Edit tour

Windows Analysis Report
ref#298409_bill_attached_.htm

Overview

General Information

Sample Name:	ref#298409_bill_attached_.htm
Analysis ID:	854623
MD5:	81a2ef8b6871250d3c35aa694eef684e
SHA1:	3a3b177e92e7c8802619125e96c341ed4f084466
SHA256:	8c05086b1d23c33390b51616b738aaa3153143cbbb3a63deafd6724167b1ab77
Infos:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for domain / URL

Antivirus detection for URL or domain

HTML page contains hidden URLs or javascript code

HTML document with suspicious title

HTML document with suspicious name

JA3 SSL client fingerprint seen in connection with other malware

IP address seen in connection with other malware

HTML page is missing a favicon

Internet Provider seen in connection with other malware

Classification

Process Tree

System is w10x64native

chrome.exe (PID: 7708 cmdline: C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "C:\Users\user\Desktop\ref#298409_bill_attached_.htm MD5: 464953824E644F10FFDC9E093FD18F94)

chrome.exe (PID: 8252 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1696,1683236938277017309,9799927179460367727,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2024 /prefetch:8 MD5: 464953824E644F10FFDC9E093FD18F94)

cleanup

HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: CONSENT=YES+srp.gws-20210811-0-RC2.en+FX+979

Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.11.20:49787 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.11.20:49618 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.11.20:60553 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.11.20:50015 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.11.20:63304 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.11.20:50028 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.19.229.151:443 -> 192.168.11.20:52802 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.19.229.151:443 -> 192.168.11.20:52803 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.11.20:61770 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.11.20:56953 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.11.20:53793 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.11.20:55005 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.11.20:57327 version: TLS 1.2

System Summary

HTML document with suspicious name

Source: Name includes: ref#298409_bill_attached_.htm

Initial sample: bill

Source: classification engine

Classification label: mal68.phis.winHTM@42/0@4/8

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "C:\Users\user\Desktop\ref#298409_bill_attached_.htm
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1696,1683236938277017309,9799927179460367727,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2024 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1696,1683236938277017309,9799927179460367727,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2024 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	1 Process Injection	OS Credential Dumping	1 Network Service Scanning	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	3 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	4 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Ingress Tool Transfer	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ref#298409_bill_attached_.htm	0%	Virustotal		Browse
ref#298409_bill_attached_.htm	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
lmsconline.com	8%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://lmsconline.com/fishh/host[18]/admin/js/mp.php?ar=d29yZA==&b64e=WtZpQrRj&b64u=OcZtJBKoL&conf=CeTlZV&call=fwLrYhm	100%	Avira URL Cloud	phishing
https://lmsconline.com/fishh/host[18]/admin/js/mp.php?ar=d29yZA==&b64e=WtZpQrRj&b64u=OcZtJBKoL&conf=CeTlZV&call=fwLrYhm	4%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
accounts.google.com	142.250.185.77	true	false		high
lmsconline.com	198.54.121.168	true	true	8%, Virustotal, Browse	unknown
www.google.com	142.250.185.228	true	false		high
clients.l.google.com	142.250.185.78	true	false		high
clients2.google.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
file:///C:/Users/user/Desktop/ref%23298409_bill_attached_.htm	true		low
https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard	false		high
https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=94.0.4606.61&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1	false		high
https://lmsconline.com/fishh/host[18]/admin/js/mp.php?ar=d29yZA==&b64e=WtZpQrRj&b64u=OcZtJBKoL&conf=CeTlZV&call=fwLrYhm	true	4%, Virustotal, Browse Avira URL Cloud: phishing	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.185.77	accounts.google.com	United States	15169	GOOGLEUS	false
142.250.185.78	clients.l.google.com	United States	15169	GOOGLEUS	false
142.250.185.228	www.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
198.54.121.168	lmsconline.com	United States	22612	NAMECHEAP-NETUS	true

Private

IP
192.168.11.1
192.168.11.20
127.0.0.1

General Information

Joe Sandbox Version:	37.0.0 Beryl
Analysis ID:	854623
Start date and time:	2023-04-26 17:38:27 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowshtmlcookbook.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	ref#298409_bill_attached_.htm
Detection:	MAL
Classification:	mal68.phis.winHTM@42/0@4/8
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .htm

Warnings

Exclude process from analysis (whitelisted): CompPkgSrv.exe, WMIADAP.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.190.159.71, 20.190.159.73, 40.126.31.73, 20.190.159.64, 20.190.159.23, 40.126.31.67, 20.190.159.75, 20.190.159.4, 51.124.57.242, 20.82.207.122, 142.250.185.67, 34.104.35.123, 216.58.212.138, 142.250.185.202, 142.250.185.106, 142.250.186.170, 142.250.184.234, 172.217.18.106, 142.250.185.138, 142.250.185.74, 142.250.186.106, 142.250.185.234, 142.250.186.138, 142.250.74.202, 142.250.186.42, 172.217.16.138, 142.250.181.234, 142.250.185.170, 209.197.3.8, 142.250.186.35, 142.250.186.99, 142.250.181.227
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, www.tm.v6.a.prd.aadg.trafficmanager.net, wd-prod-cp-eu-north-2-fe.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, clientservices.googleapis.com, wdcp.microsoft.com, wd-prod-cp.trafficmanager.net, login.msa.msidentity.com, prdv6a.aadg.msidentity.com, wdcpalt.microsoft.com, edgedl.me.gvt1.com, login.live.com, update.googleapis.com, www.gstatic.com, www.tm.lg.prod.aadmsa.trafficmanager.net, wd-prod-cp-eu-west-3-fe.westeurope.cloudapp.azure.com, optimizationguide-pa.googleapis.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
239.255.255.250	FAX-8438333.shtm	Get hash	malicious	HTMLPhisher	Browse
	https://zjldkpuzuu642e7e3f8dd17.filedocs.ru/	Get hash	malicious	Unknown	Browse
	sample.html	Get hash	malicious	HTMLPhisher	Browse
	https://ncv.microsoft.com/rrIWDdTZMs	Get hash	malicious	HTMLPhisher	Browse
	https://brightideasfortheweb.com/lsi4b	Get hash	malicious	NetSupport RAT, Phisher	Browse
	https://zjldkpuzuu642e7e3f8dd17.filedocs.ru/	Get hash	malicious	Unknown	Browse
	TriMPFPatch56form20230426.exe	Get hash	malicious	Unknown	Browse
	https://bit.ly/3Zuk1jX	Get hash	malicious	Unknown	Browse
	#Ufe0fAch_Receipt#U2022.htm	Get hash	malicious	HTMLPhisher	Browse
	http://newslettertracker.poweredbyintegra.dk/nyhedsbrev_statstracker.asp?bio=aarhusc&newsletter_ID=555&Code=104&Text=https%3A%2F%2Fwww.paradisbio.dk%2Fmovie_details%2F12051&Url=http%3A%2F%2Fwww.399529.399529.tierramarilla.com/?code=cmt1cmlhbkBhY2Mub3Jn	Get hash	malicious	Unknown	Browse
	https://epiprod.be/Verify/verification/login	Get hash	malicious	Unknown	Browse
	http://www.lobbydesires.com	Get hash	malicious	Unknown	Browse
	Payment_009883467563.htm	Get hash	malicious	HTMLPhisher	Browse
	https://www.listreports.com/tracking/clicks?redirect=https%3A%2F%2Fswandiwe.biakkab.go.id%2F/%2Femail%2Fverification%2Fiyejts%2F%2F%2F%2FZ3JwLWhsLWJvcEBkZW1lLWdyb3VwLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse
	Ref04262370056.html	Get hash	malicious	Unknown	Browse
	http://newslettertracker.poweredbyintegra.dk/nyhedsbrev_statstracker.asp?bio=aarhusc&newsletter_ID=555&Code=104&Text=https%3A%2F%2Fwww.paradisbio.dk%2Fmovie_details%2F12051&Url=http%3A%2F%2Fwww.399529.399529.tierramarilla.com/?code=cmt1cmlhbkBhY2Mub3Jn	Get hash	malicious	Unknown	Browse
	https://app.uptics.io:8443/v1/crm/email/track-email-clicks?email_id=622d45b7298161200c1ea14c&url=https://ecolebiblique.com//onedriverjs/index.php	Get hash	malicious	Unknown	Browse
	http://estetik.com.tr/IT0008626299102g	Get hash	malicious	Unknown	Browse
	https://pages.qwilr.com/Sales-Proposal-KaMKPbR1amgx	Get hash	malicious	Unknown	Browse
	https://www.listreports.com/tracking/clicks?redirect=https%3A%2F%2Fswandiwe.biakkab.go.id%2F/%2Femail%2Fverification%2Fel880y%2F%2F%2F%2Fam1nQHN0YXJ0Y2FtcHVzLnB0	Get hash	malicious	HTMLPhisher	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NAMECHEAP-NETUS	https://www.pure17go.com.tw/link/6387/?edm_redirect_url=///slimsirishpub.com/wp-admin/user/juo/fghg/dfgd/gins/grins/hgsdhsd/sdhjksd/jstarus@heniff.com&c=E,1,KFajQKetKl4KDSljwDfQukPcdkOQqgApwfe3JhZbGBr0W-2n8d_m4mSZuYJ6aZAOkcJ3XYT2GtOkGGpzzz0xgO71cvoAWC4z2ZtkqlXvPmCRdWWUgsV2SA,,&typo=1	Get hash	malicious	ReCaptcha Phish	Browse	162.213.255.15
	PO_3534272.exe	Get hash	malicious	FormBook	Browse	198.54.117.217
	ThridstageFormBook.exe	Get hash	malicious	FormBook	Browse	199.192.23.224
	https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwivk5Lq_8b-AhWiV6QEHQnHAiwQFnoECAsQAQ&url=http://elanist.com/&usg=AOvVaw3xU27EPOBqpRf_VXU1mKq-	Get hash	malicious	Unknown	Browse	185.61.154.18
	IMG-Scanned_POs#_PSB-17398902,_PSB-18384789.exe	Get hash	malicious	AgentTesla	Browse	162.213.253.35
	ref_CUNA._N#U00b0_4649_M#U00e9xico_RE_Solicitud_de_pedido.exe	Get hash	malicious	FormBook	Browse	199.192.30.147
	IMG_6087721402pdf.exe	Get hash	malicious	AgentTesla	Browse	198.54.116.202
	IFuIF5JyoX.exe	Get hash	malicious	AgentTesla, zgRAT	Browse	198.54.121.225
	IMG_31802_88213pdf.exe	Get hash	malicious	AgentTesla	Browse	198.54.116.202
	GHXCGHXCGJXC.exe	Get hash	malicious	FormBook	Browse	199.192.23.224
	order.exe	Get hash	malicious	FormBook, GuLoader	Browse	162.0.236.127
	PO.4500129697.exe	Get hash	malicious	AgentTesla, zgRAT	Browse	198.54.121.225
	bogmAxuVqu.exe	Get hash	malicious	FormBook	Browse	198.54.117.216
	https://highstoneglobaluniversityus.com/eraclides	Get hash	malicious	HTMLPhisher	Browse	198.54.116.248
	7lxGoG5dSB.exe	Get hash	malicious	FormBook	Browse	198.54.117.211
	z35INV-A66G-B100.exe	Get hash	malicious	FormBook	Browse	199.192.22.198
	PURCHASE_ORDER.exe	Get hash	malicious	AgentTesla	Browse	162.213.253.35
	TnXF6ibqRB.dll	Get hash	malicious	CobaltStrike	Browse	162.255.119.38
	PO_383822.doc	Get hash	malicious	FormBook	Browse	63.250.44.94
	INV736103251059.xll	Get hash	malicious	AgentTesla, zgRAT	Browse	162.0.235.116

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	https://ncv.microsoft.com/rrIWDdTZMs	Get hash	malicious	HTMLPhisher	Browse	2.19.229.151
	cryptor.exe	Get hash	malicious	Conti	Browse	2.19.229.151
	cryptor.exe	Get hash	malicious	Conti	Browse	2.19.229.151
	cryptor.exe	Get hash	malicious	Unknown	Browse	2.19.229.151
	cryptor.exe	Get hash	malicious	Unknown	Browse	2.19.229.151
	cryptor.exe	Get hash	malicious	Unknown	Browse	2.19.229.151
	http://67.225.140.4	Get hash	malicious	Unknown	Browse	2.19.229.151
	90729.002L-billing Cn 2023.04.html	Get hash	malicious	HTMLPhisher	Browse	2.19.229.151
	Northerntrust-Contract826547826547 #U00e2#U20ac#U00ae#U00e2#U20ac#U00ae#U00e2#U20ac#U00ae3pm.htm	Get hash	malicious	HTMLPhisher	Browse	2.19.229.151
	http://78.47.204.80	Get hash	malicious	Unknown	Browse	2.19.229.151
	https://omnatuor.com/	Get hash	malicious	Unknown	Browse	2.19.229.151
	https://r20.rs6.net/tn.jsp?f=001kD8Zx_knLaqNhPOIRgaa-pZEs0F9lD9ewcqk9S5Lh34DP2SmhKhhEqVcvS0ZE08tOuooZyKU_EAS69oyrTUHWOQZ6u0Kjfco-CSTyVtX_IYVTBS4eonKlLGP441AyQT5uTuR7KHn9uVJt_v90lxyMQ==&__=?x=cXVhbmctdmluaC5sZUBicmVkLmZy	Get hash	malicious	Captcha Phish	Browse	2.19.229.151
	(84) Wells-Fargo Payoff G-T 13 April, 2023 #40580.htm	Get hash	malicious	HTMLPhisher	Browse	2.19.229.151
	http://spo76rt28r.com	Get hash	malicious	Unknown	Browse	2.19.229.151
	Caller02067646.htm	Get hash	malicious	HTMLPhisher	Browse	2.19.229.151
	https://pgazz.pages.dev/	Get hash	malicious	Unknown	Browse	2.19.229.151
	https://fumefresheners.com	Get hash	malicious	Unknown	Browse	2.19.229.151
	https://lcfmp.com.au/lane-cove-medical-team	Get hash	malicious	Unknown	Browse	2.19.229.151
	https://lderkd.clinicaragaalbacete.com/bnx/	Get hash	malicious	HTMLPhisher	Browse	2.19.229.151
	cryptor.exe	Get hash	malicious	Unknown	Browse	2.19.229.151
3b5074b1b5d032e5620f69f9f700ff0e	PO_20230525.vbs	Get hash	malicious	Remcos	Browse	40.113.103.199
	INVOICE-502.vbs	Get hash	malicious	Remcos	Browse	40.113.103.199
	Airwaybill_and_Shipping_Documents.exe	Get hash	malicious	Snake Keylogger, StormKitty	Browse	40.113.103.199
	inquiry_details.scr.exe	Get hash	malicious	AgentTesla	Browse	40.113.103.199
	DOC-BVCG6655-76854345679876542345876.exe	Get hash	malicious	AgentTesla	Browse	40.113.103.199
	SOA.exe	Get hash	malicious	AgentTesla	Browse	40.113.103.199
	Products_Quote_439607108.exe	Get hash	malicious	AgentTesla	Browse	40.113.103.199
	ark.exe	Get hash	malicious	AgentTesla	Browse	40.113.103.199
	BL4053821896.xlsx.exe	Get hash	malicious	AgentTesla	Browse	40.113.103.199
	New_Order_pdf.exe	Get hash	malicious	AgentTesla, zgRAT	Browse	40.113.103.199
	Pedido_2523068.exe	Get hash	malicious	AgentTesla	Browse	40.113.103.199
	DOC-JHhHhHh55-76854345679876542345876.exe	Get hash	malicious	AgentTesla	Browse	40.113.103.199
	00437900113701.exe	Get hash	malicious	AgentTesla, zgRAT	Browse	40.113.103.199
	TT_copy.exe	Get hash	malicious	AgentTesla	Browse	40.113.103.199
	RFQ#985743-EQUIPMENT.exe	Get hash	malicious	AgentTesla	Browse	40.113.103.199
	CPdeoR7z78.exe	Get hash	malicious	MinerDownloader, Laplas Clipper, RedLine, Xmrig	Browse	40.113.103.199
	SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe	Get hash	malicious	RedLine, zgRAT	Browse	40.113.103.199
	Zaplata,jpeg.exe	Get hash	malicious	AgentTesla	Browse	40.113.103.199
	INQUIRY_0809309072023.exe	Get hash	malicious	AveMaria, UACMe	Browse	40.113.103.199
	PO2201235_T2-VEYA-Q000054033-T2.exe	Get hash	malicious	AgentTesla	Browse	40.113.103.199

File type:	HTML document, ASCII text, with very long lines (792), with CRLF line terminators
Entropy (8bit):	5.849495247440236
TrID:	HyperText Markup Language (12001/1) 66.65% HyperText Markup Language (6006/1) 33.35%
File name:	ref#298409_bill_attached_.htm
File size:	2372
MD5:	81a2ef8b6871250d3c35aa694eef684e
SHA1:	3a3b177e92e7c8802619125e96c341ed4f084466
SHA256:	8c05086b1d23c33390b51616b738aaa3153143cbbb3a63deafd6724167b1ab77
SHA512:	8c3015e7082e87b3617b6bc8199c89bfe3195e6e475d166345f2e2c4c029c91cb46f94318ecf459694eb4e84621af8780f6332981194e4b0eed3d36826ff9589
SSDEEP:	48:nPiV1z11HOnJXR01Af238kXZEp0vz6OoI1xgcRsYfxcq:kx1un9R0GQZjzh1O+sUxl
TLSH:	E641B8B45E7CEF37A50F0EFBBED08769B2935282D740234A07D4B45B1007AE78638690
File Content Preview:	<html>..<head>..<ol class="QSNUPQz KrrDguWOzN" id="bvmeiEb" title="yMDhFkT" ></ol>..</head>..<body>..<bdo class="dVGsis SKIbHL" id="fMNUDNgX" title="kdDLijodr" ></bdo>....<input class="xAPNwopids" type="hidden" id="OcZtJBKoL" value="aHR0cHM6Ly9sbXNjb25saW

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 26, 2023 17:42:04.460486889 CEST	443	49780	52.165.165.26	192.168.11.20
Apr 26, 2023 17:42:04.461064100 CEST	49780	443	192.168.11.20	52.165.165.26
Apr 26, 2023 17:42:04.461141109 CEST	443	49780	52.165.165.26	192.168.11.20
Apr 26, 2023 17:42:04.461410999 CEST	49780	443	192.168.11.20	52.165.165.26
Apr 26, 2023 17:42:04.461462021 CEST	443	49780	52.165.165.26	192.168.11.20
Apr 26, 2023 17:42:04.694639921 CEST	443	49780	52.165.165.26	192.168.11.20
Apr 26, 2023 17:42:04.694822073 CEST	443	49780	52.165.165.26	192.168.11.20
Apr 26, 2023 17:42:04.694925070 CEST	443	49780	52.165.165.26	192.168.11.20
Apr 26, 2023 17:42:04.695050001 CEST	49780	443	192.168.11.20	52.165.165.26
Apr 26, 2023 17:42:04.695116997 CEST	443	49780	52.165.165.26	192.168.11.20
Apr 26, 2023 17:42:04.695149899 CEST	49780	443	192.168.11.20	52.165.165.26
Apr 26, 2023 17:42:04.695149899 CEST	49780	443	192.168.11.20	52.165.165.26
Apr 26, 2023 17:42:04.695282936 CEST	49780	443	192.168.11.20	52.165.165.26
Apr 26, 2023 17:42:04.695326090 CEST	443	49780	52.165.165.26	192.168.11.20
Apr 26, 2023 17:42:04.695538044 CEST	49780	443	192.168.11.20	52.165.165.26
Apr 26, 2023 17:42:04.695585012 CEST	443	49780	52.165.165.26	192.168.11.20
Apr 26, 2023 17:42:04.695616007 CEST	49780	443	192.168.11.20	52.165.165.26
Apr 26, 2023 17:42:04.695753098 CEST	49780	443	192.168.11.20	52.165.165.26
Apr 26, 2023 17:42:04.696429968 CEST	49780	443	192.168.11.20	52.165.165.26
Apr 26, 2023 17:42:04.696429968 CEST	49780	443	192.168.11.20	52.165.165.26
Apr 26, 2023 17:42:04.696481943 CEST	443	49780	52.165.165.26	192.168.11.20
Apr 26, 2023 17:42:04.696501970 CEST	443	49780	52.165.165.26	192.168.11.20
Apr 26, 2023 17:42:04.725509882 CEST	49776	80	192.168.11.20	93.184.221.240
Apr 26, 2023 17:42:08.124861956 CEST	80	49674	192.229.221.95	192.168.11.20
Apr 26, 2023 17:42:08.125236034 CEST	49674	80	192.168.11.20	192.229.221.95
Apr 26, 2023 17:42:08.363667011 CEST	49787	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:42:08.363754988 CEST	443	49787	40.113.103.199	192.168.11.20
Apr 26, 2023 17:42:08.363955021 CEST	49787	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:42:08.365210056 CEST	49787	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:42:08.365283012 CEST	443	49787	40.113.103.199	192.168.11.20
Apr 26, 2023 17:42:08.455955982 CEST	443	49787	40.113.103.199	192.168.11.20
Apr 26, 2023 17:42:08.456182957 CEST	49787	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:42:08.459880114 CEST	49787	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:42:08.459892988 CEST	443	49787	40.113.103.199	192.168.11.20
Apr 26, 2023 17:42:08.460192919 CEST	443	49787	40.113.103.199	192.168.11.20
Apr 26, 2023 17:42:08.462925911 CEST	49787	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:42:08.463131905 CEST	49787	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:42:08.463143110 CEST	443	49787	40.113.103.199	192.168.11.20
Apr 26, 2023 17:42:08.463329077 CEST	49787	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:42:08.483043909 CEST	443	49787	40.113.103.199	192.168.11.20
Apr 26, 2023 17:42:08.483141899 CEST	443	49787	40.113.103.199	192.168.11.20
Apr 26, 2023 17:42:08.483380079 CEST	49787	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:42:08.483547926 CEST	49787	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:42:08.483561993 CEST	443	49787	40.113.103.199	192.168.11.20
Apr 26, 2023 17:42:14.167610884 CEST	64478	443	192.168.11.20	142.250.185.78
Apr 26, 2023 17:42:14.167694092 CEST	443	64478	142.250.185.78	192.168.11.20
Apr 26, 2023 17:42:14.167917013 CEST	64478	443	192.168.11.20	142.250.185.78
Apr 26, 2023 17:42:14.168061018 CEST	64478	443	192.168.11.20	142.250.185.78
Apr 26, 2023 17:42:14.168096066 CEST	443	64478	142.250.185.78	192.168.11.20
Apr 26, 2023 17:42:14.168226957 CEST	56872	443	192.168.11.20	142.250.185.77
Apr 26, 2023 17:42:14.168350935 CEST	443	56872	142.250.185.77	192.168.11.20
Apr 26, 2023 17:42:14.168493032 CEST	56872	443	192.168.11.20	142.250.185.77
Apr 26, 2023 17:42:14.168637991 CEST	56872	443	192.168.11.20	142.250.185.77
Apr 26, 2023 17:42:14.168695927 CEST	443	56872	142.250.185.77	192.168.11.20
Apr 26, 2023 17:42:14.241398096 CEST	443	64478	142.250.185.78	192.168.11.20
Apr 26, 2023 17:42:14.247575045 CEST	64478	443	192.168.11.20	142.250.185.78
Apr 26, 2023 17:42:14.247591972 CEST	443	64478	142.250.185.78	192.168.11.20
Apr 26, 2023 17:42:14.248167992 CEST	443	64478	142.250.185.78	192.168.11.20
Apr 26, 2023 17:42:14.248378038 CEST	64478	443	192.168.11.20	142.250.185.78
Apr 26, 2023 17:42:14.248728037 CEST	443	64478	142.250.185.78	192.168.11.20
Apr 26, 2023 17:42:14.248891115 CEST	64478	443	192.168.11.20	142.250.185.78
Apr 26, 2023 17:42:14.257309914 CEST	443	56872	142.250.185.77	192.168.11.20
Apr 26, 2023 17:42:14.257798910 CEST	56872	443	192.168.11.20	142.250.185.77
Apr 26, 2023 17:42:14.257808924 CEST	443	56872	142.250.185.77	192.168.11.20
Apr 26, 2023 17:42:14.259330988 CEST	443	56872	142.250.185.77	192.168.11.20
Apr 26, 2023 17:42:14.259521008 CEST	56872	443	192.168.11.20	142.250.185.77
Apr 26, 2023 17:42:14.268594980 CEST	80	49701	192.229.221.95	192.168.11.20
Apr 26, 2023 17:42:14.268837929 CEST	49701	80	192.168.11.20	192.229.221.95
Apr 26, 2023 17:42:14.292699099 CEST	56872	443	192.168.11.20	142.250.185.77
Apr 26, 2023 17:42:14.292699099 CEST	56872	443	192.168.11.20	142.250.185.77
Apr 26, 2023 17:42:14.292728901 CEST	64478	443	192.168.11.20	142.250.185.78
Apr 26, 2023 17:42:14.292756081 CEST	443	56872	142.250.185.77	192.168.11.20
Apr 26, 2023 17:42:14.292756081 CEST	64478	443	192.168.11.20	142.250.185.78
Apr 26, 2023 17:42:14.292783022 CEST	443	64478	142.250.185.78	192.168.11.20
Apr 26, 2023 17:42:14.292839050 CEST	443	56872	142.250.185.77	192.168.11.20
Apr 26, 2023 17:42:14.292859077 CEST	443	64478	142.250.185.78	192.168.11.20
Apr 26, 2023 17:42:14.317600012 CEST	443	64478	142.250.185.78	192.168.11.20
Apr 26, 2023 17:42:14.317756891 CEST	443	64478	142.250.185.78	192.168.11.20
Apr 26, 2023 17:42:14.317852974 CEST	64478	443	192.168.11.20	142.250.185.78
Apr 26, 2023 17:42:14.318020105 CEST	64478	443	192.168.11.20	142.250.185.78
Apr 26, 2023 17:42:14.318656921 CEST	64478	443	192.168.11.20	142.250.185.78
Apr 26, 2023 17:42:14.318669081 CEST	443	64478	142.250.185.78	192.168.11.20
Apr 26, 2023 17:42:14.334467888 CEST	443	56872	142.250.185.77	192.168.11.20
Apr 26, 2023 17:42:14.334703922 CEST	56872	443	192.168.11.20	142.250.185.77
Apr 26, 2023 17:42:14.334733009 CEST	443	56872	142.250.185.77	192.168.11.20
Apr 26, 2023 17:42:14.334753036 CEST	443	56872	142.250.185.77	192.168.11.20
Apr 26, 2023 17:42:14.334934950 CEST	56872	443	192.168.11.20	142.250.185.77
Apr 26, 2023 17:42:14.335844994 CEST	56872	443	192.168.11.20	142.250.185.77
Apr 26, 2023 17:42:14.335875988 CEST	443	56872	142.250.185.77	192.168.11.20
Apr 26, 2023 17:42:14.398478985 CEST	49618	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:42:14.398525000 CEST	443	49618	40.113.103.199	192.168.11.20
Apr 26, 2023 17:42:14.398730993 CEST	49618	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:42:14.399108887 CEST	49618	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:42:14.399139881 CEST	443	49618	40.113.103.199	192.168.11.20
Apr 26, 2023 17:42:14.483674049 CEST	443	49618	40.113.103.199	192.168.11.20
Apr 26, 2023 17:42:14.483928919 CEST	49618	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:42:14.485094070 CEST	49618	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:42:14.485115051 CEST	443	49618	40.113.103.199	192.168.11.20
Apr 26, 2023 17:42:14.485630989 CEST	443	49618	40.113.103.199	192.168.11.20
Apr 26, 2023 17:42:14.486762047 CEST	49618	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:42:14.486792088 CEST	49618	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:42:14.486807108 CEST	443	49618	40.113.103.199	192.168.11.20
Apr 26, 2023 17:42:14.486931086 CEST	49618	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:42:14.492846966 CEST	56468	443	192.168.11.20	198.54.121.168
Apr 26, 2023 17:42:14.492896080 CEST	443	56468	198.54.121.168	192.168.11.20
Apr 26, 2023 17:42:14.493045092 CEST	56468	443	192.168.11.20	198.54.121.168
Apr 26, 2023 17:42:14.493240118 CEST	56468	443	192.168.11.20	198.54.121.168
Apr 26, 2023 17:42:14.493275881 CEST	443	56468	198.54.121.168	192.168.11.20
Apr 26, 2023 17:42:14.507308006 CEST	443	49618	40.113.103.199	192.168.11.20
Apr 26, 2023 17:42:14.507498980 CEST	443	49618	40.113.103.199	192.168.11.20
Apr 26, 2023 17:42:14.507659912 CEST	49618	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:42:14.508811951 CEST	49618	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:42:14.508811951 CEST	49618	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:42:14.508850098 CEST	443	49618	40.113.103.199	192.168.11.20
Apr 26, 2023 17:42:14.891060114 CEST	443	56468	198.54.121.168	192.168.11.20
Apr 26, 2023 17:42:14.891531944 CEST	56468	443	192.168.11.20	198.54.121.168
Apr 26, 2023 17:42:14.891554117 CEST	443	56468	198.54.121.168	192.168.11.20
Apr 26, 2023 17:42:14.893729925 CEST	443	56468	198.54.121.168	192.168.11.20
Apr 26, 2023 17:42:14.893939018 CEST	56468	443	192.168.11.20	198.54.121.168
Apr 26, 2023 17:42:14.895230055 CEST	56468	443	192.168.11.20	198.54.121.168
Apr 26, 2023 17:42:14.895323038 CEST	56468	443	192.168.11.20	198.54.121.168
Apr 26, 2023 17:42:14.895338058 CEST	443	56468	198.54.121.168	192.168.11.20
Apr 26, 2023 17:42:14.895411968 CEST	443	56468	198.54.121.168	192.168.11.20
Apr 26, 2023 17:42:14.942538023 CEST	56468	443	192.168.11.20	198.54.121.168
Apr 26, 2023 17:42:14.942564011 CEST	443	56468	198.54.121.168	192.168.11.20
Apr 26, 2023 17:42:14.990468025 CEST	56468	443	192.168.11.20	198.54.121.168
Apr 26, 2023 17:42:15.273087025 CEST	443	56468	198.54.121.168	192.168.11.20
Apr 26, 2023 17:42:15.273396969 CEST	443	56468	198.54.121.168	192.168.11.20
Apr 26, 2023 17:42:15.273586035 CEST	56468	443	192.168.11.20	198.54.121.168
Apr 26, 2023 17:42:15.274291992 CEST	56468	443	192.168.11.20	198.54.121.168
Apr 26, 2023 17:42:15.274291992 CEST	56468	443	192.168.11.20	198.54.121.168
Apr 26, 2023 17:42:15.274355888 CEST	443	56468	198.54.121.168	192.168.11.20
Apr 26, 2023 17:42:15.274573088 CEST	56468	443	192.168.11.20	198.54.121.168
Apr 26, 2023 17:42:15.603521109 CEST	80	49718	192.229.221.95	192.168.11.20
Apr 26, 2023 17:42:15.603723049 CEST	49718	80	192.168.11.20	192.229.221.95
Apr 26, 2023 17:42:18.543601036 CEST	60553	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:42:18.543664932 CEST	443	60553	40.113.103.199	192.168.11.20
Apr 26, 2023 17:42:18.543977976 CEST	60553	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:42:18.544378042 CEST	60553	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:42:18.544416904 CEST	443	60553	40.113.103.199	192.168.11.20
Apr 26, 2023 17:42:18.622989893 CEST	443	60553	40.113.103.199	192.168.11.20
Apr 26, 2023 17:42:18.623229027 CEST	60553	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:42:18.624507904 CEST	60553	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:42:18.624537945 CEST	443	60553	40.113.103.199	192.168.11.20
Apr 26, 2023 17:42:18.625202894 CEST	443	60553	40.113.103.199	192.168.11.20
Apr 26, 2023 17:42:18.626607895 CEST	60553	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:42:18.626609087 CEST	60553	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:42:18.626656055 CEST	443	60553	40.113.103.199	192.168.11.20
Apr 26, 2023 17:42:18.626674891 CEST	60553	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:42:18.645963907 CEST	443	60553	40.113.103.199	192.168.11.20
Apr 26, 2023 17:42:18.646167994 CEST	443	60553	40.113.103.199	192.168.11.20
Apr 26, 2023 17:42:18.646303892 CEST	60553	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:42:18.646353960 CEST	60553	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:42:18.646354914 CEST	60553	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:42:18.646403074 CEST	443	60553	40.113.103.199	192.168.11.20
Apr 26, 2023 17:42:18.792617083 CEST	52532	443	192.168.11.20	142.250.185.228
Apr 26, 2023 17:42:18.792706013 CEST	443	52532	142.250.185.228	192.168.11.20
Apr 26, 2023 17:42:18.792742014 CEST	51368	443	192.168.11.20	142.250.185.228
Apr 26, 2023 17:42:18.792779922 CEST	443	51368	142.250.185.228	192.168.11.20
Apr 26, 2023 17:42:18.792931080 CEST	52532	443	192.168.11.20	142.250.185.228
Apr 26, 2023 17:42:18.792931080 CEST	51368	443	192.168.11.20	142.250.185.228
Apr 26, 2023 17:42:18.793123007 CEST	52532	443	192.168.11.20	142.250.185.228
Apr 26, 2023 17:42:18.793174982 CEST	443	52532	142.250.185.228	192.168.11.20
Apr 26, 2023 17:42:18.793191910 CEST	51368	443	192.168.11.20	142.250.185.228
Apr 26, 2023 17:42:18.793210030 CEST	443	51368	142.250.185.228	192.168.11.20
Apr 26, 2023 17:42:18.875330925 CEST	443	52532	142.250.185.228	192.168.11.20
Apr 26, 2023 17:42:18.875811100 CEST	52532	443	192.168.11.20	142.250.185.228
Apr 26, 2023 17:42:18.875824928 CEST	443	52532	142.250.185.228	192.168.11.20
Apr 26, 2023 17:42:18.877072096 CEST	443	52532	142.250.185.228	192.168.11.20
Apr 26, 2023 17:42:18.877245903 CEST	52532	443	192.168.11.20	142.250.185.228
Apr 26, 2023 17:42:18.878624916 CEST	52532	443	192.168.11.20	142.250.185.228
Apr 26, 2023 17:42:18.878707886 CEST	443	52532	142.250.185.228	192.168.11.20
Apr 26, 2023 17:42:18.881547928 CEST	443	51368	142.250.185.228	192.168.11.20
Apr 26, 2023 17:42:18.881867886 CEST	51368	443	192.168.11.20	142.250.185.228
Apr 26, 2023 17:42:18.881879091 CEST	443	51368	142.250.185.228	192.168.11.20
Apr 26, 2023 17:42:18.883160114 CEST	443	51368	142.250.185.228	192.168.11.20
Apr 26, 2023 17:42:18.883331060 CEST	51368	443	192.168.11.20	142.250.185.228
Apr 26, 2023 17:42:18.884437084 CEST	51368	443	192.168.11.20	142.250.185.228
Apr 26, 2023 17:42:18.884520054 CEST	443	51368	142.250.185.228	192.168.11.20
Apr 26, 2023 17:42:18.921880960 CEST	52532	443	192.168.11.20	142.250.185.228
Apr 26, 2023 17:42:18.921895027 CEST	443	52532	142.250.185.228	192.168.11.20
Apr 26, 2023 17:42:18.937623978 CEST	51368	443	192.168.11.20	142.250.185.228
Apr 26, 2023 17:42:18.937643051 CEST	443	51368	142.250.185.228	192.168.11.20
Apr 26, 2023 17:42:18.968842983 CEST	52532	443	192.168.11.20	142.250.185.228
Apr 26, 2023 17:42:18.984518051 CEST	51368	443	192.168.11.20	142.250.185.228
Apr 26, 2023 17:42:28.861421108 CEST	443	52532	142.250.185.228	192.168.11.20
Apr 26, 2023 17:42:28.861655951 CEST	443	52532	142.250.185.228	192.168.11.20
Apr 26, 2023 17:42:28.861784935 CEST	52532	443	192.168.11.20	142.250.185.228
Apr 26, 2023 17:42:28.877963066 CEST	443	51368	142.250.185.228	192.168.11.20
Apr 26, 2023 17:42:28.878165960 CEST	443	51368	142.250.185.228	192.168.11.20
Apr 26, 2023 17:42:28.878393888 CEST	51368	443	192.168.11.20	142.250.185.228
Apr 26, 2023 17:42:30.319164038 CEST	52532	443	192.168.11.20	142.250.185.228
Apr 26, 2023 17:42:30.319164038 CEST	51368	443	192.168.11.20	142.250.185.228
Apr 26, 2023 17:42:30.319247007 CEST	443	52532	142.250.185.228	192.168.11.20
Apr 26, 2023 17:42:30.319271088 CEST	443	51368	142.250.185.228	192.168.11.20
Apr 26, 2023 17:42:31.574047089 CEST	50015	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:42:31.574110031 CEST	443	50015	40.113.103.199	192.168.11.20
Apr 26, 2023 17:42:31.574405909 CEST	50015	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:42:31.574903011 CEST	50015	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:42:31.574942112 CEST	443	50015	40.113.103.199	192.168.11.20
Apr 26, 2023 17:42:31.663876057 CEST	443	50015	40.113.103.199	192.168.11.20
Apr 26, 2023 17:42:31.664122105 CEST	50015	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:42:31.665363073 CEST	50015	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:42:31.665391922 CEST	443	50015	40.113.103.199	192.168.11.20
Apr 26, 2023 17:42:31.666014910 CEST	443	50015	40.113.103.199	192.168.11.20
Apr 26, 2023 17:42:31.667460918 CEST	50015	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:42:31.667462111 CEST	50015	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:42:31.667496920 CEST	443	50015	40.113.103.199	192.168.11.20
Apr 26, 2023 17:42:31.667510033 CEST	50015	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:42:31.688599110 CEST	443	50015	40.113.103.199	192.168.11.20
Apr 26, 2023 17:42:31.688698053 CEST	443	50015	40.113.103.199	192.168.11.20
Apr 26, 2023 17:42:31.688873053 CEST	50015	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:42:31.689049959 CEST	50015	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:42:31.689078093 CEST	443	50015	40.113.103.199	192.168.11.20
Apr 26, 2023 17:42:38.365844965 CEST	63304	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:42:38.365936041 CEST	443	63304	40.113.103.199	192.168.11.20
Apr 26, 2023 17:42:38.366197109 CEST	63304	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:42:38.366615057 CEST	63304	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:42:38.366655111 CEST	443	63304	40.113.103.199	192.168.11.20
Apr 26, 2023 17:42:38.458204031 CEST	443	63304	40.113.103.199	192.168.11.20
Apr 26, 2023 17:42:38.458523989 CEST	63304	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:42:38.459978104 CEST	63304	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:42:38.460055113 CEST	443	63304	40.113.103.199	192.168.11.20
Apr 26, 2023 17:42:38.461055040 CEST	443	63304	40.113.103.199	192.168.11.20
Apr 26, 2023 17:42:38.462655067 CEST	63304	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:42:38.462656021 CEST	63304	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:42:38.462722063 CEST	443	63304	40.113.103.199	192.168.11.20
Apr 26, 2023 17:42:38.462742090 CEST	63304	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:42:38.483978987 CEST	443	63304	40.113.103.199	192.168.11.20
Apr 26, 2023 17:42:38.484333992 CEST	443	63304	40.113.103.199	192.168.11.20
Apr 26, 2023 17:42:38.484566927 CEST	63304	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:42:38.484648943 CEST	63304	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:42:38.484648943 CEST	63304	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:42:38.484711885 CEST	443	63304	40.113.103.199	192.168.11.20
Apr 26, 2023 17:42:48.490067959 CEST	49753	80	192.168.11.20	104.102.53.110
Apr 26, 2023 17:42:48.490179062 CEST	49751	443	192.168.11.20	104.102.19.44
Apr 26, 2023 17:42:48.490180016 CEST	49752	443	192.168.11.20	104.102.19.44
Apr 26, 2023 17:42:48.490200043 CEST	49754	443	192.168.11.20	35.186.224.25
Apr 26, 2023 17:42:48.499377012 CEST	443	49751	104.102.19.44	192.168.11.20
Apr 26, 2023 17:42:48.499439001 CEST	443	49751	104.102.19.44	192.168.11.20
Apr 26, 2023 17:42:48.499480963 CEST	443	49752	104.102.19.44	192.168.11.20
Apr 26, 2023 17:42:48.499521971 CEST	443	49752	104.102.19.44	192.168.11.20
Apr 26, 2023 17:42:48.499533892 CEST	49751	443	192.168.11.20	104.102.19.44
Apr 26, 2023 17:42:48.499610901 CEST	49751	443	192.168.11.20	104.102.19.44
Apr 26, 2023 17:42:48.499665022 CEST	49752	443	192.168.11.20	104.102.19.44
Apr 26, 2023 17:42:48.499711990 CEST	49752	443	192.168.11.20	104.102.19.44
Apr 26, 2023 17:42:48.500979900 CEST	80	49753	104.102.53.110	192.168.11.20
Apr 26, 2023 17:42:48.501231909 CEST	49753	80	192.168.11.20	104.102.53.110
Apr 26, 2023 17:42:48.506067038 CEST	443	49754	35.186.224.25	192.168.11.20
Apr 26, 2023 17:42:48.506300926 CEST	49754	443	192.168.11.20	35.186.224.25
Apr 26, 2023 17:42:48.616878033 CEST	49757	443	192.168.11.20	2.19.228.7
Apr 26, 2023 17:42:48.616878986 CEST	49755	443	192.168.11.20	2.19.228.7
Apr 26, 2023 17:42:48.616949081 CEST	49756	443	192.168.11.20	2.19.228.7
Apr 26, 2023 17:42:48.617053986 CEST	49758	80	192.168.11.20	192.229.221.95
Apr 26, 2023 17:42:48.625848055 CEST	50028	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:42:48.625938892 CEST	443	50028	40.113.103.199	192.168.11.20
Apr 26, 2023 17:42:48.626163006 CEST	50028	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:42:48.626462936 CEST	50028	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:42:48.626518011 CEST	443	50028	40.113.103.199	192.168.11.20
Apr 26, 2023 17:42:48.703768015 CEST	443	50028	40.113.103.199	192.168.11.20
Apr 26, 2023 17:42:48.704274893 CEST	50028	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:42:48.705693960 CEST	50028	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:42:48.705714941 CEST	443	50028	40.113.103.199	192.168.11.20
Apr 26, 2023 17:42:48.706182003 CEST	443	50028	40.113.103.199	192.168.11.20
Apr 26, 2023 17:42:48.707576036 CEST	50028	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:42:48.707606077 CEST	50028	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:42:48.707619905 CEST	443	50028	40.113.103.199	192.168.11.20
Apr 26, 2023 17:42:48.707658052 CEST	50028	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:42:48.728260994 CEST	443	50028	40.113.103.199	192.168.11.20
Apr 26, 2023 17:42:48.728389025 CEST	443	50028	40.113.103.199	192.168.11.20
Apr 26, 2023 17:42:48.728602886 CEST	50028	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:42:48.728734016 CEST	50028	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:42:48.728761911 CEST	443	50028	40.113.103.199	192.168.11.20
Apr 26, 2023 17:42:49.236299992 CEST	80	49761	192.229.221.95	192.168.11.20
Apr 26, 2023 17:42:49.236641884 CEST	49761	80	192.168.11.20	192.229.221.95
Apr 26, 2023 17:42:52.134160995 CEST	49765	443	192.168.11.20	2.23.209.182
Apr 26, 2023 17:42:52.134217024 CEST	49766	80	192.168.11.20	192.229.221.95
Apr 26, 2023 17:42:52.319668055 CEST	49701	80	192.168.11.20	192.229.221.95
Apr 26, 2023 17:42:52.319756985 CEST	49698	443	192.168.11.20	20.189.173.10
Apr 26, 2023 17:42:52.326654911 CEST	80	49701	192.229.221.95	192.168.11.20
Apr 26, 2023 17:42:52.326963902 CEST	49701	80	192.168.11.20	192.229.221.95
Apr 26, 2023 17:42:52.384192944 CEST	80	49768	192.229.221.95	192.168.11.20
Apr 26, 2023 17:42:52.384531975 CEST	49768	80	192.168.11.20	192.229.221.95
Apr 26, 2023 17:42:52.478307009 CEST	443	49698	20.189.173.10	192.168.11.20
Apr 26, 2023 17:42:52.478948116 CEST	49698	443	192.168.11.20	20.189.173.10
Apr 26, 2023 17:42:53.104743004 CEST	52802	443	192.168.11.20	2.19.229.151
Apr 26, 2023 17:42:53.104834080 CEST	443	52802	2.19.229.151	192.168.11.20
Apr 26, 2023 17:42:53.105109930 CEST	52802	443	192.168.11.20	2.19.229.151
Apr 26, 2023 17:42:53.105918884 CEST	52802	443	192.168.11.20	2.19.229.151
Apr 26, 2023 17:42:53.105983019 CEST	443	52802	2.19.229.151	192.168.11.20
Apr 26, 2023 17:42:53.160908937 CEST	443	52802	2.19.229.151	192.168.11.20
Apr 26, 2023 17:42:53.161180019 CEST	52802	443	192.168.11.20	2.19.229.151
Apr 26, 2023 17:42:53.162317991 CEST	52802	443	192.168.11.20	2.19.229.151
Apr 26, 2023 17:42:53.162364960 CEST	443	52802	2.19.229.151	192.168.11.20
Apr 26, 2023 17:42:53.163177013 CEST	443	52802	2.19.229.151	192.168.11.20
Apr 26, 2023 17:42:53.178299904 CEST	52802	443	192.168.11.20	2.19.229.151
Apr 26, 2023 17:42:53.189409971 CEST	443	52802	2.19.229.151	192.168.11.20
Apr 26, 2023 17:42:53.189649105 CEST	443	52802	2.19.229.151	192.168.11.20
Apr 26, 2023 17:42:53.189666986 CEST	52802	443	192.168.11.20	2.19.229.151
Apr 26, 2023 17:42:53.189666986 CEST	52802	443	192.168.11.20	2.19.229.151
Apr 26, 2023 17:42:53.189754963 CEST	443	52802	2.19.229.151	192.168.11.20
Apr 26, 2023 17:42:53.189867973 CEST	52802	443	192.168.11.20	2.19.229.151
Apr 26, 2023 17:42:53.189904928 CEST	443	52802	2.19.229.151	192.168.11.20
Apr 26, 2023 17:42:53.213452101 CEST	52803	443	192.168.11.20	2.19.229.151
Apr 26, 2023 17:42:53.213548899 CEST	443	52803	2.19.229.151	192.168.11.20
Apr 26, 2023 17:42:53.213833094 CEST	52803	443	192.168.11.20	2.19.229.151
Apr 26, 2023 17:42:53.213969946 CEST	52803	443	192.168.11.20	2.19.229.151
Apr 26, 2023 17:42:53.214019060 CEST	443	52803	2.19.229.151	192.168.11.20
Apr 26, 2023 17:42:53.264446974 CEST	443	52803	2.19.229.151	192.168.11.20
Apr 26, 2023 17:42:53.264695883 CEST	52803	443	192.168.11.20	2.19.229.151
Apr 26, 2023 17:42:53.265635014 CEST	52803	443	192.168.11.20	2.19.229.151
Apr 26, 2023 17:42:53.265686035 CEST	443	52803	2.19.229.151	192.168.11.20
Apr 26, 2023 17:42:53.267566919 CEST	443	52803	2.19.229.151	192.168.11.20
Apr 26, 2023 17:42:53.268389940 CEST	52803	443	192.168.11.20	2.19.229.151
Apr 26, 2023 17:42:53.275789976 CEST	80	49770	192.229.221.95	192.168.11.20
Apr 26, 2023 17:42:53.276124001 CEST	49770	80	192.168.11.20	192.229.221.95
Apr 26, 2023 17:42:53.278950930 CEST	443	52803	2.19.229.151	192.168.11.20
Apr 26, 2023 17:42:53.279185057 CEST	443	52803	2.19.229.151	192.168.11.20
Apr 26, 2023 17:42:53.279442072 CEST	52803	443	192.168.11.20	2.19.229.151
Apr 26, 2023 17:42:53.279515028 CEST	52803	443	192.168.11.20	2.19.229.151
Apr 26, 2023 17:42:53.279515028 CEST	52803	443	192.168.11.20	2.19.229.151
Apr 26, 2023 17:42:53.279558897 CEST	443	52803	2.19.229.151	192.168.11.20
Apr 26, 2023 17:42:53.279577017 CEST	443	52803	2.19.229.151	192.168.11.20
Apr 26, 2023 17:42:54.803536892 CEST	49674	80	192.168.11.20	192.229.221.95
Apr 26, 2023 17:42:54.803565979 CEST	49673	80	192.168.11.20	95.101.54.105
Apr 26, 2023 17:42:54.810657978 CEST	80	49674	192.229.221.95	192.168.11.20
Apr 26, 2023 17:42:54.810925007 CEST	49674	80	192.168.11.20	192.229.221.95
Apr 26, 2023 17:42:54.812931061 CEST	80	49673	95.101.54.105	192.168.11.20
Apr 26, 2023 17:42:54.813261032 CEST	49673	80	192.168.11.20	95.101.54.105
Apr 26, 2023 17:42:55.613744974 CEST	443	49760	204.79.197.203	192.168.11.20
Apr 26, 2023 17:43:05.288734913 CEST	49718	80	192.168.11.20	192.229.221.95
Apr 26, 2023 17:43:05.295772076 CEST	80	49718	192.229.221.95	192.168.11.20
Apr 26, 2023 17:43:05.296050072 CEST	49718	80	192.168.11.20	192.229.221.95
Apr 26, 2023 17:43:08.376272917 CEST	61770	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:43:08.376353025 CEST	443	61770	40.113.103.199	192.168.11.20
Apr 26, 2023 17:43:08.376518965 CEST	61770	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:43:08.376874924 CEST	61770	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:43:08.376908064 CEST	443	61770	40.113.103.199	192.168.11.20
Apr 26, 2023 17:43:08.455275059 CEST	443	61770	40.113.103.199	192.168.11.20
Apr 26, 2023 17:43:08.455610037 CEST	61770	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:43:08.458312988 CEST	61770	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:43:08.458343029 CEST	443	61770	40.113.103.199	192.168.11.20
Apr 26, 2023 17:43:08.458992958 CEST	443	61770	40.113.103.199	192.168.11.20
Apr 26, 2023 17:43:08.460325956 CEST	61770	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:43:08.460367918 CEST	61770	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:43:08.460386992 CEST	443	61770	40.113.103.199	192.168.11.20
Apr 26, 2023 17:43:08.460413933 CEST	61770	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:43:08.498864889 CEST	443	61770	40.113.103.199	192.168.11.20
Apr 26, 2023 17:43:08.499017954 CEST	443	61770	40.113.103.199	192.168.11.20
Apr 26, 2023 17:43:08.499155045 CEST	61770	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:43:08.499289989 CEST	61770	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:43:08.499308109 CEST	443	61770	40.113.103.199	192.168.11.20
Apr 26, 2023 17:43:18.835560083 CEST	57024	443	192.168.11.20	142.250.185.228
Apr 26, 2023 17:43:18.835690022 CEST	443	57024	142.250.185.228	192.168.11.20
Apr 26, 2023 17:43:18.835786104 CEST	58043	443	192.168.11.20	142.250.185.228
Apr 26, 2023 17:43:18.835860968 CEST	443	58043	142.250.185.228	192.168.11.20
Apr 26, 2023 17:43:18.835928917 CEST	57024	443	192.168.11.20	142.250.185.228
Apr 26, 2023 17:43:18.836009979 CEST	58043	443	192.168.11.20	142.250.185.228
Apr 26, 2023 17:43:18.836088896 CEST	57024	443	192.168.11.20	142.250.185.228
Apr 26, 2023 17:43:18.836133957 CEST	443	57024	142.250.185.228	192.168.11.20
Apr 26, 2023 17:43:18.836247921 CEST	58043	443	192.168.11.20	142.250.185.228
Apr 26, 2023 17:43:18.836307049 CEST	443	58043	142.250.185.228	192.168.11.20
Apr 26, 2023 17:43:18.895870924 CEST	443	57024	142.250.185.228	192.168.11.20
Apr 26, 2023 17:43:18.896399021 CEST	57024	443	192.168.11.20	142.250.185.228
Apr 26, 2023 17:43:18.896419048 CEST	443	57024	142.250.185.228	192.168.11.20
Apr 26, 2023 17:43:18.897124052 CEST	443	57024	142.250.185.228	192.168.11.20
Apr 26, 2023 17:43:18.897619009 CEST	57024	443	192.168.11.20	142.250.185.228
Apr 26, 2023 17:43:18.897797108 CEST	443	57024	142.250.185.228	192.168.11.20
Apr 26, 2023 17:43:18.901531935 CEST	443	58043	142.250.185.228	192.168.11.20
Apr 26, 2023 17:43:18.901943922 CEST	58043	443	192.168.11.20	142.250.185.228
Apr 26, 2023 17:43:18.901961088 CEST	443	58043	142.250.185.228	192.168.11.20
Apr 26, 2023 17:43:18.902695894 CEST	443	58043	142.250.185.228	192.168.11.20
Apr 26, 2023 17:43:18.903177977 CEST	58043	443	192.168.11.20	142.250.185.228
Apr 26, 2023 17:43:18.903331041 CEST	443	58043	142.250.185.228	192.168.11.20
Apr 26, 2023 17:43:18.940325975 CEST	57024	443	192.168.11.20	142.250.185.228
Apr 26, 2023 17:43:18.955931902 CEST	58043	443	192.168.11.20	142.250.185.228
Apr 26, 2023 17:43:28.889126062 CEST	443	57024	142.250.185.228	192.168.11.20
Apr 26, 2023 17:43:28.889358997 CEST	443	57024	142.250.185.228	192.168.11.20
Apr 26, 2023 17:43:28.889535904 CEST	57024	443	192.168.11.20	142.250.185.228
Apr 26, 2023 17:43:28.896562099 CEST	443	58043	142.250.185.228	192.168.11.20
Apr 26, 2023 17:43:28.896811962 CEST	443	58043	142.250.185.228	192.168.11.20
Apr 26, 2023 17:43:28.897033930 CEST	58043	443	192.168.11.20	142.250.185.228
Apr 26, 2023 17:43:38.379942894 CEST	56953	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:43:38.380069017 CEST	443	56953	40.113.103.199	192.168.11.20
Apr 26, 2023 17:43:38.380292892 CEST	56953	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:43:38.380748987 CEST	56953	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:43:38.380819082 CEST	443	56953	40.113.103.199	192.168.11.20
Apr 26, 2023 17:43:38.474750042 CEST	443	56953	40.113.103.199	192.168.11.20
Apr 26, 2023 17:43:38.475114107 CEST	56953	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:43:38.478059053 CEST	56953	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:43:38.478135109 CEST	443	56953	40.113.103.199	192.168.11.20
Apr 26, 2023 17:43:38.479290009 CEST	443	56953	40.113.103.199	192.168.11.20
Apr 26, 2023 17:43:38.480684042 CEST	56953	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:43:38.480684042 CEST	56953	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:43:38.480756998 CEST	443	56953	40.113.103.199	192.168.11.20
Apr 26, 2023 17:43:38.480773926 CEST	56953	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:43:38.502466917 CEST	443	56953	40.113.103.199	192.168.11.20
Apr 26, 2023 17:43:38.502861023 CEST	443	56953	40.113.103.199	192.168.11.20
Apr 26, 2023 17:43:38.503067017 CEST	56953	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:43:38.503067970 CEST	56953	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:43:38.503221989 CEST	443	56953	40.113.103.199	192.168.11.20
Apr 26, 2023 17:43:38.666215897 CEST	49761	80	192.168.11.20	192.229.221.95
Apr 26, 2023 17:43:38.673316002 CEST	80	49761	192.229.221.95	192.168.11.20
Apr 26, 2023 17:43:38.673609972 CEST	49761	80	192.168.11.20	192.229.221.95
Apr 26, 2023 17:43:42.103267908 CEST	49767	443	192.168.11.20	40.117.96.136
Apr 26, 2023 17:43:42.196182966 CEST	443	49767	40.117.96.136	192.168.11.20
Apr 26, 2023 17:43:42.196381092 CEST	49767	443	192.168.11.20	40.117.96.136
Apr 26, 2023 17:43:42.322001934 CEST	49768	80	192.168.11.20	192.229.221.95
Apr 26, 2023 17:43:42.330389977 CEST	80	49768	192.229.221.95	192.168.11.20
Apr 26, 2023 17:43:42.330859900 CEST	49768	80	192.168.11.20	192.229.221.95
Apr 26, 2023 17:43:54.711791039 CEST	80	49770	192.229.221.95	192.168.11.20
Apr 26, 2023 17:43:54.712018013 CEST	49770	80	192.168.11.20	192.229.221.95
Apr 26, 2023 17:43:55.102906942 CEST	443	49769	13.107.5.88	192.168.11.20
Apr 26, 2023 17:43:55.895308971 CEST	443	49773	2.23.209.187	192.168.11.20
Apr 26, 2023 17:43:55.895351887 CEST	443	49773	2.23.209.187	192.168.11.20
Apr 26, 2023 17:43:55.895464897 CEST	49773	443	192.168.11.20	2.23.209.187
Apr 26, 2023 17:43:55.895464897 CEST	49773	443	192.168.11.20	2.23.209.187
Apr 26, 2023 17:44:08.400686026 CEST	53793	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:44:08.400747061 CEST	443	53793	40.113.103.199	192.168.11.20
Apr 26, 2023 17:44:08.400903940 CEST	53793	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:44:08.401247025 CEST	53793	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:44:08.401281118 CEST	443	53793	40.113.103.199	192.168.11.20
Apr 26, 2023 17:44:08.491940975 CEST	443	53793	40.113.103.199	192.168.11.20
Apr 26, 2023 17:44:08.492182016 CEST	53793	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:44:08.493551016 CEST	53793	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:44:08.493582964 CEST	443	53793	40.113.103.199	192.168.11.20
Apr 26, 2023 17:44:08.494342089 CEST	443	53793	40.113.103.199	192.168.11.20
Apr 26, 2023 17:44:08.496059895 CEST	53793	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:44:08.496128082 CEST	53793	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:44:08.496151924 CEST	443	53793	40.113.103.199	192.168.11.20
Apr 26, 2023 17:44:08.496325970 CEST	53793	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:44:08.516604900 CEST	443	53793	40.113.103.199	192.168.11.20
Apr 26, 2023 17:44:08.516844988 CEST	443	53793	40.113.103.199	192.168.11.20
Apr 26, 2023 17:44:08.516985893 CEST	53793	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:44:08.517055988 CEST	53793	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:44:08.517076969 CEST	443	53793	40.113.103.199	192.168.11.20
Apr 26, 2023 17:44:13.901839018 CEST	57024	443	192.168.11.20	142.250.185.228
Apr 26, 2023 17:44:13.901839972 CEST	58043	443	192.168.11.20	142.250.185.228
Apr 26, 2023 17:44:13.901942015 CEST	443	57024	142.250.185.228	192.168.11.20
Apr 26, 2023 17:44:13.901958942 CEST	443	58043	142.250.185.228	192.168.11.20
Apr 26, 2023 17:44:38.394495964 CEST	55005	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:44:38.394581079 CEST	443	55005	40.113.103.199	192.168.11.20
Apr 26, 2023 17:44:38.394916058 CEST	55005	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:44:38.395330906 CEST	55005	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:44:38.395392895 CEST	443	55005	40.113.103.199	192.168.11.20
Apr 26, 2023 17:44:38.471215963 CEST	443	55005	40.113.103.199	192.168.11.20
Apr 26, 2023 17:44:38.471571922 CEST	55005	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:44:38.474277973 CEST	55005	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:44:38.474302053 CEST	443	55005	40.113.103.199	192.168.11.20
Apr 26, 2023 17:44:38.474894047 CEST	443	55005	40.113.103.199	192.168.11.20
Apr 26, 2023 17:44:38.476264954 CEST	55005	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:44:38.476299047 CEST	55005	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:44:38.476315022 CEST	443	55005	40.113.103.199	192.168.11.20
Apr 26, 2023 17:44:38.476397038 CEST	55005	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:44:38.496716976 CEST	443	55005	40.113.103.199	192.168.11.20
Apr 26, 2023 17:44:38.496871948 CEST	443	55005	40.113.103.199	192.168.11.20
Apr 26, 2023 17:44:38.497278929 CEST	55005	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:44:38.497703075 CEST	55005	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:44:38.497735023 CEST	443	55005	40.113.103.199	192.168.11.20
Apr 26, 2023 17:44:53.036803961 CEST	80	49770	192.229.221.95	192.168.11.20
Apr 26, 2023 17:44:53.037128925 CEST	49770	80	192.168.11.20	192.229.221.95
Apr 26, 2023 17:44:58.908638000 CEST	58043	443	192.168.11.20	142.250.185.228
Apr 26, 2023 17:44:58.908662081 CEST	57024	443	192.168.11.20	142.250.185.228
Apr 26, 2023 17:44:58.908710957 CEST	443	58043	142.250.185.228	192.168.11.20
Apr 26, 2023 17:44:58.908730030 CEST	443	57024	142.250.185.228	192.168.11.20
Apr 26, 2023 17:45:08.401329994 CEST	57327	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:45:08.401392937 CEST	443	57327	40.113.103.199	192.168.11.20
Apr 26, 2023 17:45:08.401689053 CEST	57327	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:45:08.402115107 CEST	57327	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:45:08.402152061 CEST	443	57327	40.113.103.199	192.168.11.20
Apr 26, 2023 17:45:08.485384941 CEST	443	57327	40.113.103.199	192.168.11.20
Apr 26, 2023 17:45:08.485625029 CEST	57327	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:45:08.487221956 CEST	57327	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:45:08.487250090 CEST	443	57327	40.113.103.199	192.168.11.20
Apr 26, 2023 17:45:08.487885952 CEST	443	57327	40.113.103.199	192.168.11.20
Apr 26, 2023 17:45:08.489336014 CEST	57327	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:45:08.489379883 CEST	57327	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:45:08.489398956 CEST	443	57327	40.113.103.199	192.168.11.20
Apr 26, 2023 17:45:08.489453077 CEST	57327	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:45:08.509891033 CEST	443	57327	40.113.103.199	192.168.11.20
Apr 26, 2023 17:45:08.510000944 CEST	443	57327	40.113.103.199	192.168.11.20
Apr 26, 2023 17:45:08.510247946 CEST	57327	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:45:08.510309935 CEST	57327	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:45:08.510309935 CEST	57327	443	192.168.11.20	40.113.103.199
Apr 26, 2023 17:45:08.510323048 CEST	443	57327	40.113.103.199	192.168.11.20

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 26, 2023 17:42:14.157675028 CEST	49357	53	192.168.11.20	1.1.1.1
Apr 26, 2023 17:42:14.158210993 CEST	57714	53	192.168.11.20	1.1.1.1
Apr 26, 2023 17:42:14.166915894 CEST	53	49357	1.1.1.1	192.168.11.20
Apr 26, 2023 17:42:14.167316914 CEST	53	57714	1.1.1.1	192.168.11.20
Apr 26, 2023 17:42:14.198158026 CEST	57715	1900	192.168.11.20	239.255.255.250
Apr 26, 2023 17:42:14.221925974 CEST	53611	53	192.168.11.20	1.1.1.1
Apr 26, 2023 17:42:14.492125988 CEST	53	53611	1.1.1.1	192.168.11.20
Apr 26, 2023 17:42:15.198904037 CEST	57715	1900	192.168.11.20	239.255.255.250
Apr 26, 2023 17:42:16.204884052 CEST	57715	1900	192.168.11.20	239.255.255.250
Apr 26, 2023 17:42:17.209383011 CEST	57715	1900	192.168.11.20	239.255.255.250
Apr 26, 2023 17:42:18.782130957 CEST	61810	53	192.168.11.20	1.1.1.1
Apr 26, 2023 17:42:18.791389942 CEST	53	61810	1.1.1.1	192.168.11.20
Apr 26, 2023 17:43:58.110204935 CEST	138	138	192.168.11.20	192.168.11.255
Apr 26, 2023 17:44:14.169492006 CEST	59517	1900	192.168.11.20	239.255.255.250
Apr 26, 2023 17:44:15.182841063 CEST	59517	1900	192.168.11.20	239.255.255.250
Apr 26, 2023 17:44:16.198398113 CEST	59517	1900	192.168.11.20	239.255.255.250
Apr 26, 2023 17:44:17.201083899 CEST	59517	1900	192.168.11.20	239.255.255.250

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 26, 2023 17:42:14.157675028 CEST	192.168.11.20	1.1.1.1	0x1fdb	Standard query (0)	clients2.google.com	A (IP address)	IN (0x0001)	false
Apr 26, 2023 17:42:14.158210993 CEST	192.168.11.20	1.1.1.1	0xadfe	Standard query (0)	accounts.google.com	A (IP address)	IN (0x0001)	false
Apr 26, 2023 17:42:14.221925974 CEST	192.168.11.20	1.1.1.1	0xbd87	Standard query (0)	lmsconline.com	A (IP address)	IN (0x0001)	false
Apr 26, 2023 17:42:18.782130957 CEST	192.168.11.20	1.1.1.1	0xe495	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 26, 2023 17:42:14.166915894 CEST	1.1.1.1	192.168.11.20	0x1fdb	No error (0)	clients2.google.com	clients.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 26, 2023 17:42:14.166915894 CEST	1.1.1.1	192.168.11.20	0x1fdb	No error (0)	clients.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Apr 26, 2023 17:42:14.167316914 CEST	1.1.1.1	192.168.11.20	0xadfe	No error (0)	accounts.google.com		142.250.185.77	A (IP address)	IN (0x0001)	false
Apr 26, 2023 17:42:14.492125988 CEST	1.1.1.1	192.168.11.20	0xbd87	No error (0)	lmsconline.com		198.54.121.168	A (IP address)	IN (0x0001)	false
Apr 26, 2023 17:42:18.791389942 CEST	1.1.1.1	192.168.11.20	0xe495	No error (0)	www.google.com		142.250.185.228	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

slscr.update.microsoft.com

accounts.google.com

clients2.google.com

lmsconline.com

fs.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.11.20	49779	52.165.165.26	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-04-26 15:42:03 UTC	0	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19042.1165/0?CH=685&L=en-US;en-GB&P=&PT=0x30&WUA=10.0.19041.1151&MK=To+Be+Filled+By+O.E.M.&MD=To+Be+Filled+By+O.E.M. HTTP/1.1 Connection: Keep-Alive Accept: / If-None-Match: "Mx1RoJH/qEwpWfKllx7sbsl28AuERz5IYdcsvtTJcgM=_1440" User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.32 Host: slscr.update.microsoft.com
2023-04-26 15:42:04 UTC	0	IN	HTTP/1.1 304 Not Modified Cache-Control: no-cache Pragma: no-cache Content-Type: text/html Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "Mx1RoJH/qEwpWfKllx7sbsl28AuERz5IYdcsvtTJcgM=_1440" MS-CorrelationId: 3ea9d8eb-3c20-4051-8cc9-78e4586ff606 MS-RequestId: aaae88fd-21e9-4560-a558-f6714d114736 MS-CV: Gc/y3Rih4EaUAZ+r.0 X-Microsoft-SLSClientCache: 1440 X-Content-Type-Options: nosniff Date: Wed, 26 Apr 2023 15:42:03 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.11.20	49780	52.165.165.26	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-04-26 15:42:04 UTC	0	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19042.1165/0?CH=685&L=en-US;en-GB&P=&PT=0x30&WUA=10.0.19041.1151&MK=To+Be+Filled+By+O.E.M.&MD=To+Be+Filled+By+O.E.M. HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.32 Host: slscr.update.microsoft.com
2023-04-26 15:42:04 UTC	1	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "Mx1RoJH/qEwpWfKllx7sbsl28AuERz5IYdcsvtTJcgM=_1440" MS-CorrelationId: af235dfb-025b-4c23-97ee-8a533b856ff8 MS-RequestId: 6efe9abb-fbc3-4a83-b773-0f9743166c6d MS-CV: PbAjbdIPIU+2Tgd/.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Wed, 26 Apr 2023 15:42:04 GMT Connection: close Content-Length: 25457
2023-04-26 15:42:04 UTC	1	IN	Data Raw: 4d 53 43 46 00 00 00 00 51 22 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 db 8e 00 00 14 00 00 00 00 00 10 00 51 22 00 00 20 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 f3 43 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 0d 92 6f db e5 21 f3 43 43 4b ed 5a 09 38 55 5b df 3f 93 99 90 29 99 e7 29 ec 73 cc 4a 66 32 cf 84 32 64 c8 31 c7 11 52 38 87 90 42 66 09 99 87 32 0f 19 0a 09 51 a6 a8 08 29 53 86 4a 52 84 50 df 46 83 ba dd 7b df fb 7e ef 7d ee 7d bf ef 9e e7 d9 67 ef 35 ee b5 fe eb 3f ff b6 96 81 a2 0a 04 fc 31 40 21 5b 3f a5 ed 1b 04 0e 85 42 a0 10 04 64 12 6c a5 de aa a1 d8 ea f3 58 01 f2 f5 67 0b 5e 9b bd e8 a0 90 1d bf 40 88 9d eb 49 b4 87 9b ab 8b 9d 2b 46 c8 c7 c5 19 92 Data Ascii: MSCFQ"DQ" AdCenvironment.cabo!CCKZ8U[?))sJf22d1R8Bf2Q)SJRPF{~}}g5?1@![?BdlXg^@I+F
2023-04-26 15:42:04 UTC	17	IN	Data Raw: 21 6f b3 eb a6 cc f5 31 be cf 05 e2 a9 fe fa 57 6d 19 30 b3 c2 c5 66 c9 6a df f5 e7 f0 78 bd c7 a8 9e 25 e3 f9 bc ed 6b 54 57 08 2b 51 82 44 12 fb b9 53 8c cc f4 60 12 8a 76 cc 40 40 41 9b dc 5c 17 ff 5c f9 5e 17 35 98 24 56 4b 74 ef 42 10 c8 af bf 7f c6 7f f2 37 7d 5a 3f 1c f2 99 79 4a 91 52 00 af 38 0f 17 f5 2f 79 81 65 d9 a9 b5 6b e4 c7 ce f6 ca 7a 00 6f 4b 30 44 24 22 3c cf ed 03 a5 96 8f 59 29 bc b6 fd 04 e1 70 9f 32 4a 27 fd 55 af 2f fe b6 e5 8e 33 bb 62 5f 9a db 57 40 e9 f1 ce 99 66 90 8c ff 6a 62 7f dd c5 4a 0b 91 26 e2 39 ec 19 4a 71 63 9d 7b 21 6d c3 9c a3 a2 3c fa 7f 7d 96 6a 90 78 a6 6d d2 e1 9c f9 1d fc 38 d8 94 f4 c6 a5 0a 96 86 a4 bd 9e 1a ae 04 42 83 b8 b5 80 9b 22 38 20 b5 25 e5 64 ec f7 f4 bf 7e 63 59 25 0f 7a 2e 39 57 76 a2 71 aa 06 8a Data Ascii: !o1Wm0fjx%kTW+QDS`v@@A\\^5$VKtB7}Z?yJR8/yekzoK0D$"<Y)p2J'U/3b_W@fjbJ&9Jqc{!m<}jxm8B"8 %d~cY%z.9Wvq

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.11.20	60553	40.113.103.199	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-04-26 15:42:18 UTC	35	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 31 37 0d 0a 4d 53 2d 43 56 3a 20 31 4d 58 55 71 7a 41 54 42 6b 57 68 55 33 6a 61 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 35 31 38 30 36 37 63 65 65 61 66 32 37 61 36 32 0d 0a 0d 0a Data Ascii: CNT 1 CON 317MS-CV: 1MXUqzATBkWhU3ja.1Context: 518067ceeaf27a62
2023-04-26 15:42:18 UTC	35	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 32 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 55 53 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 34 34 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 33 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 54 6f 20 42 65 20 46 69 6c 6c 65 64 20 42 79 20 4f 2e 45 2e 4d 2e 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19042</osVer><proc>x64</proc><lcid>en-US</lcid><geoId>244</geoId><aoac>0</aoac><deviceType>3</deviceType><deviceName>To Be Filled By O.E.M.</deviceName><followRetry>true</followRetry></agent></co
2023-04-26 15:42:18 UTC	35	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 35 33 0d 0a 4d 53 2d 43 56 3a 20 31 4d 58 55 71 7a 41 54 42 6b 57 68 55 33 6a 61 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 35 31 38 30 36 37 63 65 65 61 66 32 37 61 36 32 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 77 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 62 74 55 51 6a 33 6e 50 41 75 6a 39 6b 5a 32 72 47 6c 72 6f 71 43 75 2f 65 71 44 2b 34 78 37 6d 68 47 46 48 38 49 73 76 44 6a 63 76 6a 41 59 66 33 2b 63 71 6d 62 5a 46 70 65 41 63 76 36 30 57 57 37 77 6e 4e 4b 30 35 72 34 31 66 74 47 56 79 4e 73 77 58 6c 34 79 56 4a 59 55 47 43 35 6b 73 7a 68 64 54 5a 54 53 4e 56 4d 69 46 54 Data Ascii: ATH 2 CON\DEVICE 1053MS-CV: 1MXUqzATBkWhU3ja.2Context: 518067ceeaf27a62<device><compact-ticket>t=EwCwAupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAbtUQj3nPAuj9kZ2rGlroqCu/eqD+4x7mhGFH8IsvDjcvjAYf3+cqmbZFpeAcv60WW7wnNK05r41ftGVyNswXl4yVJYUGC5kszhdTZTSNVMiFT
2023-04-26 15:42:18 UTC	36	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 31 30 34 34 34 37 39 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 31 4d 58 55 71 7a 41 54 42 6b 57 68 55 33 6a 61 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 35 31 38 30 36 37 63 65 65 61 66 32 37 61 36 32 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 1044479 197MS-CV: 1MXUqzATBkWhU3ja.3Context: 518067ceeaf27a62<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2023-04-26 15:42:18 UTC	36	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2023-04-26 15:42:18 UTC	36	IN	Data Raw: 4d 53 2d 43 56 3a 20 52 57 78 5a 53 33 74 6d 6f 6b 61 64 61 59 69 2b 56 53 2b 59 37 77 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: RWxZS3tmokadaYi+VS+Y7w.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.11.20	50015	40.113.103.199	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-04-26 15:42:31 UTC	36	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 31 37 0d 0a 4d 53 2d 43 56 3a 20 4a 39 51 70 49 71 66 70 34 6b 75 48 6c 52 33 6b 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 63 31 31 35 61 65 66 62 63 31 66 36 39 61 34 32 0d 0a 0d 0a Data Ascii: CNT 1 CON 317MS-CV: J9QpIqfp4kuHlR3k.1Context: c115aefbc1f69a42
2023-04-26 15:42:31 UTC	36	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 32 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 55 53 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 34 34 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 33 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 54 6f 20 42 65 20 46 69 6c 6c 65 64 20 42 79 20 4f 2e 45 2e 4d 2e 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19042</osVer><proc>x64</proc><lcid>en-US</lcid><geoId>244</geoId><aoac>0</aoac><deviceType>3</deviceType><deviceName>To Be Filled By O.E.M.</deviceName><followRetry>true</followRetry></agent></co
2023-04-26 15:42:31 UTC	37	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 35 33 0d 0a 4d 53 2d 43 56 3a 20 4a 39 51 70 49 71 66 70 34 6b 75 48 6c 52 33 6b 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 63 31 31 35 61 65 66 62 63 31 66 36 39 61 34 32 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 77 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 62 74 55 51 6a 33 6e 50 41 75 6a 39 6b 5a 32 72 47 6c 72 6f 71 43 75 2f 65 71 44 2b 34 78 37 6d 68 47 46 48 38 49 73 76 44 6a 63 76 6a 41 59 66 33 2b 63 71 6d 62 5a 46 70 65 41 63 76 36 30 57 57 37 77 6e 4e 4b 30 35 72 34 31 66 74 47 56 79 4e 73 77 58 6c 34 79 56 4a 59 55 47 43 35 6b 73 7a 68 64 54 5a 54 53 4e 56 4d 69 46 54 Data Ascii: ATH 2 CON\DEVICE 1053MS-CV: J9QpIqfp4kuHlR3k.2Context: c115aefbc1f69a42<device><compact-ticket>t=EwCwAupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAbtUQj3nPAuj9kZ2rGlroqCu/eqD+4x7mhGFH8IsvDjcvjAYf3+cqmbZFpeAcv60WW7wnNK05r41ftGVyNswXl4yVJYUGC5kszhdTZTSNVMiFT
2023-04-26 15:42:31 UTC	38	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 31 30 34 34 34 37 39 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 4a 39 51 70 49 71 66 70 34 6b 75 48 6c 52 33 6b 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 63 31 31 35 61 65 66 62 63 31 66 36 39 61 34 32 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 1044479 197MS-CV: J9QpIqfp4kuHlR3k.3Context: c115aefbc1f69a42<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2023-04-26 15:42:31 UTC	38	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2023-04-26 15:42:31 UTC	38	IN	Data Raw: 4d 53 2d 43 56 3a 20 50 35 55 6e 39 33 6f 56 30 6b 69 55 57 36 47 71 43 33 41 50 55 67 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: P5Un93oV0kiUW6GqC3APUg.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
12	192.168.11.20	63304	40.113.103.199	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-04-26 15:42:38 UTC	38	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 31 37 0d 0a 4d 53 2d 43 56 3a 20 4b 41 39 71 69 43 42 50 4e 30 36 4b 43 66 66 58 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 32 31 33 62 31 66 63 61 39 37 36 31 32 39 63 61 0d 0a 0d 0a Data Ascii: CNT 1 CON 317MS-CV: KA9qiCBPN06KCffX.1Context: 213b1fca976129ca
2023-04-26 15:42:38 UTC	38	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 32 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 55 53 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 34 34 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 33 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 54 6f 20 42 65 20 46 69 6c 6c 65 64 20 42 79 20 4f 2e 45 2e 4d 2e 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19042</osVer><proc>x64</proc><lcid>en-US</lcid><geoId>244</geoId><aoac>0</aoac><deviceType>3</deviceType><deviceName>To Be Filled By O.E.M.</deviceName><followRetry>true</followRetry></agent></co
2023-04-26 15:42:38 UTC	38	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 35 33 0d 0a 4d 53 2d 43 56 3a 20 4b 41 39 71 69 43 42 50 4e 30 36 4b 43 66 66 58 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 32 31 33 62 31 66 63 61 39 37 36 31 32 39 63 61 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 77 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 62 74 55 51 6a 33 6e 50 41 75 6a 39 6b 5a 32 72 47 6c 72 6f 71 43 75 2f 65 71 44 2b 34 78 37 6d 68 47 46 48 38 49 73 76 44 6a 63 76 6a 41 59 66 33 2b 63 71 6d 62 5a 46 70 65 41 63 76 36 30 57 57 37 77 6e 4e 4b 30 35 72 34 31 66 74 47 56 79 4e 73 77 58 6c 34 79 56 4a 59 55 47 43 35 6b 73 7a 68 64 54 5a 54 53 4e 56 4d 69 46 54 Data Ascii: ATH 2 CON\DEVICE 1053MS-CV: KA9qiCBPN06KCffX.2Context: 213b1fca976129ca<device><compact-ticket>t=EwCwAupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAbtUQj3nPAuj9kZ2rGlroqCu/eqD+4x7mhGFH8IsvDjcvjAYf3+cqmbZFpeAcv60WW7wnNK05r41ftGVyNswXl4yVJYUGC5kszhdTZTSNVMiFT
2023-04-26 15:42:38 UTC	39	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 31 30 34 34 34 37 39 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 4b 41 39 71 69 43 42 50 4e 30 36 4b 43 66 66 58 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 32 31 33 62 31 66 63 61 39 37 36 31 32 39 63 61 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 1044479 197MS-CV: KA9qiCBPN06KCffX.3Context: 213b1fca976129ca<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2023-04-26 15:42:38 UTC	40	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2023-04-26 15:42:38 UTC	40	IN	Data Raw: 4d 53 2d 43 56 3a 20 55 74 50 69 6a 56 77 41 65 45 65 78 45 54 4b 64 46 57 77 6c 42 77 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: UtPijVwAeEexETKdFWwlBw.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
13	192.168.11.20	50028	40.113.103.199	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-04-26 15:42:48 UTC	40	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 31 37 0d 0a 4d 53 2d 43 56 3a 20 75 31 73 69 35 70 54 56 71 30 2b 7a 2f 4b 52 62 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 65 31 66 64 66 30 36 66 66 33 61 38 63 65 66 61 0d 0a 0d 0a Data Ascii: CNT 1 CON 317MS-CV: u1si5pTVq0+z/KRb.1Context: e1fdf06ff3a8cefa
2023-04-26 15:42:48 UTC	40	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 32 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 55 53 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 34 34 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 33 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 54 6f 20 42 65 20 46 69 6c 6c 65 64 20 42 79 20 4f 2e 45 2e 4d 2e 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19042</osVer><proc>x64</proc><lcid>en-US</lcid><geoId>244</geoId><aoac>0</aoac><deviceType>3</deviceType><deviceName>To Be Filled By O.E.M.</deviceName><followRetry>true</followRetry></agent></co
2023-04-26 15:42:48 UTC	40	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 35 33 0d 0a 4d 53 2d 43 56 3a 20 75 31 73 69 35 70 54 56 71 30 2b 7a 2f 4b 52 62 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 65 31 66 64 66 30 36 66 66 33 61 38 63 65 66 61 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 77 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 62 74 55 51 6a 33 6e 50 41 75 6a 39 6b 5a 32 72 47 6c 72 6f 71 43 75 2f 65 71 44 2b 34 78 37 6d 68 47 46 48 38 49 73 76 44 6a 63 76 6a 41 59 66 33 2b 63 71 6d 62 5a 46 70 65 41 63 76 36 30 57 57 37 77 6e 4e 4b 30 35 72 34 31 66 74 47 56 79 4e 73 77 58 6c 34 79 56 4a 59 55 47 43 35 6b 73 7a 68 64 54 5a 54 53 4e 56 4d 69 46 54 Data Ascii: ATH 2 CON\DEVICE 1053MS-CV: u1si5pTVq0+z/KRb.2Context: e1fdf06ff3a8cefa<device><compact-ticket>t=EwCwAupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAbtUQj3nPAuj9kZ2rGlroqCu/eqD+4x7mhGFH8IsvDjcvjAYf3+cqmbZFpeAcv60WW7wnNK05r41ftGVyNswXl4yVJYUGC5kszhdTZTSNVMiFT
2023-04-26 15:42:48 UTC	41	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 31 30 34 34 34 37 39 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 75 31 73 69 35 70 54 56 71 30 2b 7a 2f 4b 52 62 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 65 31 66 64 66 30 36 66 66 33 61 38 63 65 66 61 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 1044479 197MS-CV: u1si5pTVq0+z/KRb.3Context: e1fdf06ff3a8cefa<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2023-04-26 15:42:48 UTC	41	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2023-04-26 15:42:48 UTC	41	IN	Data Raw: 4d 53 2d 43 56 3a 20 65 69 2b 4b 76 59 43 48 78 55 6d 67 4f 67 77 35 76 4b 41 41 5a 67 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: ei+KvYCHxUmgOgw5vKAAZg.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
14	192.168.11.20	52802	2.19.229.151	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-04-26 15:42:53 UTC	41	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2023-04-26 15:42:53 UTC	41	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Tue, 16 May 2017 22:58:00 GMT ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json X-MSEdge-Ref: Ref A: 65032144BB954983ABA770DA8C321B97 Ref B: LON04EDGE1010 Ref C: 2023-04-24T07:05:30Z Cache-Control: public, max-age=55396 Date: Wed, 26 Apr 2023 15:42:53 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
15	192.168.11.20	52803	2.19.229.151	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-04-26 15:42:53 UTC	42	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2023-04-26 15:42:53 UTC	42	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Tue, 16 May 2017 22:58:00 GMT ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json X-Azure-Ref: 0WjMqYwAAAABjF7l0wOIgQK+R1dOMvnGMTE9OMjFFREdFMTgxNABjZWZjMjU4My1hOWIyLTQ0YTctOTc1NS1iNzZkMTdlMDVmN2Y= Cache-Control: public, max-age=205762 Date: Wed, 26 Apr 2023 15:42:53 GMT Content-Length: 55 Connection: close X-CID: 2
2023-04-26 15:42:53 UTC	43	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
16	192.168.11.20	61770	40.113.103.199	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-04-26 15:43:08 UTC	43	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 31 37 0d 0a 4d 53 2d 43 56 3a 20 38 58 41 53 74 48 78 4f 71 55 71 79 45 51 35 69 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 61 64 63 62 34 32 39 35 39 66 35 63 37 66 66 33 0d 0a 0d 0a Data Ascii: CNT 1 CON 317MS-CV: 8XAStHxOqUqyEQ5i.1Context: adcb42959f5c7ff3
2023-04-26 15:43:08 UTC	43	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 32 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 55 53 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 34 34 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 33 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 54 6f 20 42 65 20 46 69 6c 6c 65 64 20 42 79 20 4f 2e 45 2e 4d 2e 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19042</osVer><proc>x64</proc><lcid>en-US</lcid><geoId>244</geoId><aoac>0</aoac><deviceType>3</deviceType><deviceName>To Be Filled By O.E.M.</deviceName><followRetry>true</followRetry></agent></co
2023-04-26 15:43:08 UTC	43	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 35 33 0d 0a 4d 53 2d 43 56 3a 20 38 58 41 53 74 48 78 4f 71 55 71 79 45 51 35 69 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 61 64 63 62 34 32 39 35 39 66 35 63 37 66 66 33 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 77 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 62 74 55 51 6a 33 6e 50 41 75 6a 39 6b 5a 32 72 47 6c 72 6f 71 43 75 2f 65 71 44 2b 34 78 37 6d 68 47 46 48 38 49 73 76 44 6a 63 76 6a 41 59 66 33 2b 63 71 6d 62 5a 46 70 65 41 63 76 36 30 57 57 37 77 6e 4e 4b 30 35 72 34 31 66 74 47 56 79 4e 73 77 58 6c 34 79 56 4a 59 55 47 43 35 6b 73 7a 68 64 54 5a 54 53 4e 56 4d 69 46 54 Data Ascii: ATH 2 CON\DEVICE 1053MS-CV: 8XAStHxOqUqyEQ5i.2Context: adcb42959f5c7ff3<device><compact-ticket>t=EwCwAupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAbtUQj3nPAuj9kZ2rGlroqCu/eqD+4x7mhGFH8IsvDjcvjAYf3+cqmbZFpeAcv60WW7wnNK05r41ftGVyNswXl4yVJYUGC5kszhdTZTSNVMiFT
2023-04-26 15:43:08 UTC	44	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 31 30 34 34 34 37 39 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 38 58 41 53 74 48 78 4f 71 55 71 79 45 51 35 69 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 61 64 63 62 34 32 39 35 39 66 35 63 37 66 66 33 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 1044479 197MS-CV: 8XAStHxOqUqyEQ5i.3Context: adcb42959f5c7ff3<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2023-04-26 15:43:08 UTC	44	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2023-04-26 15:43:08 UTC	44	IN	Data Raw: 4d 53 2d 43 56 3a 20 66 44 78 51 6b 42 2f 4e 50 6b 2b 31 58 31 4c 78 51 34 56 51 47 51 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: fDxQkB/NPk+1X1LxQ4VQGQ.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
17	192.168.11.20	56953	40.113.103.199	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-04-26 15:43:38 UTC	44	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 31 37 0d 0a 4d 53 2d 43 56 3a 20 79 52 6b 4d 6e 4c 62 34 69 6b 53 71 2b 49 50 47 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 61 31 30 65 37 63 63 39 34 30 31 33 37 34 66 64 0d 0a 0d 0a Data Ascii: CNT 1 CON 317MS-CV: yRkMnLb4ikSq+IPG.1Context: a10e7cc9401374fd
2023-04-26 15:43:38 UTC	45	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 32 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 55 53 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 34 34 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 33 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 54 6f 20 42 65 20 46 69 6c 6c 65 64 20 42 79 20 4f 2e 45 2e 4d 2e 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19042</osVer><proc>x64</proc><lcid>en-US</lcid><geoId>244</geoId><aoac>0</aoac><deviceType>3</deviceType><deviceName>To Be Filled By O.E.M.</deviceName><followRetry>true</followRetry></agent></co
2023-04-26 15:43:38 UTC	45	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 35 33 0d 0a 4d 53 2d 43 56 3a 20 79 52 6b 4d 6e 4c 62 34 69 6b 53 71 2b 49 50 47 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 61 31 30 65 37 63 63 39 34 30 31 33 37 34 66 64 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 77 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 62 74 55 51 6a 33 6e 50 41 75 6a 39 6b 5a 32 72 47 6c 72 6f 71 43 75 2f 65 71 44 2b 34 78 37 6d 68 47 46 48 38 49 73 76 44 6a 63 76 6a 41 59 66 33 2b 63 71 6d 62 5a 46 70 65 41 63 76 36 30 57 57 37 77 6e 4e 4b 30 35 72 34 31 66 74 47 56 79 4e 73 77 58 6c 34 79 56 4a 59 55 47 43 35 6b 73 7a 68 64 54 5a 54 53 4e 56 4d 69 46 54 Data Ascii: ATH 2 CON\DEVICE 1053MS-CV: yRkMnLb4ikSq+IPG.2Context: a10e7cc9401374fd<device><compact-ticket>t=EwCwAupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAbtUQj3nPAuj9kZ2rGlroqCu/eqD+4x7mhGFH8IsvDjcvjAYf3+cqmbZFpeAcv60WW7wnNK05r41ftGVyNswXl4yVJYUGC5kszhdTZTSNVMiFT
2023-04-26 15:43:38 UTC	46	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 31 30 34 34 34 37 39 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 79 52 6b 4d 6e 4c 62 34 69 6b 53 71 2b 49 50 47 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 61 31 30 65 37 63 63 39 34 30 31 33 37 34 66 64 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 1044479 197MS-CV: yRkMnLb4ikSq+IPG.3Context: a10e7cc9401374fd<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2023-04-26 15:43:38 UTC	46	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2023-04-26 15:43:38 UTC	46	IN	Data Raw: 4d 53 2d 43 56 3a 20 4e 56 4f 64 6e 31 57 55 34 45 4b 65 67 7a 50 67 64 7a 65 35 2b 67 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: NVOdn1WU4EKegzPgdze5+g.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
18	192.168.11.20	53793	40.113.103.199	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-04-26 15:44:08 UTC	46	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 31 37 0d 0a 4d 53 2d 43 56 3a 20 74 61 37 68 76 37 71 55 34 30 6d 62 41 62 42 54 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 36 35 61 35 34 36 37 62 64 35 62 30 61 65 37 63 0d 0a 0d 0a Data Ascii: CNT 1 CON 317MS-CV: ta7hv7qU40mbAbBT.1Context: 65a5467bd5b0ae7c
2023-04-26 15:44:08 UTC	46	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 32 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 55 53 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 34 34 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 33 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 54 6f 20 42 65 20 46 69 6c 6c 65 64 20 42 79 20 4f 2e 45 2e 4d 2e 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19042</osVer><proc>x64</proc><lcid>en-US</lcid><geoId>244</geoId><aoac>0</aoac><deviceType>3</deviceType><deviceName>To Be Filled By O.E.M.</deviceName><followRetry>true</followRetry></agent></co
2023-04-26 15:44:08 UTC	46	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 35 33 0d 0a 4d 53 2d 43 56 3a 20 74 61 37 68 76 37 71 55 34 30 6d 62 41 62 42 54 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 36 35 61 35 34 36 37 62 64 35 62 30 61 65 37 63 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 77 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 62 74 55 51 6a 33 6e 50 41 75 6a 39 6b 5a 32 72 47 6c 72 6f 71 43 75 2f 65 71 44 2b 34 78 37 6d 68 47 46 48 38 49 73 76 44 6a 63 76 6a 41 59 66 33 2b 63 71 6d 62 5a 46 70 65 41 63 76 36 30 57 57 37 77 6e 4e 4b 30 35 72 34 31 66 74 47 56 79 4e 73 77 58 6c 34 79 56 4a 59 55 47 43 35 6b 73 7a 68 64 54 5a 54 53 4e 56 4d 69 46 54 Data Ascii: ATH 2 CON\DEVICE 1053MS-CV: ta7hv7qU40mbAbBT.2Context: 65a5467bd5b0ae7c<device><compact-ticket>t=EwCwAupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAbtUQj3nPAuj9kZ2rGlroqCu/eqD+4x7mhGFH8IsvDjcvjAYf3+cqmbZFpeAcv60WW7wnNK05r41ftGVyNswXl4yVJYUGC5kszhdTZTSNVMiFT
2023-04-26 15:44:08 UTC	47	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 31 30 34 34 34 37 39 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 74 61 37 68 76 37 71 55 34 30 6d 62 41 62 42 54 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 36 35 61 35 34 36 37 62 64 35 62 30 61 65 37 63 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 1044479 197MS-CV: ta7hv7qU40mbAbBT.3Context: 65a5467bd5b0ae7c<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2023-04-26 15:44:08 UTC	48	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2023-04-26 15:44:08 UTC	48	IN	Data Raw: 4d 53 2d 43 56 3a 20 39 42 78 77 38 44 41 76 70 45 4f 4b 6f 6d 6e 79 4b 4a 52 4c 6a 77 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: 9Bxw8DAvpEOKomnyKJRLjw.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
19	192.168.11.20	55005	40.113.103.199	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-04-26 15:44:38 UTC	48	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 31 37 0d 0a 4d 53 2d 43 56 3a 20 79 37 4a 2f 4a 67 55 68 69 45 65 6f 76 36 45 52 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 61 36 35 61 30 38 38 65 39 35 35 30 39 37 66 63 0d 0a 0d 0a Data Ascii: CNT 1 CON 317MS-CV: y7J/JgUhiEeov6ER.1Context: a65a088e955097fc
2023-04-26 15:44:38 UTC	48	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 32 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 55 53 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 34 34 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 33 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 54 6f 20 42 65 20 46 69 6c 6c 65 64 20 42 79 20 4f 2e 45 2e 4d 2e 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19042</osVer><proc>x64</proc><lcid>en-US</lcid><geoId>244</geoId><aoac>0</aoac><deviceType>3</deviceType><deviceName>To Be Filled By O.E.M.</deviceName><followRetry>true</followRetry></agent></co
2023-04-26 15:44:38 UTC	48	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 35 33 0d 0a 4d 53 2d 43 56 3a 20 79 37 4a 2f 4a 67 55 68 69 45 65 6f 76 36 45 52 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 61 36 35 61 30 38 38 65 39 35 35 30 39 37 66 63 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 77 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 62 74 55 51 6a 33 6e 50 41 75 6a 39 6b 5a 32 72 47 6c 72 6f 71 43 75 2f 65 71 44 2b 34 78 37 6d 68 47 46 48 38 49 73 76 44 6a 63 76 6a 41 59 66 33 2b 63 71 6d 62 5a 46 70 65 41 63 76 36 30 57 57 37 77 6e 4e 4b 30 35 72 34 31 66 74 47 56 79 4e 73 77 58 6c 34 79 56 4a 59 55 47 43 35 6b 73 7a 68 64 54 5a 54 53 4e 56 4d 69 46 54 Data Ascii: ATH 2 CON\DEVICE 1053MS-CV: y7J/JgUhiEeov6ER.2Context: a65a088e955097fc<device><compact-ticket>t=EwCwAupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAbtUQj3nPAuj9kZ2rGlroqCu/eqD+4x7mhGFH8IsvDjcvjAYf3+cqmbZFpeAcv60WW7wnNK05r41ftGVyNswXl4yVJYUGC5kszhdTZTSNVMiFT
2023-04-26 15:44:38 UTC	49	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 31 30 34 34 34 37 39 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 79 37 4a 2f 4a 67 55 68 69 45 65 6f 76 36 45 52 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 61 36 35 61 30 38 38 65 39 35 35 30 39 37 66 63 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 1044479 197MS-CV: y7J/JgUhiEeov6ER.3Context: a65a088e955097fc<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2023-04-26 15:44:38 UTC	49	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2023-04-26 15:44:38 UTC	49	IN	Data Raw: 4d 53 2d 43 56 3a 20 47 57 55 73 77 4c 57 78 71 45 65 6c 71 37 76 33 7a 6d 32 6d 47 41 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: GWUswLWxqEelq7v3zm2mGA.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.11.20	49787	40.113.103.199	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-04-26 15:42:08 UTC	26	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 31 37 0d 0a 4d 53 2d 43 56 3a 20 2f 4b 32 32 74 38 6a 6b 6e 55 71 78 79 41 72 4e 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 33 31 35 64 36 32 38 32 66 63 66 61 37 62 61 66 0d 0a 0d 0a Data Ascii: CNT 1 CON 317MS-CV: /K22t8jknUqxyArN.1Context: 315d6282fcfa7baf
2023-04-26 15:42:08 UTC	26	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 32 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 55 53 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 34 34 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 33 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 54 6f 20 42 65 20 46 69 6c 6c 65 64 20 42 79 20 4f 2e 45 2e 4d 2e 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19042</osVer><proc>x64</proc><lcid>en-US</lcid><geoId>244</geoId><aoac>0</aoac><deviceType>3</deviceType><deviceName>To Be Filled By O.E.M.</deviceName><followRetry>true</followRetry></agent></co
2023-04-26 15:42:08 UTC	26	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 35 33 0d 0a 4d 53 2d 43 56 3a 20 2f 4b 32 32 74 38 6a 6b 6e 55 71 78 79 41 72 4e 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 33 31 35 64 36 32 38 32 66 63 66 61 37 62 61 66 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 77 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 62 74 55 51 6a 33 6e 50 41 75 6a 39 6b 5a 32 72 47 6c 72 6f 71 43 75 2f 65 71 44 2b 34 78 37 6d 68 47 46 48 38 49 73 76 44 6a 63 76 6a 41 59 66 33 2b 63 71 6d 62 5a 46 70 65 41 63 76 36 30 57 57 37 77 6e 4e 4b 30 35 72 34 31 66 74 47 56 79 4e 73 77 58 6c 34 79 56 4a 59 55 47 43 35 6b 73 7a 68 64 54 5a 54 53 4e 56 4d 69 46 54 Data Ascii: ATH 2 CON\DEVICE 1053MS-CV: /K22t8jknUqxyArN.2Context: 315d6282fcfa7baf<device><compact-ticket>t=EwCwAupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAbtUQj3nPAuj9kZ2rGlroqCu/eqD+4x7mhGFH8IsvDjcvjAYf3+cqmbZFpeAcv60WW7wnNK05r41ftGVyNswXl4yVJYUGC5kszhdTZTSNVMiFT
2023-04-26 15:42:08 UTC	27	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 31 30 34 34 34 37 39 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 2f 4b 32 32 74 38 6a 6b 6e 55 71 78 79 41 72 4e 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 33 31 35 64 36 32 38 32 66 63 66 61 37 62 61 66 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 1044479 197MS-CV: /K22t8jknUqxyArN.3Context: 315d6282fcfa7baf<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2023-04-26 15:42:08 UTC	28	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2023-04-26 15:42:08 UTC	28	IN	Data Raw: 4d 53 2d 43 56 3a 20 75 58 5a 65 47 52 46 53 7a 6b 32 77 68 56 54 6b 79 62 61 57 74 41 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: uXZeGRFSzk2whVTkybaWtA.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
20	192.168.11.20	57327	40.113.103.199	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-04-26 15:45:08 UTC	49	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 31 37 0d 0a 4d 53 2d 43 56 3a 20 77 62 37 65 4d 62 4d 77 4d 30 2b 77 63 73 2b 63 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 34 30 39 63 37 35 36 36 65 64 36 34 64 30 66 35 0d 0a 0d 0a Data Ascii: CNT 1 CON 317MS-CV: wb7eMbMwM0+wcs+c.1Context: 409c7566ed64d0f5
2023-04-26 15:45:08 UTC	50	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 32 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 55 53 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 34 34 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 33 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 54 6f 20 42 65 20 46 69 6c 6c 65 64 20 42 79 20 4f 2e 45 2e 4d 2e 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19042</osVer><proc>x64</proc><lcid>en-US</lcid><geoId>244</geoId><aoac>0</aoac><deviceType>3</deviceType><deviceName>To Be Filled By O.E.M.</deviceName><followRetry>true</followRetry></agent></co
2023-04-26 15:45:08 UTC	50	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 35 33 0d 0a 4d 53 2d 43 56 3a 20 77 62 37 65 4d 62 4d 77 4d 30 2b 77 63 73 2b 63 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 34 30 39 63 37 35 36 36 65 64 36 34 64 30 66 35 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 77 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 62 74 55 51 6a 33 6e 50 41 75 6a 39 6b 5a 32 72 47 6c 72 6f 71 43 75 2f 65 71 44 2b 34 78 37 6d 68 47 46 48 38 49 73 76 44 6a 63 76 6a 41 59 66 33 2b 63 71 6d 62 5a 46 70 65 41 63 76 36 30 57 57 37 77 6e 4e 4b 30 35 72 34 31 66 74 47 56 79 4e 73 77 58 6c 34 79 56 4a 59 55 47 43 35 6b 73 7a 68 64 54 5a 54 53 4e 56 4d 69 46 54 Data Ascii: ATH 2 CON\DEVICE 1053MS-CV: wb7eMbMwM0+wcs+c.2Context: 409c7566ed64d0f5<device><compact-ticket>t=EwCwAupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAbtUQj3nPAuj9kZ2rGlroqCu/eqD+4x7mhGFH8IsvDjcvjAYf3+cqmbZFpeAcv60WW7wnNK05r41ftGVyNswXl4yVJYUGC5kszhdTZTSNVMiFT
2023-04-26 15:45:08 UTC	51	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 31 30 34 34 34 37 39 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 77 62 37 65 4d 62 4d 77 4d 30 2b 77 63 73 2b 63 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 34 30 39 63 37 35 36 36 65 64 36 34 64 30 66 35 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 1044479 197MS-CV: wb7eMbMwM0+wcs+c.3Context: 409c7566ed64d0f5<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2023-04-26 15:45:08 UTC	51	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2023-04-26 15:45:08 UTC	51	IN	Data Raw: 4d 53 2d 43 56 3a 20 71 36 51 37 4d 47 58 73 44 55 53 62 4c 52 38 42 6a 2f 31 4e 77 51 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: q6Q7MGXsDUSbLR8Bj/1NwQ.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.11.20	56872	142.250.185.77	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-04-26 15:42:14 UTC	28	OUT	POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1 Host: accounts.google.com Connection: keep-alive Content-Length: 1 Origin: https://www.google.com Content-Type: application/x-www-form-urlencoded Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: CONSENT=YES+srp.gws-20210811-0-RC2.en+FX+979
2023-04-26 15:42:14 UTC	29	OUT	Data Raw: 20 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.11.20	64478	142.250.185.78	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-04-26 15:42:14 UTC	28	OUT	GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=94.0.4606.61&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1 Host: clients2.google.com Connection: keep-alive X-Goog-Update-Interactivity: fg X-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda X-Goog-Update-Updater: chromecrx-94.0.4606.61 Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	142.250.185.78	443	192.168.11.20	64478	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-04-26 15:42:14 UTC	29	IN	HTTP/1.1 200 OK Content-Security-Policy: script-src 'report-sample' 'nonce-CLi405ydZPiTIPolAv-G7Q' 'unsafe-inline' 'strict-dynamic' https: http:;object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/clientupdate-aus/1 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Wed, 26 Apr 2023 15:42:14 GMT Content-Type: text/xml; charset=UTF-8 X-Daynum: 5959 X-Daystart: 31334 X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block Server: GSE Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2023-04-26 15:42:14 UTC	30	IN	Data Raw: 32 63 39 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 67 75 70 64 61 74 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 75 70 64 61 74 65 32 2f 72 65 73 70 6f 6e 73 65 22 20 70 72 6f 74 6f 63 6f 6c 3d 22 32 2e 30 22 20 73 65 72 76 65 72 3d 22 70 72 6f 64 22 3e 3c 64 61 79 73 74 61 72 74 20 65 6c 61 70 73 65 64 5f 64 61 79 73 3d 22 35 39 35 39 22 20 65 6c 61 70 73 65 64 5f 73 65 63 6f 6e 64 73 3d 22 33 31 33 33 34 22 2f 3e 3c 61 70 70 20 61 70 70 69 64 3d 22 6e 6d 6d 68 6b 6b 65 67 63 63 61 67 64 6c 64 67 69 69 6d 65 64 70 69 63 63 6d 67 6d 69 65 64 61 22 20 63 6f 68 6f 72 74 3d 22 31 3a 3a 22 20 63 6f 68 6f 72 74 6e 61 6d 65 3d 22 22 Data Ascii: 2c9<?xml version="1.0" encoding="UTF-8"?><gupdate xmlns="http://www.google.com/update2/response" protocol="2.0" server="prod"><daystart elapsed_days="5959" elapsed_seconds="31334"/><app appid="nmmhkkegccagdldgiimedpiccmgmieda" cohort="1::" cohortname=""
2023-04-26 15:42:14 UTC	30	IN	Data Raw: 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 68 61 73 68 5f 73 68 61 32 35 36 3d 22 38 31 65 33 61 34 64 34 33 61 37 33 36 39 39 65 31 62 37 37 38 31 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 70 72 6f 74 65 63 74 65 64 3d 22 30 22 20 73 69 7a 65 3d 22 32 34 38 35 33 31 22 20 73 74 61 74 75 73 3d 22 6f 6b 22 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 2e 30 2e 36 22 2f 3e 3c 2f 61 70 70 3e 3c 2f 67 75 70 64 61 74 65 3e 0d 0a Data Ascii: 723f56b8717175c536685c5450122b30789464ad82" hash_sha256="81e3a4d43a73699e1b7781723f56b8717175c536685c5450122b30789464ad82" protected="0" size="248531" status="ok" version="1.0.0.6"/></app></gupdate>
2023-04-26 15:42:14 UTC	30	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	142.250.185.77	443	192.168.11.20	56872	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-04-26 15:42:14 UTC	30	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Access-Control-Allow-Origin: https://www.google.com Access-Control-Allow-Credentials: true X-Content-Type-Options: nosniff Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Wed, 26 Apr 2023 15:42:14 GMT Strict-Transport-Security: max-age=31536000; includeSubDomains Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-platform=, ch-ua-platform-version= Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'report-sample' 'nonce-wqTEOO8G5QOc3QuuSIOfsg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/IdentityListAccountsHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/IdentityListAccountsHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/IdentityListAccountsHttp/cspreport Server: ESF X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2023-04-26 15:42:14 UTC	32	IN	Data Raw: 31 31 0d 0a 5b 22 67 61 69 61 2e 6c 2e 61 2e 72 22 2c 5b 5d 5d 0d 0a Data Ascii: 11["gaia.l.a.r",[]]
2023-04-26 15:42:14 UTC	32	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.11.20	49618	40.113.103.199	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-04-26 15:42:14 UTC	32	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 31 37 0d 0a 4d 53 2d 43 56 3a 20 77 68 64 31 4e 6f 72 75 36 30 69 54 73 44 76 39 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 34 38 62 34 65 31 66 38 61 38 62 66 61 64 34 66 0d 0a 0d 0a Data Ascii: CNT 1 CON 317MS-CV: whd1Noru60iTsDv9.1Context: 48b4e1f8a8bfad4f
2023-04-26 15:42:14 UTC	32	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 32 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 55 53 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 34 34 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 33 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 54 6f 20 42 65 20 46 69 6c 6c 65 64 20 42 79 20 4f 2e 45 2e 4d 2e 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19042</osVer><proc>x64</proc><lcid>en-US</lcid><geoId>244</geoId><aoac>0</aoac><deviceType>3</deviceType><deviceName>To Be Filled By O.E.M.</deviceName><followRetry>true</followRetry></agent></co
2023-04-26 15:42:14 UTC	32	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 35 33 0d 0a 4d 53 2d 43 56 3a 20 77 68 64 31 4e 6f 72 75 36 30 69 54 73 44 76 39 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 34 38 62 34 65 31 66 38 61 38 62 66 61 64 34 66 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 77 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 62 74 55 51 6a 33 6e 50 41 75 6a 39 6b 5a 32 72 47 6c 72 6f 71 43 75 2f 65 71 44 2b 34 78 37 6d 68 47 46 48 38 49 73 76 44 6a 63 76 6a 41 59 66 33 2b 63 71 6d 62 5a 46 70 65 41 63 76 36 30 57 57 37 77 6e 4e 4b 30 35 72 34 31 66 74 47 56 79 4e 73 77 58 6c 34 79 56 4a 59 55 47 43 35 6b 73 7a 68 64 54 5a 54 53 4e 56 4d 69 46 54 Data Ascii: ATH 2 CON\DEVICE 1053MS-CV: whd1Noru60iTsDv9.2Context: 48b4e1f8a8bfad4f<device><compact-ticket>t=EwCwAupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAbtUQj3nPAuj9kZ2rGlroqCu/eqD+4x7mhGFH8IsvDjcvjAYf3+cqmbZFpeAcv60WW7wnNK05r41ftGVyNswXl4yVJYUGC5kszhdTZTSNVMiFT
2023-04-26 15:42:14 UTC	33	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 31 30 34 34 34 37 39 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 77 68 64 31 4e 6f 72 75 36 30 69 54 73 44 76 39 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 34 38 62 34 65 31 66 38 61 38 62 66 61 64 34 66 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 1044479 197MS-CV: whd1Noru60iTsDv9.3Context: 48b4e1f8a8bfad4f<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2023-04-26 15:42:14 UTC	34	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2023-04-26 15:42:14 UTC	34	IN	Data Raw: 4d 53 2d 43 56 3a 20 4d 76 4c 71 2f 73 48 54 6f 6b 36 45 33 31 2f 6d 36 67 68 36 76 51 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: MvLq/sHTok6E31/m6gh6vQ.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.11.20	56468	198.54.121.168	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-04-26 15:42:14 UTC	34	OUT	GET /fishh/host[18]/admin/js/mp.php?ar=d29yZA==&b64e=WtZpQrRj&b64u=OcZtJBKoL&conf=CeTlZV&call=fwLrYhm HTTP/1.1 Host: lmsconline.com Connection: keep-alive sec-ch-ua: "Chromium";v="94", "Google Chrome";v="94", ";Not A Brand";v="99" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	198.54.121.168	443	192.168.11.20	56468	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-04-26 15:42:15 UTC	34	IN	HTTP/1.1 200 OK keep-alive: timeout=5, max=100 x-powered-by: PHP/7.4.33 content-type: text/html; charset=UTF-8 content-length: 0 date: Wed, 26 Apr 2023 15:42:15 GMT server: LiteSpeed x-turbo-charged-by: LiteSpeed x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff strict-transport-security: max-age=31536000; includeSubDomains; preload; referrer-policy: no-referrer-when-downgrade connection: close

Target ID:	0
Start time:	17:42:13
Start date:	26/04/2023
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "C:\Users\user\Desktop\ref#298409_bill_attached_.htm
Imagebase:	0x7ff60cad0000
File size:	2509656 bytes
MD5 hash:	464953824E644F10FFDC9E093FD18F94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Target ID:	1
Start time:	17:42:13
Start date:	26/04/2023
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1696,1683236938277017309,9799927179460367727,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2024 /prefetch:8
Imagebase:	0x7ff60cad0000
File size:	2509656 bytes
MD5 hash:	464953824E644F10FFDC9E093FD18F94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Source: ref#298409_bill_attached_.htm	HTTP Parser: No favicon
Source: file:///C:/Users/user/Desktop/ref%23298409_bill_attached_.htm	HTTP Parser: No favicon

Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19042.1165/0?CH=685&L=en-US;en-GB&P=&PT=0x30&WUA=10.0.19041.1151&MK=To+Be+Filled+By+O.E.M.&MD=To+Be+Filled+By+O.E.M. HTTP/1.1Connection: Keep-AliveAccept: /If-None-Match: "Mx1RoJH/qEwpWfKllx7sbsl28AuERz5IYdcsvtTJcgM=_1440"User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.32Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19042.1165/0?CH=685&L=en-US;en-GB&P=&PT=0x30&WUA=10.0.19041.1151&MK=To+Be+Filled+By+O.E.M.&MD=To+Be+Filled+By+O.E.M. HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.32Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=94.0.4606.61&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmiedaX-Goog-Update-Updater: chromecrx-94.0.4606.61Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fishh/host[18]/admin/js/mp.php?ar=d29yZA==&b64e=WtZpQrRj&b64u=OcZtJBKoL&conf=CeTlZV&call=fwLrYhm HTTP/1.1Host: lmsconline.comConnection: keep-alivesec-ch-ua: "Chromium";v="94", "Google Chrome";v="94", ";Not A Brand";v="99"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com

Source: global traffic	TCP traffic: 192.168.11.20:57715 -> 239.255.255.250:1900
Source: global traffic	TCP traffic: 192.168.11.20:57715 -> 239.255.255.250:1900
Source: global traffic	TCP traffic: 192.168.11.20:57715 -> 239.255.255.250:1900
Source: global traffic	TCP traffic: 192.168.11.20:57715 -> 239.255.255.250:1900
Source: global traffic	TCP traffic: 192.168.11.20:59517 -> 239.255.255.250:1900
Source: global traffic	TCP traffic: 192.168.11.20:59517 -> 239.255.255.250:1900
Source: global traffic	TCP traffic: 192.168.11.20:59517 -> 239.255.255.250:1900
Source: global traffic	TCP traffic: 192.168.11.20:59517 -> 239.255.255.250:1900

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49618 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50015
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56953
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57327
Source: unknown	Network traffic detected: HTTP traffic on port 55005 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49618
Source: unknown	Network traffic detected: HTTP traffic on port 64478 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52802
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50028
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52803
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 56468 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57024
Source: unknown	Network traffic detected: HTTP traffic on port 53793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51368 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 50015 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55005
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51368
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52532
Source: unknown	Network traffic detected: HTTP traffic on port 52532 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60553
Source: unknown	Network traffic detected: HTTP traffic on port 50028 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58043
Source: unknown	Network traffic detected: HTTP traffic on port 61770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64478
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63304
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58043 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 60553 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 56953 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53793
Source: unknown	Network traffic detected: HTTP traffic on port 57327 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56468
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56872
Source: unknown	Network traffic detected: HTTP traffic on port 57024 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63304 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61770
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56872 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199

Description:	Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans using tools that are brought onto a system.
Tactics:	Discovery
Data Sources:	Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process use of network
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ref#298409_bill_attached_.htm

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Networking

System Summary

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: chrome.exePID: 7708, Parent PID: 9000

General

Chronological Activities

Analysis Process: chrome.exePID: 8252, Parent PID: 7708

General

Chronological Activities

Disassembly

Windows Analysis Report
ref#298409_bill_attached_.htm