjzOZX3VIV/BA6C18kQOOF50Q0D3oWoAm49k3BQImkujKILc7JmPysWk3CSjwUAAACMeyJvcmlnaW4iOiJodHRwczovL3d3dy5iaW5nLmNvbTo0NDMiLCJmZWF0dXJlIjoiU2VuZEZ1bGxVc2VyQWdlbnRBZnRlclJlZHVjdGlvbiIsImV4cGlyeSI6MTY4NDg4NjM5OSwiaXNTdWJkb21haW4iOnRydWUsImlzVGhpcmRQYXJ0eSI6dHJ1ZX0= X-XSS-Protection: 0 P3P: CP="NON UNI COM NAV STA LOC CURa DEVa PSAa PSDa OUR IND" Date: Mon, 28 Oct 2024 08:27:15 GMT Connection: close Set-Cookie: _EDGE_S=SID=2231E5A280DD62520686F08481A56329&mkt=de-ch; domain=.bing.com; path=/; HttpOnly Set-Cookie: ANON=A=84BEA1DAAAB85FA790252CDAFFFFFFFF; domain=.bing.com; expires=Sat, 22-Nov-2025 08:27:15 GMT; path=/; secure; SameSite=None Set-Cookie: WLS=C=0000000000000000&N=; domain=.bing.com; path=/; secure; SameSite=None Set-Cookie: _SS=SID=2231E5A280DD62520686F08481A56329; domain=.bing.com; path=/; secure; SameSite=None Alt-Svc: h3=":443"; ma=93600 X-CDN-TraceID: 0.40d01702.1730104035.b31ea4a
2024-10-28 08:27:15 UTC	2215	IN	Data Raw: 7b 22 76 65 72 73 69 6f 6e 22 3a 31 2c 22 63 6f 6e 66 69 67 22 3a 7b 22 46 65 61 74 75 72 65 43 6f 6e 66 69 67 22 3a 7b 22 53 65 61 72 63 68 42 6f 78 49 62 65 61 6d 50 6f 69 6e 74 65 72 4f 6e 48 6f 76 65 72 22 3a 7b 22 76 61 6c 75 65 22 3a 74 72 75 65 2c 22 66 65 61 74 75 72 65 22 3a 22 22 7d 2c 22 53 68 6f 77 53 65 61 72 63 68 47 6c 79 70 68 4c 65 66 74 4f 66 53 65 61 72 63 68 42 6f 78 22 3a 7b 22 76 61 6c 75 65 22 3a 74 72 75 65 2c 22 66 65 61 74 75 72 65 22 3a 22 22 7d 2c 22 53 65 61 72 63 68 42 6f 78 55 73 65 53 65 61 72 63 68 49 63 6f 6e 41 74 52 65 73 74 22 3a 7b 22 76 61 6c 75 65 22 3a 66 61 6c 73 65 2c 22 66 65 61 74 75 72 65 22 3a 22 22 7d 2c 22 53 65 61 72 63 68 42 75 74 74 6f 6e 55 73 65 53 65 61 72 63 68 49 63 6f 6e 22 3a 7b 22 76 61 6c 75 65 Data Ascii: {"version":1,"config":{"FeatureConfig":{"SearchBoxIbeamPointerOnHover":{"value":true,"feature":""},"ShowSearchGlyphLeftOfSearchBox":{"value":true,"feature":""},"SearchBoxUseSearchIconAtRest":{"value":false,"feature":""},"SearchButtonUseSearchIcon":{"value

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.17	49714	20.109.210.53	443

Timestamp	Bytes transferred	Direction	Data
2024-10-28 08:27:17 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=L52tYlNcWCBCSuo&MD=EM7F1TzN HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-28 08:27:17 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440" MS-CorrelationId: f1e861d9-5dcb-4202-9ca4-9b0c1a444a18 MS-RequestId: b2120365-7e57-4fe2-901b-492b00d0cb9b MS-CV: 64aJdWOy3U2/PHn0.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Mon, 28 Oct 2024 08:27:17 GMT Connection: close Content-Length: 30005
2024-10-28 08:27:17 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK\|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
2024-10-28 08:27:17 UTC	14181	IN	Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro

Target ID:	0
Start time:	04:26:29
Start date:	28/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Imagebase:	0x7ff7d6f10000
File size:	3'242'272 bytes
MD5 hash:	83395EAB5B03DEA9720F8D7AC0D15CAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	04:26:30
Start date:	28/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 --field-trial-handle=1948,i,3504498218870267035,404441717337404294,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff7d6f10000
File size:	3'242'272 bytes
MD5 hash:	83395EAB5B03DEA9720F8D7AC0D15CAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	04:26:31
Start date:	28/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://wwwflysascomonlineclaimer.mywire.org/WELCOME/"
Imagebase:	0x7ff7d6f10000
File size:	3'242'272 bytes
MD5 hash:	83395EAB5B03DEA9720F8D7AC0D15CAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://wwwflysascomonlineclaimer.mywire.org/WELCOME/

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Boot Survival

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: chrome.exePID: 6932, Parent PID: 3820

General

Chronological Activities

Analysis Process: chrome.exePID: 7124, Parent PID: 6932

General

Chronological Activities

Analysis Process: chrome.exePID: 828, Parent PID: 3820

General

Chronological Activities

Disassembly

Windows Analysis Report
https://wwwflysascomonlineclaimer.mywire.org/WELCOME/