Edit tour

Windows Analysis Report
Axens_Jechan.lee.docx

Overview

General Information

Sample name:	Axens_Jechan.lee.docx
Analysis ID:	1618867
MD5:	5321c402a0a880ab7774c798c0788ca8
SHA1:	26864ca76f748cd7d3c49d65c6cfb948d33e1fa9
SHA256:	f4551296f943a4a07f178e70d4e2cb24eff452ce5d189485d8c9b010e3c5a222
Infos:

Detection

Score:	56
Range:	0 - 100
Confidence:	100%

Signatures

Suricata IDS alerts for network traffic

AI detected landing page (webpage, office document or email)

AI detected suspicious URL

Detected non-DNS traffic on DNS port

IP address seen in connection with other malware

Stores files to the Windows start menu directory

Classification

Process Tree

System is w10x64_ra

WINWORD.EXE (PID: 6900 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\Desktop\Axens_Jechan.lee.docx" /o "" MD5: 1A0C2C2E7D9C4BC18E91604E9B0C7678)

chrome.exe (PID: 1092 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://studiotokyo.com.br/box/fkfjkfjf/amVjaGFuLmxlZUBheGVucy5uZXQ=%25E3%2580%2582 MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

chrome.exe (PID: 6516 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=2068,i,2146915433265339391,3391795401891623885,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

cleanup

Suricata Signatures

ETPRO PHISHING JS/PsyduckPockeball Payload Inbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-19T08:57:07.980546+0100	2857090	1	Successful Credential Theft Detected	165.22.92.18	443	192.168.2.17	49719	TCP

Joe Sandbox Signatures

• Phishing
• Networking
• System Summary
• Boot Survival
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion

Click to jump to signature section

Show All Signature Results

Phishing

AI detected landing page (webpage, office document or email)

Source: Office document	Joe Sandbox AI: Office document contains QR code
Source: https://micrsofts-outook-microsoft-0utlook.saptechsolution.com/?mm=amVjaGFuLmxlZUBheGVucy5uZXQ=%C3%A3%C2%80%C2%82	Joe Sandbox AI: Page contains button: 'CONFIRM' Source: '2.1.pages.csv'
Source: Screenshot id: 2	Joe Sandbox AI: Screenshot id: 2 contains QR code

AI detected suspicious URL

Source: https://micrsofts-outook-microsoft-0utlook.saptechsolution.com

Joe Sandbox AI: The URL 'https://micrsofts-outook-microsoft-0utlook.saptechsolution.com' exhibits several characteristics indicative of typosquatting. The brand 'Microsoft Outlook' is globally recognized, and the legitimate URL is 'https://outlook.live.com'. The analyzed URL uses visual character substitutions such as 'micrsofts' instead of 'microsoft' and '0utlook' with a zero instead of 'outlook'. Additionally, the structure of the URL includes multiple misleading elements: 'micrsofts', 'outook', and '0utlook', which are all close misspellings of 'Microsoft' and 'Outlook'. The use of a subdomain 'saptechsolution.com' does not suggest a legitimate purpose related to Microsoft Outlook, increasing the likelihood of user confusion. The combination of these factors results in a high similarity score of 8 and a spoofed likelihood score of 9, indicating a strong possibility of typosquatting.

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2857090 - Severity 1 - ETPRO PHISHING JS/PsyduckPockeball Payload Inbound : 165.22.92.18:443 -> 192.168.2.17:49719

Source: global traffic

TCP traffic: 192.168.2.17:62815 -> 1.1.1.1:53

Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250
Source: Joe Sandbox View	IP Address: 191.252.141.106 191.252.141.106
Source: Joe Sandbox View	IP Address: 191.252.141.106 191.252.141.106

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /box/fkfjkfjf/amVjaGFuLmxlZUBheGVucy5uZXQ=%25E3%2580%2582 HTTP/1.1Host: studiotokyo.com.brConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /?mm=amVjaGFuLmxlZUBheGVucy5uZXQ=%C3%A3%C2%80%C2%82 HTTP/1.1Host: micrsofts-outook-microsoft-0utlook.saptechsolution.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: documentReferer: https://studiotokyo.com.br/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: global traffic	DNS traffic detected: DNS query: studiotokyo.com.br
Source: global traffic	DNS traffic detected: DNS query: micrsofts-outook-microsoft-0utlook.saptechsolution.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: chromecache_79.6.dr

String found in binary or memory: https://microsodt-office-office.perfitassi.com.br/?vcES=nVt6Go

Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63069 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown	Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63069
Source: unknown	Network traffic detected: HTTP traffic on port 49680 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: classification engine

Classification label: mal56.winDOCX@17/9@6/5

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File created: C:\Users\user\Desktop\~$ens_Jechan.lee.docx

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\{1901E938-4865-49A1-A7DA-7E4DB9D75F0C} - OProcSessId.dat

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\Desktop\Axens_Jechan.lee.docx" /o ""
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://studiotokyo.com.br/box/fkfjkfjf/amVjaGFuLmxlZUBheGVucy5uZXQ=%25E3%2580%2582
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=2068,i,2146915433265339391,3391795401891623885,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=2068,i,2146915433265339391,3391795401891623885,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Google Drive.lnk.4.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.4.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.4.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.4.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.4.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.4.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Process information queried: ProcessInformation

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	2 Browser Extensions	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	1 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Axens_Jechan.lee.docx	0%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
https://microsodt-office-office.perfitassi.com.br/?vcES=nVt6Go	0%	Avira URL Cloud	safe

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Reputation
studiotokyo.com.br	191.252.141.106	true	false	high
micrsofts-outook-microsoft-0utlook.saptechsolution.com	165.22.92.18	true	false	high
www.google.com	142.250.186.164	true	false	high
s-0005.dual-s-msedge.net	52.123.128.14	true	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://studiotokyo.com.br/box/fkfjkfjf/amVjaGFuLmxlZUBheGVucy5uZXQ=%25E3%2580%2582	false		unknown
https://micrsofts-outook-microsoft-0utlook.saptechsolution.com/?mm=amVjaGFuLmxlZUBheGVucy5uZXQ=%C3%A3%C2%80%C2%82	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://microsodt-office-office.perfitassi.com.br/?vcES=nVt6Go	chromecache_79.6.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
165.22.92.18	micrsofts-outook-microsoft-0utlook.saptechsolution.com	United States	14061	DIGITALOCEAN-ASNUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.186.164	www.google.com	United States	15169	GOOGLEUS	false
191.252.141.106	studiotokyo.com.br	Brazil	27715	LocawebServicosdeInternetSABR	false

Private

IP
192.168.2.17

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1618867
Start date and time:	2025-02-19 08:56:26 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Axens_Jechan.lee.docx
Detection:	MAL
Classification:	mal56.winDOCX@17/9@6/5
Cookbook Comments:	Found application associated with file extension: .docx

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, TextInputHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.109.89.18, 52.109.76.243, 2.19.106.160, 199.232.210.172, 52.111.236.35, 52.111.236.33, 52.111.236.34, 52.111.236.32, 142.250.185.131, 216.58.206.78, 173.194.76.84, 142.250.185.206, 142.250.181.238, 20.42.73.26, 2.23.77.188, 95.101.182.98, 95.101.182.66, 216.58.206.46, 172.217.18.14, 172.217.23.110, 142.250.185.110, 142.250.186.174, 142.250.186.131, 172.217.18.110, 142.250.186.142, 142.250.184.238, 52.123.128.14, 20.190.160.17, 4.175.87.197, 13.107.246.61, 13.107.5.88, 2.19.122.26
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, templatesmetadata.office.net.edgekey.net, clientservices.googleapis.com, weu-azsc-config.officeapps.live.com, eur.roaming1.live.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, neu-azsc-000.roaming.officeapps.live.com, roaming.officeapps.live.com, dual-s-0005-office.config.skype.com, clients2.google.com, ocsp.digicert.com, redirector.gvt1.com, login.live.com, e16604.g.akamaiedge.net, onedscolprdeus09.eastus.cloudapp.azure.com, update.googleapis.com, officeclient.microsoft.com, templatesmetadata.office.net, prod.fs.microsoft.com.akadns.net, www.bing.com, clients1.google.com, ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, accounts.google.com, otelrules.azureedge.net, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, fe3cr.delivery.mp.microsoft.com, prod1.naturallanguagee
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Source	URL
Screenshot	https://studiotokyo.com.br/box/fkfjkfjf/amVjaGFuLmxlZUBheGVucy5uZXQ=%25E3%2580%2582

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
239.255.255.250	http://elcharrousa.com	Get hash	malicious	Unknown	Browse
	https://ddei5-0-ctp.trendmicro.com/wis/clicktime/v1/query?url=https%3a%2f%2fapp.keila.io%2fforms%2fnfrm%5fzLV2d53K&umid=B9EF3FE5-2E6C-5706-A456-2B194E006165&auth=3412ced9ac9ff58968b2314c21ea887911633a2e-2558529aa7f626e5f3c4b60ccff9baebff109cd8	Get hash	malicious	Unknown	Browse
	8tlRyRNJXL.lnk	Get hash	malicious	MalLnk	Browse
	http://google.com/url?q=https://www.google.com/url?q%3Dhttps://www.google.com/url?q%253Dhttps://www.google.com/url?q%25253Damp/jiston.store/new/auth/u17dwe41g0r18cv44gdrbngc/dmljdGltQGV4YW1wbGUuY29t	Get hash	malicious	Unknown	Browse
	http://login.live	Get hash	malicious	Unknown	Browse
	https://micrsofts-outook-microsoft-0utlook.saptechsolution.com/?mm=YXJpZi5kYXVkQGJ1bWlhcm1hZGEuY29t%C3%A3%C2%80%C2%82	Get hash	malicious	HTMLPhisher	Browse
	NlHybrid.exe	Get hash	malicious	Titanium Proxy, PureLog Stealer, XWorm	Browse
	https://uxdtechx.com/images/myoffice/office365	Get hash	malicious	Unknown	Browse
	http://www.asphaltprofessionals.com	Get hash	malicious	CAPTCHA Scam ClickFix	Browse
	https://rnicrosoft-secured-office.squarespace.com/sharepointcoc?e=bob_smith@gmail.com	Get hash	malicious	HTMLPhisher	Browse
165.22.92.18	https://micrsofts-outook-microsoft-0utlook.saptechsolution.com/?mm=YXJpZi5kYXVkQGJ1bWlhcm1hZGEuY29t%C3%A3%C2%80%C2%82	Get hash	malicious	HTMLPhisher	Browse
	Zehndergroup_Aliis.allandi-1.docx	Get hash	malicious	HTMLPhisher	Browse
	Zehndergroup_Aliis.allandi-1.docx	Get hash	malicious	HTMLPhisher	Browse
	Zehndergroup_Aliis.allandi-1.docx	Get hash	malicious	HTMLPhisher	Browse
191.252.141.106	https://za.zalo.me/v3/verifyv2/pv6qyc?token=OcNsmjfpL0XY2F3BtHzNRs4A-hhQ5q5sPXtbk3O&continue=ANToniopneus.com.br/dayo/epfsr/captcha/U2FyYWguU2VsYnlAdWtyaS5vcmc=$%E3%80%82	Get hash	malicious	HTMLPhisher	Browse	antoniopneus.com.br/favicon.ico
	https://vk.com/away.php?to=https://tracker.club-os.com///////campaign/click?msgId=d738c6bd137e6a03157c6c728cbc659e734fc398%26test=false%26target=neoparts.com.br/gben/mo1n/anB1cmR1bUBvcC1mLm9yZw==$	Get hash	malicious	Fake Captcha	Browse	neoparts.com.br/favicon.ico
	http://neoparts.com.br./driz/oybe/am9sZW5lLmJ1cm5zQHNlY3VydXN0ZWNobm9sb2dpZXMuY29t$?utp=consumer&	Get hash	malicious	HTMLPhisher	Browse	neoparts.com.br./favicon.ico
	https://urldefense.com/v3/__https://adclick.g.doubleclick.net/pcs/click?b2tuY41515N2435yMX419snVO7695-2024-McWAN324SCAN&&adurl=Atracker.club-os.comCcampaignclick8ymfqmsgId=d738c6bd137e6a03157c6c728cbc659e734fc39826test=false26target=neopartsBcomBbr2Fdodo2Fes8qj2F*2FamxpbjJAbW9vZy5jb20=$__;Ly8vLy8vLy8_JSXjgILjgIIlJSUl!!EhqYCQ!fXdc6vQjcCJOoS8BYlNUvv3DEx-Bdjf9gHdJcCKMrE6GO7o-8hvti7bNgb9cqWsZW4YBRttxc-7pog$	Get hash	malicious	Unknown	Browse	www.neoparts.com.br/wp-includes/js/wp-emoji-release.min.js?ver=6.4.4
	https://tracker.club-os.com////campaign/click?msgId=d738c6bd137e6a03157c6c728cbc659e734fc398&test=false&target=neoparts%25E3%2580%2582com%25E3%2580%2582br%2Fdodo%2F5NUMBER%2F%2FbHVjeUBjYXBlbGxhc3BhY2UuY29t$&	Get hash	malicious	Fake Captcha, HTMLPhisher	Browse	neoparts.com.br/favicon.ico
	https://m.exactag.com/ai.aspx?tc=d9069342bc40b07205bbd26a23a8d2e6b6b4f9&url=http%253Aneoparts.com.br/dodo/03330%2F%2FZXVuaWNlLmJyYW5jb0BiYW5jb2Jlc3QucHQ=$	Get hash	malicious	Fake Captcha, HTMLPhisher	Browse	neoparts.com.br/favicon.ico
	https://m.exactag.com/ai.aspx?tc=d9069342bc40b07205bbd26a23a8d2e6b6b4f9&url=http%253Aneoparts.com.br/dodo/03330%2F%2FZXVuaWNlLmJyYW5jb0BiYW5jb2Jlc3QucHQ=$	Get hash	malicious	Fake Captcha, HTMLPhisher	Browse	neoparts.com.br/favicon.ico

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
micrsofts-outook-microsoft-0utlook.saptechsolution.com	https://micrsofts-outook-microsoft-0utlook.saptechsolution.com/?mm=YXJpZi5kYXVkQGJ1bWlhcm1hZGEuY29t%C3%A3%C2%80%C2%82	Get hash	malicious	HTMLPhisher	Browse	165.22.92.18
s-0005.dual-s-msedge.net	Quote US7756424AA.xla.xlsx	Get hash	malicious	Unknown	Browse	52.123.128.14
	Quote US7756424AA.xla.xlsx	Get hash	malicious	Unknown	Browse	52.123.129.14
	Order 5500ZZAA5546.xla.xlsx	Get hash	malicious	Unknown	Browse	52.123.129.14
	Invoice.xla.xlsx	Get hash	malicious	Unknown	Browse	52.123.128.14
	Order 5500ZZAA5546.xla.xlsx	Get hash	malicious	Unknown	Browse	52.123.128.14
	Invoice.xla.xlsx	Get hash	malicious	Unknown	Browse	52.123.128.14
	Order 5500ZZAA5546.xla.xlsx	Get hash	malicious	Unknown	Browse	52.123.129.14
	Invoice.xla.xlsx	Get hash	malicious	Unknown	Browse	52.123.128.14
	email (31).eml	Get hash	malicious	Unknown	Browse	52.123.129.14
	phish_alert_sp2_2.0.0.0 (14).eml	Get hash	malicious	Unknown	Browse	52.123.129.14
studiotokyo.com.br	Zehndergroup_Aliis.allandi-1.docx	Get hash	malicious	HTMLPhisher	Browse	191.252.141.106
	Zehndergroup_Aliis.allandi-1.docx	Get hash	malicious	HTMLPhisher	Browse	191.252.141.106
	Zehndergroup_Aliis.allandi-1.docx	Get hash	malicious	HTMLPhisher	Browse	191.252.141.106

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
LocawebServicosdeInternetSABR	Zehndergroup_Aliis.allandi-1.docx	Get hash	malicious	HTMLPhisher	Browse	191.252.141.106
	Zehndergroup_Aliis.allandi-1.docx	Get hash	malicious	HTMLPhisher	Browse	191.252.141.106
	Zehndergroup_Aliis.allandi-1.docx	Get hash	malicious	HTMLPhisher	Browse	191.252.141.106
	Roel.waeijen Open annual.pdf	Get hash	malicious	HTMLPhisher	Browse	191.252.141.106
	Michael.langedijk Vacations and salaries.pdf	Get hash	malicious	HTMLPhisher	Browse	191.252.141.106
	Vanessa.fevre Open annual.pdf	Get hash	malicious	HTMLPhisher	Browse	191.252.141.106
	botnet.mips.elf	Get hash	malicious	Mirai, Moobot	Browse	177.52.131.49
	https://wtow.com.br/jr	Get hash	malicious	Unknown	Browse	191.252.83.211
	x86.elf	Get hash	malicious	Unknown	Browse	179.188.242.109
	https://alexaonlineshop.com/0.html?send_id=eh&tvi2_RxT=www.networksolutionsemail.com%2FntpdkptJegwgUbePDCPPdVkFuvAlhtlBYyzZldVkFuvAlhtlBYyzZlPwcjpjmntpdkptJegwgUbePDCPPdVkFuvAlhtlBYyzZlntpdkptJegwgUbePDCPPdVkFuvAlhtlBYyzZl&e=bS5ldmFuc0BhbmRhcmlhLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	191.252.83.228
DIGITALOCEAN-ASNUS	https://micrsofts-outook-microsoft-0utlook.saptechsolution.com/?mm=YXJpZi5kYXVkQGJ1bWlhcm1hZGEuY29t%C3%A3%C2%80%C2%82	Get hash	malicious	HTMLPhisher	Browse	165.22.92.18
	https://adminatttse0n.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	165.227.196.62
	http://www.pagina.pro/help-facebook-support-business-authentication-accountscenter-checkpoint-next/	Get hash	malicious	Unknown	Browse	162.243.189.2
	https://btj6evhbb.cc.rs6.net/tn.jsp?f=001O6VdiJpoNciqHYrKzWc2s_9jZju9PsLfrtt4DPjmU4fLhPP8Dxa7MNYz-1mi2E7txdZJtqjd-WaZK1pkDZCxXoJjHMh3xrgYC3BT2bceqTTarsgUr8ffQp0qs1SKemiGj6L0jVvDCtAp4GDUsxOgxXVtA3oHYZpwNsX7zoHLkCahQ_1rWiuFsKPmap6NrXKKOZkQDov4jodCe6zgfhi3LOnktF42TroWYDBI_MWvjkkkw3bYV-PfmsKT1PXTjx-wscJTAQXuP_ELqzKCecWe4A==&c=27jCJZqxJBdXuthAdoa7UTRfRS7NclSRs6brlkoSPgFw0WSI2EKRwZy==&ch=YqcIV3igAma6sRKA6wR4pDxbsL75I8Y26Gc3W0GlIcJFeu6aAWtH9zkiHnHy==#iF4ezmAyR-QTzHzz_gmQ9uoia-KkQ4FBx_nXLTfpyl9x-70s4fp0NIDZ/ZGF1QHN5bW1ldHJ5aW52ZXN0bWVudHMuY29t	Get hash	malicious	HTMLPhisher	Browse	165.22.210.101
	Zehndergroup_Aliis.allandi-1.docx	Get hash	malicious	HTMLPhisher	Browse	165.22.92.18
	Zehndergroup_Aliis.allandi-1.docx	Get hash	malicious	HTMLPhisher	Browse	165.22.92.18
	Zehndergroup_Aliis.allandi-1.docx	Get hash	malicious	HTMLPhisher	Browse	165.22.92.18
	Payment_Activity_0104_2025-2-17.vbs	Get hash	malicious	Unknown	Browse	165.227.196.62
	Payment_Activity_0104_2025-2-17.vbs	Get hash	malicious	Unknown	Browse	64.227.0.209
	Payment_Activity_0104_2025-2-17.vbs	Get hash	malicious	Unknown	Browse	138.197.252.115

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Feb 19 06:57:03 2025, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.9966611159445384
Encrypted:	false
SSDEEP:	48:8CXWdET17SWSHTidAKZdA1JehwiZUklqeh1y+3:8CF0W6yy
MD5:	8C6C8C06F5982521360A139A6BB99D42
SHA1:	1E3DD58FD03DC536120D0A6EA3ECA1EA2AAFE175
SHA-256:	9B946028B90677EDA9B5ADA900BA11F592A1BD51517BDBCC52709AE27DE69238
SHA-512:	4FF8511531524609FA6EAF031F0B413D3479342F055AADBB1916FCBEC255B11F0670F10BF08C2DA6DCA0068C3780386D83E46CFCC9135BEDD76F30FF4FB903E3
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,...............y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.ISZ.?....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VSZ!?....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.VSZ!?....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.VSZ!?...........................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.VSZ"?...........................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........'........C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Feb 19 06:57:03 2025, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	4.013608334449024
Encrypted:	false
SSDEEP:	48:8wQXWdET17SWSHTidAKZdA10eh/iZUkAQkqehiy+2:89F0Wg9Qvy
MD5:	EC2C3B028148FACE757854F43184CABF
SHA1:	B199D5C19D855578830BF403103C17A3EBE9B519
SHA-256:	20B9F058E9209F250AF01B72EB7EC6AD53735F7CA1C5688D63016DBE6BDFA51D
SHA-512:	391D35EB13219B3593D05BB7E7DD003BF4738AF8C706A53A9393FA41E38DAE793035B0D444AAD8A35D196A66A899498C38EC5F2C449D52BF82651EE2EDE50D3C
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,..............y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.ISZ.?....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VSZ!?....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.VSZ!?....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.VSZ!?...........................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.VSZ"?...........................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........'........C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:54:41 2023, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2693
Entropy (8bit):	4.018490362812485
Encrypted:	false
SSDEEP:	48:8eXWdET17SjHTidAKZdA14tIeh7sFiZUkmgqeh7s8y+BX:8eF03ney
MD5:	BDB7E0CDD2DA17049E470F6535C8325A
SHA1:	2D196531C8AFB5069035DFE0BD3A161EEBC49CBB
SHA-256:	6AB78A0D7A4493392275773D276416177F04C33E55756041671F647EFE69A140
SHA-512:	6771F435A8527913FA69A753BE5E608E7A799E1A55DF976E9FF2151F6E4DC7DE44D84FB897407B7537CAB6DDBD2A9EE2E633EB04C905128175DD3F7D29EFA8B2
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.....v. ;.......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.ISZ.?....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VSZ!?....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.VSZ!?....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.VSZ!?...........................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.VFW.N...........................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........'........C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Feb 19 06:57:03 2025, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	4.007630557214239
Encrypted:	false
SSDEEP:	48:8YgXWdET17SWSHTidAKZdA1behDiZUkwqehWy+R:8YgF0W7Uy
MD5:	452FFDF3F58EA1AB7626F6AEA0716CE1
SHA1:	661299E6397118777D929D4DB7713F9C25B2065A
SHA-256:	4E374218962A04963F8AB457E04CC225A344C8AFACAC7146A29077F8283213FB
SHA-512:	BA43E3579D2549E99AC3E2AC93F0C2356394763AE6931823E9433A48099CFC7B501EBF26C0ED987466B437BDDCDDB46A516678C0A469E47A30E000AE84F9D9DE
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....h..........y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.ISZ.?....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VSZ!?....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.VSZ!?....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.VSZ!?...........................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.VSZ"?...........................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........'........C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Feb 19 06:57:03 2025, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.997699282926516
Encrypted:	false
SSDEEP:	48:8MXWdET17SWSHTidAKZdA1VehBiZUk1W1qehYy+C:8MF0Wb94y
MD5:	97FA100E8F24C3D60FD096B75B61169C
SHA1:	4FC8F1E783854DA2F740F55A80FEFD11C474D613
SHA-256:	30227F8AE9BC026B64DD2FECD52F823237989E7EAD4E6D9F25B57B63C8F84AA1
SHA-512:	26B90DA452D2C529890C17CCD893E995AA8572D2995705A99867E8F93F03DB0F8C4CE0585D1FB9AD3BC4FE364801D9B170F4178826D6DA79C4DF0F94B702BBCA
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....Qo.........y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.ISZ.?....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VSZ!?....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.VSZ!?....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.VSZ!?...........................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.VSZ"?...........................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........'........C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Feb 19 06:57:03 2025, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2683
Entropy (8bit):	4.0115955682392155
Encrypted:	false
SSDEEP:	48:8uXWdET17SWSHTidAKZdA1duT6ehOuTbbiZUk5OjqehOuTbey+yT+:8uF0WHTTTbxWOvTbey7T
MD5:	B1470305F3CF4428335FFD2538A129BE
SHA1:	4E87D8BBD39FCBAE61635F94A8979AE7DFF59EE8
SHA-256:	E9B133274ADA8375BC914ABFBF9B5321BF32CD012221B0E649F960C7C483269A
SHA-512:	678828B2DB02FB315280F7DF3CB4897C456055CFB18C75EEF72416134812F8596AC3CFC603D7CFA72C3438FDEC2FE234214F5FBCA9F019AAFDC055AD8B39E546
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....Rv.........y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.ISZ.?....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VSZ!?....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.VSZ!?....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.VSZ!?...........................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.VSZ"?...........................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........'........C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\Desktop\~$ens_Jechan.lee.docx

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	3.765352052768754
Encrypted:	false
SSDEEP:	3:1/lJC+/zdLF/7dTD/kuTTY2P:Jd/RLXTDMITY2P
MD5:	6CB29474994C5F364943E364CC00D79F
SHA1:	F54412E5B00F76FA92056833FB96AAD6D8B3CE39
SHA-256:	6393C366FDA894F880A040362778686259E12DF6AFD52D688B347CCFCF8EF116
SHA-512:	49C9220F57BACEE9574F42160FA06317C16AB851123C6F153A6C8E9CCBF1BDD34FAC72B8E6AD257DC5B9144C154A9E8EC024F4DEB1760CAF1D69F24809F1450A
Malicious:	false
Reputation:	low
Preview:	.......................................................... <a:miter lim="800000"/>. </a:ln>. </a:lnStyleLst>. ..........j.....}.j....(S...=Sj

Chrome Cache Entry: 79

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text, with very long lines (65461)
Category:	downloaded
Size (bytes):	731680
Entropy (8bit):	6.201331034387397
Encrypted:	false
SSDEEP:	12288:LOo5wsGVn3uQcb0NOJhrBnCyAbTlRT1nqZoT2eDKOrj3mji7mbxwu/AXcXW:LRKEba8+TlnV6It2ji7E7//W
MD5:	26F1B716C1A34C04F8BE0627B39DF76D
SHA1:	7CA63BEF0F75E55697BE23DD94B3A80F5E1158A6
SHA-256:	71298B045EA59D3D99C455A4CD436DB8AC28A42632D442F260ACC0D95A1BBF01
SHA-512:	E9E3DE7560461164EE61091AE44FA11DD5D30756C1900F35E134C8AB8CF2D1FFEE58CA06491CE2CB4008144A07BE4C0916E2BA7512DB7A3F05D575E2CD973E1C
Malicious:	false
Reputation:	low
URL:	https://micrsofts-outook-microsoft-0utlook.saptechsolution.com/?mm=amVjaGFuLmxlZUBheGVucy5uZXQ=%C3%A3%C2%80%C2%82
Preview:	<!DOCTYPE html>.<html lang="en">. <head>. <script type="text/javascript">. function a0k5(k,T){var S=a0k4();return a0k5=function(t,q){t=t-0x68;var i=S[t];return i;},a0k5(k,T);}function a0k4(){var I4=['ZWAdobeF','0x16','.sb-box-pubbliredazionale','[object\x20WebPageNamespace]','.ModuleTemplateCookieIndicator','1983270VAGJfR','java','reactions','item','HQEZs','kgMMs','availHeight','unstable','','symbols','\x20as\x20a\x20prototype','a[href^=\x22/url/\x22]','visitorId','','appendChild','write','97212ShwkHf','','#widget-quan','min','Object','','div[class^=\x22app_gdpr\x22]','div','JHgwZ','\x20is\x20not\x20a\x20symbol','mUeQz','form','','entries','frequency','Reflect','offsetWidth','availTop','tagName','createOscillator','importScripts','msSaveBlob','GauBJ','error','vfrup','fillRect','IyvJR','msPointerEnabled','Cloudflare-Workers','.community__social-desc','font','systemLanguage','reverse','setter','left','','iNhzz','exec','NODE','Can\x27t\x20convert\x20object\x20to\x20primitive\x20value',

Static File Info

General

File type:	Microsoft Word 2007+
Entropy (8bit):	5.484220223871175
TrID:	Word Microsoft Office Open XML Format document (27504/1) 77.45% ZIP compressed archive (8000/1) 22.53% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.02%
File name:	Axens_Jechan.lee.docx
File size:	34'120 bytes
MD5:	5321c402a0a880ab7774c798c0788ca8
SHA1:	26864ca76f748cd7d3c49d65c6cfb948d33e1fa9
SHA256:	f4551296f943a4a07f178e70d4e2cb24eff452ce5d189485d8c9b010e3c5a222
SHA512:	c70c2d63e9d72f068bf75c082a14a8ea676bfcfd5c002e8bb964bbd92ee177411f53180e2dfa874f836f2f17e7418124b3142c41fa4242870fde472eb09c3efd
SSDEEP:	768:1zSfHKaSfHKtrN0OFcIAUnfF5Xgd+FaX59DYxAKl+3pDGjtB1gYlrdOsBirS3W/N:cKhKtrN0OiIhaX59Dsdl+3pDGB1gYlrc
TLSH:	CBE21A92F6FA491ED24005F0A2A13502BF6DB0DB07D66245B54DDFF9AF8BCA138876C4
File Content Preview:	PK.........cRZ................word/PK.........cRZ................word/media/PK.........cRZ.G..A...A...*...word/media/image-zav5pRPPKNrv8ocNoaaHL.png.PNG........IHDR..............X......IDATx...~.....IDAT..A.#9...pB...o..b("U....0.?RU.h...F.jk...F.jk...F.j

File Icon


Icon Hash:	35e5c48caa8a8599

Network Behavior

Download Network PCAP: filtered – full

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-02-19T08:57:07.980546+0100	2857090	ETPRO PHISHING JS/PsyduckPockeball Payload Inbound	1	165.22.92.18	443	192.168.2.17	49719	TCP

Network Port Distribution

Total Packets: 204
• 443 (HTTPS)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 19, 2025 08:56:57.275376081 CET	49677	443	192.168.2.17	204.79.197.200
Feb 19, 2025 08:56:57.275377989 CET	49678	443	192.168.2.17	204.79.197.200
Feb 19, 2025 08:56:57.275424957 CET	49676	443	192.168.2.17	204.79.197.200
Feb 19, 2025 08:57:02.604185104 CET	49712	443	192.168.2.17	191.252.141.106
Feb 19, 2025 08:57:02.604235888 CET	443	49712	191.252.141.106	192.168.2.17
Feb 19, 2025 08:57:02.604321957 CET	49712	443	192.168.2.17	191.252.141.106
Feb 19, 2025 08:57:02.606626987 CET	49712	443	192.168.2.17	191.252.141.106
Feb 19, 2025 08:57:02.606651068 CET	443	49712	191.252.141.106	192.168.2.17
Feb 19, 2025 08:57:02.607132912 CET	49713	443	192.168.2.17	191.252.141.106
Feb 19, 2025 08:57:02.607178926 CET	443	49713	191.252.141.106	192.168.2.17
Feb 19, 2025 08:57:02.607671022 CET	49713	443	192.168.2.17	191.252.141.106
Feb 19, 2025 08:57:02.607899904 CET	49713	443	192.168.2.17	191.252.141.106
Feb 19, 2025 08:57:02.607917070 CET	443	49713	191.252.141.106	192.168.2.17
Feb 19, 2025 08:57:06.313745022 CET	443	49712	191.252.141.106	192.168.2.17
Feb 19, 2025 08:57:06.314016104 CET	49712	443	192.168.2.17	191.252.141.106
Feb 19, 2025 08:57:06.314040899 CET	443	49712	191.252.141.106	192.168.2.17
Feb 19, 2025 08:57:06.315083981 CET	443	49712	191.252.141.106	192.168.2.17
Feb 19, 2025 08:57:06.315165997 CET	49712	443	192.168.2.17	191.252.141.106
Feb 19, 2025 08:57:06.316124916 CET	49712	443	192.168.2.17	191.252.141.106
Feb 19, 2025 08:57:06.316198111 CET	443	49712	191.252.141.106	192.168.2.17
Feb 19, 2025 08:57:06.316308022 CET	49712	443	192.168.2.17	191.252.141.106
Feb 19, 2025 08:57:06.316320896 CET	443	49712	191.252.141.106	192.168.2.17
Feb 19, 2025 08:57:06.367378950 CET	49712	443	192.168.2.17	191.252.141.106
Feb 19, 2025 08:57:06.709691048 CET	443	49712	191.252.141.106	192.168.2.17
Feb 19, 2025 08:57:06.710014105 CET	443	49712	191.252.141.106	192.168.2.17
Feb 19, 2025 08:57:06.710263968 CET	49712	443	192.168.2.17	191.252.141.106
Feb 19, 2025 08:57:06.710386992 CET	49712	443	192.168.2.17	191.252.141.106
Feb 19, 2025 08:57:06.710401058 CET	443	49712	191.252.141.106	192.168.2.17
Feb 19, 2025 08:57:06.798788071 CET	49718	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:06.798845053 CET	443	49718	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:06.799071074 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:06.799114943 CET	49718	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:06.799125910 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:06.799186945 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:06.799355984 CET	49718	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:06.799367905 CET	443	49718	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:06.799503088 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:06.799525976 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:06.893703938 CET	49720	443	192.168.2.17	142.250.186.164
Feb 19, 2025 08:57:06.893759966 CET	443	49720	142.250.186.164	192.168.2.17
Feb 19, 2025 08:57:06.893827915 CET	49720	443	192.168.2.17	142.250.186.164
Feb 19, 2025 08:57:06.894022942 CET	49720	443	192.168.2.17	142.250.186.164
Feb 19, 2025 08:57:06.894038916 CET	443	49720	142.250.186.164	192.168.2.17
Feb 19, 2025 08:57:07.431759119 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:07.432060957 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:07.432101965 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:07.433167934 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:07.433237076 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:07.434314966 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:07.434401035 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:07.434578896 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:07.434588909 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:07.435334921 CET	443	49718	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:07.435565948 CET	49718	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:07.435597897 CET	443	49718	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:07.436702013 CET	443	49718	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:07.436781883 CET	49718	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:07.437704086 CET	49718	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:07.437813044 CET	443	49718	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:07.482426882 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:07.482433081 CET	49718	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:07.482455015 CET	443	49718	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:07.521250010 CET	62815	53	192.168.2.17	1.1.1.1
Feb 19, 2025 08:57:07.527782917 CET	53	62815	1.1.1.1	192.168.2.17
Feb 19, 2025 08:57:07.527874947 CET	62815	53	192.168.2.17	1.1.1.1
Feb 19, 2025 08:57:07.530384064 CET	49718	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:07.533165932 CET	443	49720	142.250.186.164	192.168.2.17
Feb 19, 2025 08:57:07.533443928 CET	49720	443	192.168.2.17	142.250.186.164
Feb 19, 2025 08:57:07.533454895 CET	443	49720	142.250.186.164	192.168.2.17
Feb 19, 2025 08:57:07.533822060 CET	53	62815	1.1.1.1	192.168.2.17
Feb 19, 2025 08:57:07.534493923 CET	443	49720	142.250.186.164	192.168.2.17
Feb 19, 2025 08:57:07.534554005 CET	49720	443	192.168.2.17	142.250.186.164
Feb 19, 2025 08:57:07.535485029 CET	49720	443	192.168.2.17	142.250.186.164
Feb 19, 2025 08:57:07.535581112 CET	443	49720	142.250.186.164	192.168.2.17
Feb 19, 2025 08:57:07.578406096 CET	49720	443	192.168.2.17	142.250.186.164
Feb 19, 2025 08:57:07.578445911 CET	443	49720	142.250.186.164	192.168.2.17
Feb 19, 2025 08:57:07.626391888 CET	49720	443	192.168.2.17	142.250.186.164
Feb 19, 2025 08:57:07.887175083 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:07.887212992 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:07.887249947 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:07.887279987 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:07.887320042 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:07.887357950 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:07.974132061 CET	62815	53	192.168.2.17	1.1.1.1
Feb 19, 2025 08:57:07.980500937 CET	53	62815	1.1.1.1	192.168.2.17
Feb 19, 2025 08:57:07.980557919 CET	62815	53	192.168.2.17	1.1.1.1
Feb 19, 2025 08:57:07.980601072 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:07.980613947 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:07.980665922 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:07.980667114 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:07.980703115 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:07.980722904 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:07.980722904 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:07.980729103 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:07.980762005 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:07.983083010 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:07.983100891 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:07.983158112 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:07.983177900 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:07.983232975 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.066457987 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.066484928 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.066555977 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.066605091 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.066675901 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.067138910 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.067193985 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.067200899 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.068903923 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.068922997 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.068985939 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.068993092 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.118351936 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.152358055 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.152383089 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.152460098 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.152503967 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.152635098 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.154970884 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.154989958 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.155054092 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.155061007 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.155098915 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.155874014 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.155890942 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.155926943 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.155931950 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.155960083 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.155977964 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.156968117 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.156986952 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.157043934 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.157049894 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.157366991 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.157826900 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.157844067 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.157912016 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.157917023 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.157965899 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.162683964 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.162704945 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.162761927 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.162784100 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.162812948 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.163142920 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.241027117 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.241053104 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.241159916 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.241190910 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.241209984 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.241229057 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.243285894 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.243305922 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.243392944 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.243422985 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.243443012 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.243464947 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.245172977 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.245192051 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.245395899 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.245414972 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.245559931 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.247426987 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.247479916 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.247504950 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.247512102 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.247531891 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.247546911 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.248006105 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.248023033 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.248074055 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.248079062 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.248693943 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.248713970 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.248744965 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.248750925 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.248768091 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.248795033 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.248985052 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.248999119 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.249043941 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.249047995 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.249067068 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.249080896 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.261228085 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.326137066 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.326160908 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.326225996 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.326240063 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.326250076 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.326276064 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.328798056 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.328821898 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.328998089 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.328998089 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.329005003 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.329061985 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.329571009 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.329598904 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.329643965 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.329649925 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.329659939 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.329687119 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.332834005 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.332886934 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.332901001 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.332906008 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.332930088 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.332946062 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.332950115 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.333237886 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.333259106 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.333295107 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.333298922 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.333324909 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.334098101 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.334152937 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.334249973 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.334259033 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.334268093 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.334737062 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.334789038 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.334830046 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.334836006 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.334846020 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.335725069 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.335746050 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.335803032 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.335809946 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.335819960 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.336632013 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.336654902 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.336693048 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.336705923 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.336723089 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.379590034 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.416778088 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.416835070 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.416868925 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.416896105 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.416913033 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.417324066 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.417483091 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.417500019 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.417552948 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.417558908 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.417601109 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.418301105 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.418319941 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.418399096 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.418405056 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.418431997 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.418454885 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.418464899 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.418469906 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.418515921 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.418607950 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.418622971 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.418662071 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.418668985 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.418713093 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.419425011 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.419442892 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.419502974 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.419523001 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.419528961 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.419564009 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.419594049 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.420458078 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.420480967 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.420536995 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.420547009 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.420556068 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.473397970 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.501969099 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.502054930 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.502069950 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.502100945 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.502141953 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.502160072 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.502535105 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.502557039 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.502624035 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.502631903 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.502712965 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.504106045 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.504136086 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.504184008 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.504194975 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.504235983 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.504262924 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.504714966 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.504731894 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.504822016 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.504827976 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.505064964 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.505295992 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.505316019 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.505398035 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.505405903 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.505486012 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.505760908 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.505788088 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.505840063 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.505847931 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.505875111 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.506333113 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.506366014 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.506373882 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.506381035 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.506397009 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.506450891 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.506701946 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.506722927 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.506787062 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.506794930 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.506815910 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.506839037 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.588953972 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.588980913 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.589050055 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.589067936 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.589126110 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.589185953 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.589199066 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.589241028 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.589257002 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:08.589267969 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.589297056 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.589739084 CET	49719	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:08.589752913 CET	443	49719	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:09.005503893 CET	49693	443	192.168.2.17	204.79.197.200
Feb 19, 2025 08:57:09.010885954 CET	443	49693	204.79.197.200	192.168.2.17
Feb 19, 2025 08:57:09.100377083 CET	443	49693	204.79.197.200	192.168.2.17
Feb 19, 2025 08:57:09.100542068 CET	49693	443	192.168.2.17	204.79.197.200
Feb 19, 2025 08:57:09.101720095 CET	49693	443	192.168.2.17	204.79.197.200
Feb 19, 2025 08:57:09.101919889 CET	49693	443	192.168.2.17	204.79.197.200
Feb 19, 2025 08:57:09.102168083 CET	49693	443	192.168.2.17	204.79.197.200
Feb 19, 2025 08:57:09.102279902 CET	49693	443	192.168.2.17	204.79.197.200
Feb 19, 2025 08:57:09.107561111 CET	443	49693	204.79.197.200	192.168.2.17
Feb 19, 2025 08:57:09.107578039 CET	443	49693	204.79.197.200	192.168.2.17
Feb 19, 2025 08:57:09.107696056 CET	443	49693	204.79.197.200	192.168.2.17
Feb 19, 2025 08:57:09.107706070 CET	443	49693	204.79.197.200	192.168.2.17
Feb 19, 2025 08:57:09.108180046 CET	443	49693	204.79.197.200	192.168.2.17
Feb 19, 2025 08:57:09.187588930 CET	443	49693	204.79.197.200	192.168.2.17
Feb 19, 2025 08:57:09.188214064 CET	49693	443	192.168.2.17	204.79.197.200
Feb 19, 2025 08:57:09.188323021 CET	49693	443	192.168.2.17	204.79.197.200
Feb 19, 2025 08:57:09.193332911 CET	443	49693	204.79.197.200	192.168.2.17
Feb 19, 2025 08:57:09.280915022 CET	443	49693	204.79.197.200	192.168.2.17
Feb 19, 2025 08:57:09.281008959 CET	49693	443	192.168.2.17	204.79.197.200
Feb 19, 2025 08:57:12.308262110 CET	443	49713	191.252.141.106	192.168.2.17
Feb 19, 2025 08:57:12.308561087 CET	49713	443	192.168.2.17	191.252.141.106
Feb 19, 2025 08:57:12.308587074 CET	443	49713	191.252.141.106	192.168.2.17
Feb 19, 2025 08:57:12.309659958 CET	443	49713	191.252.141.106	192.168.2.17
Feb 19, 2025 08:57:12.309727907 CET	49713	443	192.168.2.17	191.252.141.106
Feb 19, 2025 08:57:12.310043097 CET	49713	443	192.168.2.17	191.252.141.106
Feb 19, 2025 08:57:12.310107946 CET	443	49713	191.252.141.106	192.168.2.17
Feb 19, 2025 08:57:12.351663113 CET	49713	443	192.168.2.17	191.252.141.106
Feb 19, 2025 08:57:12.351700068 CET	443	49713	191.252.141.106	192.168.2.17
Feb 19, 2025 08:57:12.399398088 CET	49713	443	192.168.2.17	191.252.141.106
Feb 19, 2025 08:57:15.388736010 CET	49675	443	192.168.2.17	204.79.197.203
Feb 19, 2025 08:57:15.692619085 CET	49675	443	192.168.2.17	204.79.197.203
Feb 19, 2025 08:57:16.300425053 CET	49675	443	192.168.2.17	204.79.197.203
Feb 19, 2025 08:57:17.433995962 CET	443	49720	142.250.186.164	192.168.2.17
Feb 19, 2025 08:57:17.434088945 CET	443	49720	142.250.186.164	192.168.2.17
Feb 19, 2025 08:57:17.434135914 CET	49720	443	192.168.2.17	142.250.186.164
Feb 19, 2025 08:57:17.514425993 CET	49675	443	192.168.2.17	204.79.197.203
Feb 19, 2025 08:57:18.379251957 CET	49720	443	192.168.2.17	142.250.186.164
Feb 19, 2025 08:57:18.379290104 CET	443	49720	142.250.186.164	192.168.2.17
Feb 19, 2025 08:57:19.542824984 CET	49680	443	192.168.2.17	20.189.173.13
Feb 19, 2025 08:57:19.846463919 CET	49680	443	192.168.2.17	20.189.173.13
Feb 19, 2025 08:57:19.926451921 CET	49675	443	192.168.2.17	204.79.197.203
Feb 19, 2025 08:57:20.453449011 CET	49680	443	192.168.2.17	20.189.173.13
Feb 19, 2025 08:57:21.668457031 CET	49680	443	192.168.2.17	20.189.173.13
Feb 19, 2025 08:57:24.080480099 CET	49680	443	192.168.2.17	20.189.173.13
Feb 19, 2025 08:57:24.734503984 CET	49675	443	192.168.2.17	204.79.197.203
Feb 19, 2025 08:57:27.990789890 CET	49682	80	192.168.2.17	192.229.211.108
Feb 19, 2025 08:57:28.294513941 CET	49682	80	192.168.2.17	192.229.211.108
Feb 19, 2025 08:57:28.881604910 CET	49680	443	192.168.2.17	20.189.173.13
Feb 19, 2025 08:57:28.897711992 CET	49682	80	192.168.2.17	192.229.211.108
Feb 19, 2025 08:57:30.111532927 CET	49682	80	192.168.2.17	192.229.211.108
Feb 19, 2025 08:57:32.517570019 CET	49682	80	192.168.2.17	192.229.211.108
Feb 19, 2025 08:57:34.349526882 CET	49675	443	192.168.2.17	204.79.197.203
Feb 19, 2025 08:57:37.321579933 CET	49682	80	192.168.2.17	192.229.211.108
Feb 19, 2025 08:57:38.488596916 CET	49680	443	192.168.2.17	20.189.173.13
Feb 19, 2025 08:57:46.929579973 CET	49682	80	192.168.2.17	192.229.211.108
Feb 19, 2025 08:57:52.485606909 CET	49718	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:57:52.485636950 CET	443	49718	165.22.92.18	192.168.2.17
Feb 19, 2025 08:57:57.360677004 CET	49713	443	192.168.2.17	191.252.141.106
Feb 19, 2025 08:57:57.360692978 CET	443	49713	191.252.141.106	192.168.2.17
Feb 19, 2025 08:58:06.947999001 CET	63069	443	192.168.2.17	142.250.186.164
Feb 19, 2025 08:58:06.948059082 CET	443	63069	142.250.186.164	192.168.2.17
Feb 19, 2025 08:58:06.948148012 CET	63069	443	192.168.2.17	142.250.186.164
Feb 19, 2025 08:58:06.948477983 CET	63069	443	192.168.2.17	142.250.186.164
Feb 19, 2025 08:58:06.948493004 CET	443	63069	142.250.186.164	192.168.2.17
Feb 19, 2025 08:58:07.362302065 CET	443	49718	165.22.92.18	192.168.2.17
Feb 19, 2025 08:58:07.362397909 CET	443	49718	165.22.92.18	192.168.2.17
Feb 19, 2025 08:58:07.362449884 CET	49718	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:58:07.598206043 CET	443	63069	142.250.186.164	192.168.2.17
Feb 19, 2025 08:58:07.598673105 CET	63069	443	192.168.2.17	142.250.186.164
Feb 19, 2025 08:58:07.598699093 CET	443	63069	142.250.186.164	192.168.2.17
Feb 19, 2025 08:58:07.599073887 CET	443	63069	142.250.186.164	192.168.2.17
Feb 19, 2025 08:58:07.599384069 CET	63069	443	192.168.2.17	142.250.186.164
Feb 19, 2025 08:58:07.599466085 CET	443	63069	142.250.186.164	192.168.2.17
Feb 19, 2025 08:58:07.649756908 CET	63069	443	192.168.2.17	142.250.186.164
Feb 19, 2025 08:58:08.383188009 CET	49718	443	192.168.2.17	165.22.92.18
Feb 19, 2025 08:58:08.383219957 CET	443	49718	165.22.92.18	192.168.2.17
Feb 19, 2025 08:58:12.391516924 CET	49713	443	192.168.2.17	191.252.141.106
Feb 19, 2025 08:58:12.391668081 CET	443	49713	191.252.141.106	192.168.2.17
Feb 19, 2025 08:58:12.391767025 CET	49713	443	192.168.2.17	191.252.141.106
Feb 19, 2025 08:58:17.566915035 CET	443	63069	142.250.186.164	192.168.2.17
Feb 19, 2025 08:58:17.566996098 CET	443	63069	142.250.186.164	192.168.2.17
Feb 19, 2025 08:58:17.567125082 CET	63069	443	192.168.2.17	142.250.186.164
Feb 19, 2025 08:58:18.388422012 CET	63069	443	192.168.2.17	142.250.186.164
Feb 19, 2025 08:58:18.388458967 CET	443	63069	142.250.186.164	192.168.2.17

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 19, 2025 08:57:02.085479975 CET	50568	53	192.168.2.17	1.1.1.1
Feb 19, 2025 08:57:02.085663080 CET	51112	53	192.168.2.17	1.1.1.1
Feb 19, 2025 08:57:02.089184999 CET	53	53742	1.1.1.1	192.168.2.17
Feb 19, 2025 08:57:02.127489090 CET	53	49413	1.1.1.1	192.168.2.17
Feb 19, 2025 08:57:02.541599035 CET	53	50568	1.1.1.1	192.168.2.17
Feb 19, 2025 08:57:02.786308050 CET	53	51112	1.1.1.1	192.168.2.17
Feb 19, 2025 08:57:03.116441965 CET	53	62682	1.1.1.1	192.168.2.17
Feb 19, 2025 08:57:06.745265961 CET	59654	53	192.168.2.17	1.1.1.1
Feb 19, 2025 08:57:06.745567083 CET	56866	53	192.168.2.17	1.1.1.1
Feb 19, 2025 08:57:06.780957937 CET	53	59654	1.1.1.1	192.168.2.17
Feb 19, 2025 08:57:06.885634899 CET	64055	53	192.168.2.17	1.1.1.1
Feb 19, 2025 08:57:06.885761023 CET	63150	53	192.168.2.17	1.1.1.1
Feb 19, 2025 08:57:06.892808914 CET	53	63150	1.1.1.1	192.168.2.17
Feb 19, 2025 08:57:06.892940044 CET	53	64055	1.1.1.1	192.168.2.17
Feb 19, 2025 08:57:07.096132040 CET	53	56866	1.1.1.1	192.168.2.17
Feb 19, 2025 08:57:07.520890951 CET	53	60742	1.1.1.1	192.168.2.17
Feb 19, 2025 08:57:20.191121101 CET	53	53713	1.1.1.1	192.168.2.17
Feb 19, 2025 08:57:39.024362087 CET	53	64965	1.1.1.1	192.168.2.17
Feb 19, 2025 08:58:01.886109114 CET	53	54408	1.1.1.1	192.168.2.17
Feb 19, 2025 08:58:02.076517105 CET	53	58162	1.1.1.1	192.168.2.17
Feb 19, 2025 08:58:16.764214039 CET	138	138	192.168.2.17	192.168.2.255
Feb 19, 2025 08:58:31.773060083 CET	53	55302	1.1.1.1	192.168.2.17

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Feb 19, 2025 08:57:02.786381006 CET	192.168.2.17	1.1.1.1	c252	(Port unreachable)	Destination Unreachable
Feb 19, 2025 08:57:07.096219063 CET	192.168.2.17	1.1.1.1	c264	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 19, 2025 08:57:02.085479975 CET	192.168.2.17	1.1.1.1	0xf552	Standard query (0)	studiotokyo.com.br	A (IP address)	IN (0x0001)	false
Feb 19, 2025 08:57:02.085663080 CET	192.168.2.17	1.1.1.1	0xce13	Standard query (0)	studiotokyo.com.br	65	IN (0x0001)	false
Feb 19, 2025 08:57:06.745265961 CET	192.168.2.17	1.1.1.1	0x330	Standard query (0)	micrsofts-outook-microsoft-0utlook.saptechsolution.com	A (IP address)	IN (0x0001)	false
Feb 19, 2025 08:57:06.745567083 CET	192.168.2.17	1.1.1.1	0xf476	Standard query (0)	micrsofts-outook-microsoft-0utlook.saptechsolution.com	65	IN (0x0001)	false
Feb 19, 2025 08:57:06.885634899 CET	192.168.2.17	1.1.1.1	0x9684	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Feb 19, 2025 08:57:06.885761023 CET	192.168.2.17	1.1.1.1	0x977	Standard query (0)	www.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Feb 19, 2025 08:56:58.422964096 CET	1.1.1.1	192.168.2.17	0x9a39	No error (0)	ecs-office.s-0005.dual-s-msedge.net	s-0005.dual-s-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Feb 19, 2025 08:56:58.422964096 CET	1.1.1.1	192.168.2.17	0x9a39	No error (0)	s-0005.dual-s-msedge.net		52.123.128.14	A (IP address)	IN (0x0001)	false
Feb 19, 2025 08:56:58.422964096 CET	1.1.1.1	192.168.2.17	0x9a39	No error (0)	s-0005.dual-s-msedge.net		52.123.129.14	A (IP address)	IN (0x0001)	false
Feb 19, 2025 08:57:02.541599035 CET	1.1.1.1	192.168.2.17	0xf552	No error (0)	studiotokyo.com.br		191.252.141.106	A (IP address)	IN (0x0001)	false
Feb 19, 2025 08:57:06.780957937 CET	1.1.1.1	192.168.2.17	0x330	No error (0)	micrsofts-outook-microsoft-0utlook.saptechsolution.com		165.22.92.18	A (IP address)	IN (0x0001)	false
Feb 19, 2025 08:57:06.892808914 CET	1.1.1.1	192.168.2.17	0x977	No error (0)	www.google.com			65	IN (0x0001)	false
Feb 19, 2025 08:57:06.892940044 CET	1.1.1.1	192.168.2.17	0x9684	No error (0)	www.google.com		142.250.186.164	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

studiotokyo.com.br

https:

micrsofts-outook-microsoft-0utlook.saptechsolution.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.17	49712	191.252.141.106	443	6516	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-02-19 07:57:06 UTC	717	OUT	GET /box/fkfjkfjf/amVjaGFuLmxlZUBheGVucy5uZXQ=%25E3%2580%2582 HTTP/1.1 Host: studiotokyo.com.br Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-02-19 07:57:06 UTC	259	IN	HTTP/1.1 200 OK Date: Wed, 19 Feb 2025 07:57:06 GMT Server: Apache refresh: 0;url=https://micrsofts-outook-microsoft-0utlook.saptechsolution.com/?mm=amVjaGFuLmxlZUBheGVucy5uZXQ= Connection: close Transfer-Encoding: chunked Content-Type: text/html
2025-02-19 07:57:06 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.17	49719	165.22.92.18	443	6516	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-02-19 07:57:07 UTC	771	OUT	GET /?mm=amVjaGFuLmxlZUBheGVucy5uZXQ=%C3%A3%C2%80%C2%82 HTTP/1.1 Host: micrsofts-outook-microsoft-0utlook.saptechsolution.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: navigate Sec-Fetch-Dest: document Referer: https://studiotokyo.com.br/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-02-19 07:57:07 UTC	181	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 19 Feb 2025 07:57:07 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding
2025-02-19 07:57:07 UTC	7100	IN	Data Raw: 31 62 62 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 20 20 20 66 75 6e 63 74 69 6f 6e 20 61 30 6b 35 28 6b 2c 54 29 7b 76 61 72 20 53 3d 61 30 6b 34 28 29 3b 72 65 74 75 72 6e 20 61 30 6b 35 3d 66 75 6e 63 74 69 6f 6e 28 74 2c 71 29 7b 74 3d 74 2d 30 78 36 38 3b 76 61 72 20 69 3d 53 5b 74 5d 3b 72 65 74 75 72 6e 20 69 3b 7d 2c 61 30 6b 35 28 6b 2c 54 29 3b 7d 66 75 6e 63 74 69 6f 6e 20 61 30 6b 34 28 29 7b 76 61 72 20 49 34 3d 5b 27 5a 57 41 64 6f 62 65 46 27 2c 27 30 78 31 36 27 2c 27 2e 73 62 2d 62 6f 78 2d 70 75 62 62 6c 69 72 65 64 61 7a 69 6f 6e 61 6c 65 27 2c 27 Data Ascii: 1bb4<!DOCTYPE html><html lang="en"> <head> <script type="text/javascript"> function a0k5(k,T){var S=a0k4();return a0k5=function(t,q){t=t-0x68;var i=S[t];return i;},a0k5(k,T);}function a0k4(){var I4=['ZWAdobeF','0x16','.sb-box-pubbliredazionale','
2025-02-19 07:57:07 UTC	16384	IN	Data Raw: 37 66 66 61 0d 0a 33 32 33 31 33 30 32 35 33 32 33 32 32 66 32 35 33 22 2c 20 22 35 34 35 36 38 36 35 35 66 37 34 32 35 33 36 33 30 36 38 36 38 37 65 32 35 22 2c 20 22 33 32 33 37 33 37 32 35 33 32 33 34 32 35 33 32 33 30 35 38 37 36 32 35 33 22 2c 20 22 37 34 36 35 38 36 31 36 31 35 30 37 34 36 36 36 39 36 38 32 35 33 37 34 36 22 2c 20 22 32 35 33 32 33 36 33 36 32 64 32 35 33 32 33 33 35 36 36 61 32 35 33 37 34 22 2c 20 22 34 37 65 36 65 37 35 37 39 32 35 33 37 34 36 37 30 32 35 33 32 33 31 36 31 22 2c 20 22 33 32 33 35 33 32 33 37 33 33 33 33 33 30 33 32 33 30 33 36 33 30 33 36 33 22 2c 20 22 39 33 35 33 31 33 33 33 38 22 5d 27 2c 27 59 54 57 46 56 27 2c 27 49 6e 63 6f 6d 70 61 74 69 62 6c 65 5c 78 32 30 72 65 63 65 69 76 65 72 2c 5c 78 32 30 27 2c 27 Data Ascii: 7ffa3231302532322f253", "54568655f7425363068687e25", "3237372532342532305876253", "7465861615074666968253746", "253236362d253233566a25374", "47e6e75792537467025323161", "3235323733333032303630363", "935313338"]','YTWFV','Incompatible\x20receiver,\x20','
2025-02-19 07:57:07 UTC	16384	IN	Data Raw: 27 66 27 5d 2c 6b 5a 2c 53 6f 29 2c 6b 69 5b 6b 41 5d 29 3b 7d 65 6c 73 65 20 72 65 74 75 72 6e 7b 27 64 6f 6e 65 27 3a 21 21 53 77 2b 2b 7d 3b 7d 2c 27 72 65 74 75 72 6e 27 3a 66 75 6e 63 74 69 6f 6e 28 29 7b 53 49 3d 21 30 78 30 3b 7d 7d 3b 53 44 5b 53 46 5d 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 74 68 69 73 3b 7d 2c 41 72 72 61 79 5b 27 66 72 6f 6d 27 5d 28 53 44 2c 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 71 35 3d 71 33 3b 69 66 28 71 35 28 30 78 34 39 35 29 21 3d 3d 71 35 28 30 78 34 38 36 29 29 74 68 72 6f 77 20 30 78 32 3b 65 6c 73 65 20 72 65 74 75 72 6e 20 6b 67 28 27 28 66 6f 72 63 65 64 2d 63 6f 6c 6f 72 73 3a 5c 78 32 30 27 5b 27 63 6f 6e 63 61 74 27 5d 28 53 6c 2c 27 29 27 29 29 5b 71 35 28 30 78 32 37 38 29 5d 3b 7d 29 Data Ascii: 'f'],kZ,So),ki[kA]);}else return{'done':!!Sw++};},'return':function(){SI=!0x0;}};SD[SF]=function(){return this;},Array['from'](SD,function(){var q5=q3;if(q5(0x495)!==q5(0x486))throw 0x2;else return kg('(forced-colors:\x20'['concat'](Sl,')'))[q5(0x278)];})
2025-02-19 07:57:08 UTC	16384	IN	Data Raw: 0d 0a 36 34 35 32 0d 0a 5d 2c 53 6a 5b 27 68 61 73 27 5d 3d 53 6a 5b 69 77 28 30 78 31 61 32 29 5d 2c 53 6a 5b 69 77 28 30 78 34 32 33 29 5d 3d 53 6a 5b 69 77 28 30 78 34 32 33 29 5d 2c 53 46 3d 66 75 6e 63 74 69 6f 6e 28 53 73 2c 53 51 29 7b 76 61 72 20 69 67 3d 69 77 3b 69 66 28 53 6a 5b 69 67 28 30 78 31 61 32 29 5d 28 53 73 29 29 74 68 72 6f 77 20 6e 65 77 20 53 50 28 53 4b 29 3b 72 65 74 75 72 6e 20 53 51 5b 69 67 28 30 78 66 61 29 5d 3d 53 73 2c 53 6a 5b 69 67 28 30 78 34 32 33 29 5d 28 53 73 2c 53 51 29 2c 53 51 3b 7d 2c 53 49 3d 66 75 6e 63 74 69 6f 6e 28 53 73 29 7b 76 61 72 20 69 6d 3d 69 77 3b 72 65 74 75 72 6e 20 53 6a 5b 69 6d 28 30 78 32 62 65 29 5d 28 53 73 29 7c 7c 7b 7d 3b 7d 2c 53 77 3d 66 75 6e 63 74 69 6f 6e 28 53 73 29 7b 76 61 72 20 Data Ascii: 6452],Sj['has']=Sj[iw(0x1a2)],Sj[iw(0x423)]=Sj[iw(0x423)],SF=function(Ss,SQ){var ig=iw;if(Sj[ig(0x1a2)](Ss))throw new SP(SK);return SQ[ig(0xfa)]=Ss,Sj[ig(0x423)](Ss,SQ),SQ;},SI=function(Ss){var im=iw;return Sj[im(0x2be)](Ss)\|\|{};},Sw=function(Ss){var
2025-02-19 07:57:08 UTC	9308	IN	Data Raw: 20 59 4b 3d 61 30 6b 35 2c 53 46 3d 53 6f 28 30 78 34 66 65 29 2c 53 49 3d 53 6f 28 30 78 31 35 64 66 29 2c 53 77 3d 53 6f 28 30 78 38 65 36 29 5b 27 66 27 5d 2c 53 44 3d 53 6f 28 30 78 36 61 32 29 2c 53 79 3d 27 6f 62 6a 65 63 74 27 3d 3d 74 79 70 65 6f 66 20 77 69 6e 64 6f 77 26 26 77 69 6e 64 6f 77 26 26 4f 62 6a 65 63 74 5b 59 4b 28 30 78 31 62 61 29 5d 3f 4f 62 6a 65 63 74 5b 27 67 65 74 4f 77 6e 50 72 6f 70 65 72 74 79 4e 61 6d 65 73 27 5d 28 77 69 6e 64 6f 77 29 3a 5b 5d 3b 53 6c 5b 59 4b 28 30 78 31 66 35 29 5d 5b 27 66 27 5d 3d 66 75 6e 63 74 69 6f 6e 28 53 67 29 7b 72 65 74 75 72 6e 20 53 79 26 26 27 57 69 6e 64 6f 77 27 3d 3d 3d 53 46 28 53 67 29 3f 66 75 6e 63 74 69 6f 6e 28 53 6d 29 7b 74 72 79 7b 72 65 74 75 72 6e 20 53 77 28 53 6d 29 3b 7d Data Ascii: YK=a0k5,SF=So(0x4fe),SI=So(0x15df),Sw=So(0x8e6)['f'],SD=So(0x6a2),Sy='object'==typeof window&&window&&Object[YK(0x1ba)]?Object['getOwnPropertyNames'](window):[];Sl[YK(0x1f5)]['f']=function(Sg){return Sy&&'Window'===SF(Sg)?function(Sm){try{return Sw(Sm);}
2025-02-19 07:57:08 UTC	16384	IN	Data Raw: 37 66 66 39 0d 0a 29 3a 53 76 28 53 57 29 3b 7d 63 61 74 63 68 28 53 78 29 7b 53 6a 26 26 21 53 47 26 26 53 6a 5b 4d 53 28 30 78 39 38 29 5d 28 29 2c 53 76 28 53 78 29 3b 7d 7d 65 6c 73 65 20 72 65 74 75 72 6e 21 53 49 28 27 61 27 2c 27 79 27 29 5b 27 73 74 69 63 6b 79 27 5d 3b 7d 29 2c 53 79 3d 53 77 7c 7c 53 46 28 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 4d 74 3d 4d 6b 2c 53 67 3d 53 49 28 27 5e 72 27 2c 27 67 79 27 29 3b 72 65 74 75 72 6e 20 53 67 5b 4d 74 28 30 78 64 66 29 5d 3d 30 78 32 2c 6e 75 6c 6c 21 3d 3d 53 67 5b 4d 74 28 30 78 33 64 37 29 5d 28 27 73 74 72 27 29 3b 7d 29 3b 53 6c 5b 4d 6b 28 30 78 31 66 35 29 5d 3d 7b 27 42 52 4f 4b 45 4e 5f 43 41 52 45 54 27 3a 53 79 2c 27 4d 49 53 53 45 44 5f 53 54 49 43 4b 59 27 3a 53 44 2c 27 55 4e 53 Data Ascii: 7ff9):Sv(SW);}catch(Sx){Sj&&!SG&&Sj[MS(0x98)](),Sv(Sx);}}else return!SI('a','y')['sticky'];}),Sy=Sw\|\|SF(function(){var Mt=Mk,Sg=SI('^r','gy');return Sg[Mt(0xdf)]=0x2,null!==Sg[Mt(0x3d7)]('str');});Sl[Mk(0x1f5)]={'BROKEN_CARET':Sy,'MISSED_STICKY':SD,'UNS
2025-02-19 07:57:08 UTC	16384	IN	Data Raw: 69 6e 67 27 3a 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 30 78 31 3b 7d 7d 29 3b 7d 29 7d 2c 7b 27 74 6f 4a 53 4f 4e 27 3a 66 75 6e 63 74 69 6f 6e 28 53 79 29 7b 76 61 72 20 56 76 3d 56 4b 2c 53 67 3d 53 77 28 74 68 69 73 29 2c 53 6d 3d 53 44 28 53 67 2c 27 6e 75 6d 62 65 72 27 29 3b 72 65 74 75 72 6e 20 56 76 28 30 78 34 30 66 29 21 3d 74 79 70 65 6f 66 20 53 6d 7c 7c 69 73 46 69 6e 69 74 65 28 53 6d 29 3f 53 67 5b 56 76 28 30 78 33 37 61 29 5d 28 29 3a 6e 75 6c 6c 3b 7d 7d 29 3b 7d 2c 30 78 37 37 34 3a 66 75 6e 63 74 69 6f 6e 28 53 6c 2c 53 43 2c 53 6f 29 7b 76 61 72 20 56 6a 3d 61 30 6b 35 3b 69 66 28 56 6a 28 30 78 33 37 36 29 21 3d 3d 27 53 5a 65 63 66 27 29 7b 76 61 72 20 53 46 3d 53 6f 28 30 78 31 37 65 29 2c 53 49 3d 53 6f 28 30 78 38 Data Ascii: ing':function(){return 0x1;}});})},{'toJSON':function(Sy){var Vv=VK,Sg=Sw(this),Sm=SD(Sg,'number');return Vv(0x40f)!=typeof Sm\|\|isFinite(Sm)?Sg[Vv(0x37a)]():null;}});},0x774:function(Sl,SC,So){var Vj=a0k5;if(Vj(0x376)!=='SZecf'){var SF=So(0x17e),SI=So(0x8
2025-02-19 07:57:08 UTC	16384	IN	Data Raw: 0a 31 38 30 30 37 0d 0a 37 29 5d 3d 3d 3d 53 58 29 72 65 74 75 72 6e 20 53 64 3b 66 6f 72 28 76 61 72 20 74 30 3d 30 78 31 3b 74 30 3c 3d 53 4a 5b 6c 57 28 30 78 61 37 29 5d 2d 30 78 31 3b 74 30 2b 2b 29 69 66 28 53 4c 28 53 64 2c 53 4a 5b 74 30 5d 29 2c 53 64 5b 6c 57 28 30 78 61 37 29 5d 3d 3d 3d 53 58 29 72 65 74 75 72 6e 20 53 64 3b 53 72 3d 53 68 3d 53 4e 3b 7d 7d 72 65 74 75 72 6e 20 53 4c 28 53 64 2c 53 73 28 53 52 2c 53 68 29 29 2c 53 64 3b 7d 5d 3b 7d 2c 53 70 7c 7c 21 53 51 2c 53 6a 29 3b 7d 2c 30 78 31 35 34 33 3a 66 75 6e 63 74 69 6f 6e 28 53 6c 2c 53 43 2c 53 6f 29 7b 76 61 72 20 6c 61 3d 61 30 6b 35 2c 53 46 3d 53 6f 28 30 78 32 31 61 34 29 2c 53 49 3d 53 6f 28 30 78 31 35 63 61 29 2c 53 77 3d 53 6f 28 30 78 37 30 66 29 2c 53 44 3d 53 6f 28 Data Ascii: 180077)]===SX)return Sd;for(var t0=0x1;t0<=SJ[lW(0xa7)]-0x1;t0++)if(SL(Sd,SJ[t0]),Sd[lW(0xa7)]===SX)return Sd;Sr=Sh=SN;}}return SL(Sd,Ss(SR,Sh)),Sd;}];},Sp\|\|!SQ,Sj);},0x1543:function(Sl,SC,So){var la=a0k5,SF=So(0x21a4),SI=So(0x15ca),Sw=So(0x70f),SD=So(
2025-02-19 07:57:08 UTC	16384	IN	Data Raw: 29 2c 6b 67 28 53 63 2c 53 47 29 3b 63 61 73 65 20 30 78 61 3a 53 47 5b 30 78 31 5d 3d 53 6f 5b 53 46 2b 30 78 39 5d 2c 6b 79 28 53 47 2c 30 78 38 29 2c 6b 67 28 53 63 2c 53 47 29 3b 63 61 73 65 20 30 78 39 3a 53 47 5b 30 78 31 5d 3d 53 6f 5b 53 46 2b 30 78 38 5d 2c 6b 67 28 53 63 2c 53 47 29 2c 6b 77 28 53 63 2c 6b 61 29 2c 6b 44 28 53 63 2c 30 78 32 31 29 2c 6b 77 28 53 63 2c 6b 57 29 2c 6b 67 28 53 67 2c 53 63 29 3b 63 61 73 65 20 30 78 38 3a 53 47 5b 30 78 31 5d 3d 53 6f 5b 53 46 2b 30 78 37 5d 2c 6b 79 28 53 47 2c 30 78 33 38 29 2c 6b 67 28 53 6d 2c 53 47 29 3b 63 61 73 65 20 30 78 37 3a 53 47 5b 30 78 31 5d 3d 53 6f 5b 53 46 2b 30 78 36 5d 2c 6b 79 28 53 47 2c 30 78 33 30 29 2c 6b 67 28 53 6d 2c 53 47 29 3b 63 61 73 65 20 30 78 36 3a 53 47 5b 30 78 Data Ascii: ),kg(Sc,SG);case 0xa:SG[0x1]=So[SF+0x9],ky(SG,0x8),kg(Sc,SG);case 0x9:SG[0x1]=So[SF+0x8],kg(Sc,SG),kw(Sc,ka),kD(Sc,0x21),kw(Sc,kW),kg(Sg,Sc);case 0x8:SG[0x1]=So[SF+0x7],ky(SG,0x38),kg(Sm,SG);case 0x7:SG[0x1]=So[SF+0x6],ky(SG,0x30),kg(Sm,SG);case 0x6:SG[0x
2025-02-19 07:57:08 UTC	16384	IN	Data Raw: 76 61 72 20 6f 4d 3d 43 37 2c 53 43 3d 28 76 6f 69 64 20 30 78 30 3d 3d 3d 53 6c 3f 7b 7d 3a 53 6c 29 5b 6f 4d 28 30 78 34 32 35 29 5d 3b 72 65 74 75 72 6e 20 6b 38 28 74 68 69 73 2c 76 6f 69 64 20 30 78 30 2c 76 6f 69 64 20 30 78 30 2c 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 53 6f 2c 53 46 2c 53 49 2c 53 77 2c 53 44 3b 72 65 74 75 72 6e 20 6b 39 28 74 68 69 73 2c 66 75 6e 63 74 69 6f 6e 28 53 79 29 7b 76 61 72 20 6f 56 3d 61 30 6b 35 3b 73 77 69 74 63 68 28 53 79 5b 27 6c 61 62 65 6c 27 5d 29 7b 63 61 73 65 20 30 78 30 3a 72 65 74 75 72 6e 20 6b 70 28 29 7c 7c 6b 66 28 29 3f 28 53 67 3d 61 74 6f 62 2c 53 6f 3d 7b 27 61 62 70 49 6e 64 6f 27 3a 5b 6f 56 28 30 78 31 34 37 29 2c 6f 56 28 30 78 31 64 31 29 2c 6f 56 28 30 78 32 65 34 29 2c 6f 56 28 30 78 Data Ascii: var oM=C7,SC=(void 0x0===Sl?{}:Sl)[oM(0x425)];return k8(this,void 0x0,void 0x0,function(){var So,SF,SI,Sw,SD;return k9(this,function(Sy){var oV=a0k5;switch(Sy['label']){case 0x0:return kp()\|\|kf()?(Sg=atob,So={'abpIndo':[oV(0x147),oV(0x1d1),oV(0x2e4),oV(0x

Statistics

CPU Usage

• WINWORD.EXE
• chrome.exe
• chrome.exe

Click to jump to process

Memory Usage

• WINWORD.EXE
• chrome.exe
• chrome.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Click to jump to process

Target ID:	0
Start time:	02:56:54
Start date:	19/02/2025
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\Desktop\Axens_Jechan.lee.docx" /o ""
Imagebase:	0x240000
File size:	1'620'872 bytes
MD5 hash:	1A0C2C2E7D9C4BC18E91604E9B0C7678
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	02:57:00
Start date:	19/02/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://studiotokyo.com.br/box/fkfjkfjf/amVjaGFuLmxlZUBheGVucy5uZXQ=%25E3%2580%2582
Imagebase:	0x7ff7d6f10000
File size:	3'242'272 bytes
MD5 hash:	83395EAB5B03DEA9720F8D7AC0D15CAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	02:57:00
Start date:	19/02/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=2068,i,2146915433265339391,3391795401891623885,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff7d6f10000
File size:	3'242'272 bytes
MD5 hash:	83395EAB5B03DEA9720F8D7AC0D15CAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Description:	Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.
Tactics:	Persistence
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Process: Process Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Axens_Jechan.lee.docx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Phishing

Networking

System Summary

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

QR Codes

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

C:\Users\user\Desktop\~$ens_Jechan.lee.docx

Chrome Cache Entry: 79

Static File Info

General

File Icon

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Windows Analysis Report
Axens_Jechan.lee.docx