Edit tour

Windows Analysis Report
https://k-aus1.clicktale.net/v2/recording

Overview

General Information

Sample URL:	https://k-aus1.clicktale.net/v2/recording
Analysis ID:	882649
Infos:

Detection

Score:	0
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

No high impact signatures.

Classification

Process Tree

System is w7x64

chrome.exe (PID: 3068 cmdline: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank MD5: 6ACAE527E744C80997B25EF2A0485D5E)

chrome.exe (PID: 1136 cmdline: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1008,1118053712114920099,6350462283654842560,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1460 /prefetch:8 MD5: 6ACAE527E744C80997B25EF2A0485D5E)

chrome.exe (PID: 2132 cmdline: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" "https://k-aus1.clicktale.net/v2/recording MD5: 6ACAE527E744C80997B25EF2A0485D5E)

cleanup

HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: CONSENT=WP.289365

Source: classification engine

Classification label: clean0.win@28/0@3/6

Source: unknown	Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1008,1118053712114920099,6350462283654842560,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1460 /prefetch:8
Source: unknown	Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" "https://k-aus1.clicktale.net/v2/recording
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1008,1118053712114920099,6350462283654842560,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1460 /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	1 Process Injection	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	4 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	5 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	3 Ingress Tool Transfer	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
https://k-aus1.clicktale.net/v2/recording	0%	Virustotal		Browse
https://k-aus1.clicktale.net/v2/recording	0%	Avira URL Cloud	safe

Name	IP	Active	Malicious	Reputation
accounts.google.com	142.250.203.109	true	false	high
k.bf.contentsquare.net	34.226.225.250	true	false	unknown
clients.l.google.com	142.250.203.110	true	false	high
k-aus1.clicktale.net	unknown	unknown	false	high
clients2.google.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://k-aus1.clicktale.net/favicon.ico	false	high
https://k-aus1.clicktale.net/v2/recording	false	high
https://k-aus1.clicktale.net/v2/recording	false	high
https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=84.0.4147.135&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc	false	high
https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard	false	high
https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=84.0.4147.135&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
239.255.255.250	unknown	Reserved	unknown	unknown	false
34.226.225.250	k.bf.contentsquare.net	United States	14618	AMAZON-AESUS	false
142.250.203.110	clients.l.google.com	United States	15169	GOOGLEUS	false
142.250.203.109	accounts.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.30
192.168.2.255

General Information

Joe Sandbox Version:	37.1.0 Beryl
Analysis ID:	882649
Start date and time:	2023-06-06 16:20:36 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	https://k-aus1.clicktale.net/v2/recording
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	2
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean0.win@28/0@3/6
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0

Warnings

Exclude process from analysis (whitelisted): vga.dll
Excluded IPs from analysis (whitelisted): 142.250.203.99, 34.104.35.123
Excluded domains from analysis (whitelisted): edgedl.me.gvt1.com, update.googleapis.com, clientservices.googleapis.com, www.gstatic.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtSetInformationFile calls found.

Total Packets: 52
• 443 (HTTPS)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 6, 2023 16:21:40.709554911 CEST	49182	443	192.168.2.22	142.250.203.109
Jun 6, 2023 16:21:40.709645033 CEST	443	49182	142.250.203.109	192.168.2.22
Jun 6, 2023 16:21:40.709723949 CEST	49182	443	192.168.2.22	142.250.203.109
Jun 6, 2023 16:21:40.709953070 CEST	49183	443	192.168.2.22	34.226.225.250
Jun 6, 2023 16:21:40.710009098 CEST	443	49183	34.226.225.250	192.168.2.22
Jun 6, 2023 16:21:40.710074902 CEST	49183	443	192.168.2.22	34.226.225.250
Jun 6, 2023 16:21:40.711288929 CEST	49184	443	192.168.2.22	34.226.225.250
Jun 6, 2023 16:21:40.711361885 CEST	443	49184	34.226.225.250	192.168.2.22
Jun 6, 2023 16:21:40.711446047 CEST	49184	443	192.168.2.22	34.226.225.250
Jun 6, 2023 16:21:40.711970091 CEST	49182	443	192.168.2.22	142.250.203.109
Jun 6, 2023 16:21:40.712001085 CEST	443	49182	142.250.203.109	192.168.2.22
Jun 6, 2023 16:21:40.712558985 CEST	49183	443	192.168.2.22	34.226.225.250
Jun 6, 2023 16:21:40.712590933 CEST	443	49183	34.226.225.250	192.168.2.22
Jun 6, 2023 16:21:40.712800026 CEST	49184	443	192.168.2.22	34.226.225.250
Jun 6, 2023 16:21:40.712847948 CEST	443	49184	34.226.225.250	192.168.2.22
Jun 6, 2023 16:21:40.723643064 CEST	49185	443	192.168.2.22	142.250.203.110
Jun 6, 2023 16:21:40.723711014 CEST	443	49185	142.250.203.110	192.168.2.22
Jun 6, 2023 16:21:40.723781109 CEST	49185	443	192.168.2.22	142.250.203.110
Jun 6, 2023 16:21:40.724087954 CEST	49185	443	192.168.2.22	142.250.203.110
Jun 6, 2023 16:21:40.724107027 CEST	443	49185	142.250.203.110	192.168.2.22
Jun 6, 2023 16:21:40.819375992 CEST	443	49182	142.250.203.109	192.168.2.22
Jun 6, 2023 16:21:40.830795050 CEST	443	49185	142.250.203.110	192.168.2.22
Jun 6, 2023 16:21:40.834952116 CEST	49182	443	192.168.2.22	142.250.203.109
Jun 6, 2023 16:21:40.834983110 CEST	443	49182	142.250.203.109	192.168.2.22
Jun 6, 2023 16:21:40.835252047 CEST	49185	443	192.168.2.22	142.250.203.110
Jun 6, 2023 16:21:40.835285902 CEST	443	49185	142.250.203.110	192.168.2.22
Jun 6, 2023 16:21:40.836750984 CEST	443	49185	142.250.203.110	192.168.2.22
Jun 6, 2023 16:21:40.836858988 CEST	49185	443	192.168.2.22	142.250.203.110
Jun 6, 2023 16:21:40.839375973 CEST	443	49182	142.250.203.109	192.168.2.22
Jun 6, 2023 16:21:40.839497089 CEST	49182	443	192.168.2.22	142.250.203.109
Jun 6, 2023 16:21:40.839826107 CEST	443	49185	142.250.203.110	192.168.2.22
Jun 6, 2023 16:21:40.839912891 CEST	49185	443	192.168.2.22	142.250.203.110
Jun 6, 2023 16:21:41.131778002 CEST	49182	443	192.168.2.22	142.250.203.109
Jun 6, 2023 16:21:41.132194996 CEST	49182	443	192.168.2.22	142.250.203.109
Jun 6, 2023 16:21:41.132220984 CEST	443	49182	142.250.203.109	192.168.2.22
Jun 6, 2023 16:21:41.146344900 CEST	49185	443	192.168.2.22	142.250.203.110
Jun 6, 2023 16:21:41.146625996 CEST	443	49185	142.250.203.110	192.168.2.22
Jun 6, 2023 16:21:41.163259029 CEST	49185	443	192.168.2.22	142.250.203.110
Jun 6, 2023 16:21:41.163325071 CEST	443	49185	142.250.203.110	192.168.2.22
Jun 6, 2023 16:21:41.170972109 CEST	443	49184	34.226.225.250	192.168.2.22
Jun 6, 2023 16:21:41.171578884 CEST	49184	443	192.168.2.22	34.226.225.250
Jun 6, 2023 16:21:41.171612978 CEST	443	49184	34.226.225.250	192.168.2.22
Jun 6, 2023 16:21:41.172295094 CEST	443	49182	142.250.203.109	192.168.2.22
Jun 6, 2023 16:21:41.175110102 CEST	443	49184	34.226.225.250	192.168.2.22
Jun 6, 2023 16:21:41.175256968 CEST	49184	443	192.168.2.22	34.226.225.250
Jun 6, 2023 16:21:41.178661108 CEST	49184	443	192.168.2.22	34.226.225.250
Jun 6, 2023 16:21:41.178914070 CEST	49184	443	192.168.2.22	34.226.225.250
Jun 6, 2023 16:21:41.178931952 CEST	443	49184	34.226.225.250	192.168.2.22
Jun 6, 2023 16:21:41.178961992 CEST	443	49184	34.226.225.250	192.168.2.22
Jun 6, 2023 16:21:41.182266951 CEST	443	49182	142.250.203.109	192.168.2.22
Jun 6, 2023 16:21:41.182374954 CEST	49182	443	192.168.2.22	142.250.203.109
Jun 6, 2023 16:21:41.182404995 CEST	443	49182	142.250.203.109	192.168.2.22
Jun 6, 2023 16:21:41.182519913 CEST	443	49182	142.250.203.109	192.168.2.22
Jun 6, 2023 16:21:41.182584047 CEST	49182	443	192.168.2.22	142.250.203.109
Jun 6, 2023 16:21:41.183712959 CEST	49182	443	192.168.2.22	142.250.203.109
Jun 6, 2023 16:21:41.183748960 CEST	443	49182	142.250.203.109	192.168.2.22
Jun 6, 2023 16:21:41.197390079 CEST	443	49185	142.250.203.110	192.168.2.22
Jun 6, 2023 16:21:41.197496891 CEST	49185	443	192.168.2.22	142.250.203.110
Jun 6, 2023 16:21:41.197516918 CEST	443	49185	142.250.203.110	192.168.2.22
Jun 6, 2023 16:21:41.197671890 CEST	443	49185	142.250.203.110	192.168.2.22
Jun 6, 2023 16:21:41.197736025 CEST	49185	443	192.168.2.22	142.250.203.110
Jun 6, 2023 16:21:41.207921982 CEST	443	49183	34.226.225.250	192.168.2.22
Jun 6, 2023 16:21:41.228831053 CEST	49185	443	192.168.2.22	142.250.203.110
Jun 6, 2023 16:21:41.228873968 CEST	443	49185	142.250.203.110	192.168.2.22
Jun 6, 2023 16:21:41.242732048 CEST	49183	443	192.168.2.22	34.226.225.250
Jun 6, 2023 16:21:41.242767096 CEST	443	49183	34.226.225.250	192.168.2.22
Jun 6, 2023 16:21:41.244501114 CEST	443	49183	34.226.225.250	192.168.2.22
Jun 6, 2023 16:21:41.244594097 CEST	49183	443	192.168.2.22	34.226.225.250
Jun 6, 2023 16:21:41.246037006 CEST	49183	443	192.168.2.22	34.226.225.250
Jun 6, 2023 16:21:41.246206999 CEST	443	49183	34.226.225.250	192.168.2.22
Jun 6, 2023 16:21:41.325134993 CEST	443	49184	34.226.225.250	192.168.2.22
Jun 6, 2023 16:21:41.325239897 CEST	49184	443	192.168.2.22	34.226.225.250
Jun 6, 2023 16:21:41.326663971 CEST	49184	443	192.168.2.22	34.226.225.250
Jun 6, 2023 16:21:41.326689959 CEST	443	49184	34.226.225.250	192.168.2.22
Jun 6, 2023 16:21:41.456291914 CEST	443	49183	34.226.225.250	192.168.2.22
Jun 6, 2023 16:21:41.456381083 CEST	49183	443	192.168.2.22	34.226.225.250
Jun 6, 2023 16:21:41.500989914 CEST	49183	443	192.168.2.22	34.226.225.250
Jun 6, 2023 16:21:41.544306993 CEST	443	49183	34.226.225.250	192.168.2.22
Jun 6, 2023 16:21:41.646789074 CEST	443	49183	34.226.225.250	192.168.2.22
Jun 6, 2023 16:21:41.646903038 CEST	443	49183	34.226.225.250	192.168.2.22
Jun 6, 2023 16:21:41.646984100 CEST	49183	443	192.168.2.22	34.226.225.250
Jun 6, 2023 16:21:41.649342060 CEST	49183	443	192.168.2.22	34.226.225.250
Jun 6, 2023 16:21:41.649375916 CEST	443	49183	34.226.225.250	192.168.2.22
Jun 6, 2023 16:21:42.819005013 CEST	49188	443	192.168.2.22	142.250.203.110
Jun 6, 2023 16:21:42.819063902 CEST	443	49188	142.250.203.110	192.168.2.22
Jun 6, 2023 16:21:42.819133997 CEST	49188	443	192.168.2.22	142.250.203.110
Jun 6, 2023 16:21:42.917294025 CEST	49188	443	192.168.2.22	142.250.203.110
Jun 6, 2023 16:21:42.917357922 CEST	443	49188	142.250.203.110	192.168.2.22
Jun 6, 2023 16:21:42.967751980 CEST	443	49188	142.250.203.110	192.168.2.22
Jun 6, 2023 16:21:42.969676018 CEST	49188	443	192.168.2.22	142.250.203.110
Jun 6, 2023 16:21:42.969733953 CEST	443	49188	142.250.203.110	192.168.2.22
Jun 6, 2023 16:21:42.970674038 CEST	443	49188	142.250.203.110	192.168.2.22
Jun 6, 2023 16:21:42.974719048 CEST	49188	443	192.168.2.22	142.250.203.110
Jun 6, 2023 16:21:42.974921942 CEST	49188	443	192.168.2.22	142.250.203.110
Jun 6, 2023 16:21:42.974936008 CEST	443	49188	142.250.203.110	192.168.2.22
Jun 6, 2023 16:21:42.975111008 CEST	443	49188	142.250.203.110	192.168.2.22
Jun 6, 2023 16:21:43.017637968 CEST	443	49188	142.250.203.110	192.168.2.22
Jun 6, 2023 16:21:43.017858982 CEST	443	49188	142.250.203.110	192.168.2.22
Jun 6, 2023 16:21:43.017858028 CEST	49188	443	192.168.2.22	142.250.203.110
Jun 6, 2023 16:21:43.018143892 CEST	49188	443	192.168.2.22	142.250.203.110
Jun 6, 2023 16:21:43.020868063 CEST	49188	443	192.168.2.22	142.250.203.110
Jun 6, 2023 16:21:43.020917892 CEST	443	49188	142.250.203.110	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 6, 2023 16:21:39.470436096 CEST	137	137	192.168.2.22	192.168.2.255
Jun 6, 2023 16:21:39.471460104 CEST	137	137	192.168.2.22	192.168.2.255
Jun 6, 2023 16:21:39.486030102 CEST	137	137	192.168.2.22	192.168.2.255
Jun 6, 2023 16:21:40.220053911 CEST	137	137	192.168.2.22	192.168.2.255
Jun 6, 2023 16:21:40.222168922 CEST	137	137	192.168.2.22	192.168.2.255
Jun 6, 2023 16:21:40.235038996 CEST	137	137	192.168.2.22	192.168.2.255
Jun 6, 2023 16:21:40.624327898 CEST	59241	53	192.168.2.22	8.8.8.8
Jun 6, 2023 16:21:40.627326965 CEST	55244	53	192.168.2.22	8.8.8.8
Jun 6, 2023 16:21:40.628649950 CEST	53958	53	192.168.2.22	8.8.8.8
Jun 6, 2023 16:21:40.655791998 CEST	53	55244	8.8.8.8	192.168.2.22
Jun 6, 2023 16:21:40.658235073 CEST	53	59241	8.8.8.8	192.168.2.22
Jun 6, 2023 16:21:40.661572933 CEST	53	53958	8.8.8.8	192.168.2.22
Jun 6, 2023 16:21:40.970170021 CEST	137	137	192.168.2.22	192.168.2.255
Jun 6, 2023 16:21:40.970228910 CEST	137	137	192.168.2.22	192.168.2.255
Jun 6, 2023 16:21:40.985177994 CEST	137	137	192.168.2.22	192.168.2.255
Jun 6, 2023 16:21:52.457500935 CEST	137	137	192.168.2.22	192.168.2.255
Jun 6, 2023 16:21:52.604394913 CEST	137	137	192.168.2.22	192.168.2.255
Jun 6, 2023 16:21:52.713583946 CEST	137	137	192.168.2.22	192.168.2.255
Jun 6, 2023 16:21:52.807429075 CEST	137	137	192.168.2.22	192.168.2.255
Jun 6, 2023 16:21:52.808124065 CEST	137	137	192.168.2.22	192.168.2.255
Jun 6, 2023 16:21:52.823040962 CEST	137	137	192.168.2.22	192.168.2.255
Jun 6, 2023 16:21:53.212192059 CEST	137	137	192.168.2.22	192.168.2.255
Jun 6, 2023 16:21:53.369019032 CEST	137	137	192.168.2.22	192.168.2.255
Jun 6, 2023 16:21:53.478223085 CEST	137	137	192.168.2.22	192.168.2.255
Jun 6, 2023 16:21:53.571768999 CEST	137	137	192.168.2.22	192.168.2.255
Jun 6, 2023 16:21:53.571847916 CEST	137	137	192.168.2.22	192.168.2.255
Jun 6, 2023 16:21:53.587398052 CEST	137	137	192.168.2.22	192.168.2.255
Jun 6, 2023 16:21:53.977457047 CEST	137	137	192.168.2.22	192.168.2.255
Jun 6, 2023 16:21:54.133466959 CEST	137	137	192.168.2.22	192.168.2.255
Jun 6, 2023 16:21:54.242646933 CEST	137	137	192.168.2.22	192.168.2.255
Jun 6, 2023 16:21:54.336272955 CEST	137	137	192.168.2.22	192.168.2.255
Jun 6, 2023 16:21:54.339409113 CEST	137	137	192.168.2.22	192.168.2.255
Jun 6, 2023 16:21:54.351870060 CEST	137	137	192.168.2.22	192.168.2.255
Jun 6, 2023 16:21:54.743261099 CEST	137	137	192.168.2.22	192.168.2.255
Jun 6, 2023 16:21:54.747788906 CEST	137	137	192.168.2.22	192.168.2.255
Jun 6, 2023 16:21:54.891016006 CEST	137	137	192.168.2.22	192.168.2.255
Jun 6, 2023 16:21:55.506318092 CEST	137	137	192.168.2.22	192.168.2.255
Jun 6, 2023 16:21:55.506474018 CEST	137	137	192.168.2.22	192.168.2.255
Jun 6, 2023 16:21:55.646778107 CEST	137	137	192.168.2.22	192.168.2.255
Jun 6, 2023 16:21:56.270914078 CEST	137	137	192.168.2.22	192.168.2.255
Jun 6, 2023 16:21:56.270967007 CEST	137	137	192.168.2.22	192.168.2.255
Jun 6, 2023 16:21:56.397622108 CEST	137	137	192.168.2.22	192.168.2.255
Jun 6, 2023 16:22:20.893785000 CEST	137	137	192.168.2.22	192.168.2.255
Jun 6, 2023 16:22:21.656022072 CEST	137	137	192.168.2.22	192.168.2.255
Jun 6, 2023 16:22:22.420562983 CEST	137	137	192.168.2.22	192.168.2.255
Jun 6, 2023 16:22:37.472583055 CEST	137	137	192.168.2.22	192.168.2.255
Jun 6, 2023 16:22:38.235022068 CEST	137	137	192.168.2.22	192.168.2.255
Jun 6, 2023 16:22:38.985372066 CEST	137	137	192.168.2.22	192.168.2.255
Jun 6, 2023 16:22:49.763418913 CEST	138	138	192.168.2.22	192.168.2.255

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jun 6, 2023 16:21:40.624327898 CEST	192.168.2.22	8.8.8.8	0x3b2b	Standard query (0)	k-aus1.clicktale.net	A (IP address)	IN (0x0001)	false
Jun 6, 2023 16:21:40.627326965 CEST	192.168.2.22	8.8.8.8	0x1e11	Standard query (0)	accounts.google.com	A (IP address)	IN (0x0001)	false
Jun 6, 2023 16:21:40.628649950 CEST	192.168.2.22	8.8.8.8	0x91cf	Standard query (0)	clients2.google.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jun 6, 2023 16:21:40.655791998 CEST	8.8.8.8	192.168.2.22	0x1e11	No error (0)	accounts.google.com		142.250.203.109	A (IP address)	IN (0x0001)	false
Jun 6, 2023 16:21:40.658235073 CEST	8.8.8.8	192.168.2.22	0x3b2b	No error (0)	k-aus1.clicktale.net	k.bf.contentsquare.net		CNAME (Canonical name)	IN (0x0001)	false
Jun 6, 2023 16:21:40.658235073 CEST	8.8.8.8	192.168.2.22	0x3b2b	No error (0)	k.bf.contentsquare.net		34.226.225.250	A (IP address)	IN (0x0001)	false
Jun 6, 2023 16:21:40.658235073 CEST	8.8.8.8	192.168.2.22	0x3b2b	No error (0)	k.bf.contentsquare.net		54.84.25.160	A (IP address)	IN (0x0001)	false
Jun 6, 2023 16:21:40.658235073 CEST	8.8.8.8	192.168.2.22	0x3b2b	No error (0)	k.bf.contentsquare.net		18.233.209.35	A (IP address)	IN (0x0001)	false
Jun 6, 2023 16:21:40.658235073 CEST	8.8.8.8	192.168.2.22	0x3b2b	No error (0)	k.bf.contentsquare.net		35.168.65.224	A (IP address)	IN (0x0001)	false
Jun 6, 2023 16:21:40.658235073 CEST	8.8.8.8	192.168.2.22	0x3b2b	No error (0)	k.bf.contentsquare.net		34.198.168.222	A (IP address)	IN (0x0001)	false
Jun 6, 2023 16:21:40.658235073 CEST	8.8.8.8	192.168.2.22	0x3b2b	No error (0)	k.bf.contentsquare.net		54.84.57.151	A (IP address)	IN (0x0001)	false
Jun 6, 2023 16:21:40.661572933 CEST	8.8.8.8	192.168.2.22	0x91cf	No error (0)	clients2.google.com	clients.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Jun 6, 2023 16:21:40.661572933 CEST	8.8.8.8	192.168.2.22	0x91cf	No error (0)	clients.l.google.com		142.250.203.110	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

accounts.google.com

clients2.google.com

k-aus1.clicktale.net

https:

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49182	142.250.203.109	443	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-06-06 14:21:41 UTC	0	OUT	POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1 Host: accounts.google.com Connection: keep-alive Content-Length: 1 Origin: https://www.google.com Content-Type: application/x-www-form-urlencoded Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: CONSENT=WP.289365
2023-06-06 14:21:41 UTC	0	OUT	Data Raw: 20 Data Ascii:
2023-06-06 14:21:41 UTC	1	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Access-Control-Allow-Origin: https://www.google.com Access-Control-Allow-Credentials: true X-Content-Type-Options: nosniff Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 06 Jun 2023 14:21:41 GMT Strict-Transport-Security: max-age=31536000; includeSubDomains Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factor=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: script-src 'report-sample' 'nonce-swmuhdpvYC-_kMajEdWrRA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/IdentityListAccountsHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/IdentityListAccountsHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/IdentityListAccountsHttp/cspreport Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2023-06-06 14:21:41 UTC	3	IN	Data Raw: 31 31 0d 0a 5b 22 67 61 69 61 2e 6c 2e 61 2e 72 22 2c 5b 5d 5d 0d 0a Data Ascii: 11["gaia.l.a.r",[]]
2023-06-06 14:21:41 UTC	3	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49185	142.250.203.110	443	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-06-06 14:21:41 UTC	0	OUT	GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=84.0.4147.135&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1 Host: clients2.google.com Connection: keep-alive X-Goog-Update-Interactivity: fg X-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda,pkedcjkdefgpdelpbcmbmeomcjbeemfm X-Goog-Update-Updater: chromecrx-84.0.4147.135 Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2023-06-06 14:21:41 UTC	3	IN	HTTP/1.1 200 OK Content-Security-Policy: script-src 'report-sample' 'nonce-V8nXamuTQf-Wn3rGvQGwYw' 'unsafe-inline' 'strict-dynamic' https: http:;object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/clientupdate-aus/1 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 06 Jun 2023 14:21:41 GMT Content-Type: text/xml; charset=UTF-8 X-Daynum: 6000 X-Daystart: 26501 X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block Server: GSE Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2023-06-06 14:21:41 UTC	4	IN	Data Raw: 33 31 61 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 67 75 70 64 61 74 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 75 70 64 61 74 65 32 2f 72 65 73 70 6f 6e 73 65 22 20 70 72 6f 74 6f 63 6f 6c 3d 22 32 2e 30 22 20 73 65 72 76 65 72 3d 22 70 72 6f 64 22 3e 3c 64 61 79 73 74 61 72 74 20 65 6c 61 70 73 65 64 5f 64 61 79 73 3d 22 36 30 30 30 22 20 65 6c 61 70 73 65 64 5f 73 65 63 6f 6e 64 73 3d 22 32 36 35 30 31 22 2f 3e 3c 61 70 70 20 61 70 70 69 64 3d 22 6e 6d 6d 68 6b 6b 65 67 63 63 61 67 64 6c 64 67 69 69 6d 65 64 70 69 63 63 6d 67 6d 69 65 64 61 22 20 63 6f 68 6f 72 74 3d 22 31 3a 3a 22 20 63 6f 68 6f 72 74 6e 61 6d 65 3d 22 22 Data Ascii: 31a<?xml version="1.0" encoding="UTF-8"?><gupdate xmlns="http://www.google.com/update2/response" protocol="2.0" server="prod"><daystart elapsed_days="6000" elapsed_seconds="26501"/><app appid="nmmhkkegccagdldgiimedpiccmgmieda" cohort="1::" cohortname=""
2023-06-06 14:21:41 UTC	4	IN	Data Raw: 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 68 61 73 68 5f 73 68 61 32 35 36 3d 22 38 31 65 33 61 34 64 34 33 61 37 33 36 39 39 65 31 62 37 37 38 31 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 70 72 6f 74 65 63 74 65 64 3d 22 30 22 20 73 69 7a 65 3d 22 32 34 38 35 33 31 22 20 73 74 61 74 75 73 3d 22 6f 6b 22 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 2e 30 2e 36 22 2f 3e 3c 2f 61 70 70 3e 3c 61 70 70 20 61 70 70 69 64 3d 22 70 6b 65 64 63 6a 6b 64 65 66 67 70 64 65 6c 70 62 63 6d 62 6d 65 6f 6d 63 6a 62 65 65 6d 66 6d 22 20 73 74 61 74 75 73 3d 22 65 72 72 6f 72 2d 75 6e 6b 6e 6f 77 6e Data Ascii: 723f56b8717175c536685c5450122b30789464ad82" hash_sha256="81e3a4d43a73699e1b7781723f56b8717175c536685c5450122b30789464ad82" protected="0" size="248531" status="ok" version="1.0.0.6"/></app><app appid="pkedcjkdefgpdelpbcmbmeomcjbeemfm" status="error-unknown
2023-06-06 14:21:41 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.22	49184	34.226.225.250	443	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-06-06 14:21:41 UTC	1	OUT	GET /v2/recording HTTP/1.1 Host: k-aus1.clicktale.net Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2023-06-06 14:21:41 UTC	5	IN	HTTP/1.1 405 Method Not Allowed Date: Tue, 06 Jun 2023 14:21:41 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 57 Connection: close Allow: OPTIONS, POST x-path-label: unhandled
2023-06-06 14:21:41 UTC	5	IN	HTTP method not allowed, supported methods: OPTIONS, POST

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.22	49183	34.226.225.250	443	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-06-06 14:21:41 UTC	5	OUT	GET /favicon.ico HTTP/1.1 Host: k-aus1.clicktale.net Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36 Accept: image/webp,image/apng,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://k-aus1.clicktale.net/v2/recording Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2023-06-06 14:21:41 UTC	5	IN	HTTP/1.1 404 Not Found Date: Tue, 06 Jun 2023 14:21:41 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 42 Connection: close x-path-label: unhandled
2023-06-06 14:21:41 UTC	5	IN	Data Raw: 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 2e Data Ascii: The requested resource could not be found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.22	49188	142.250.203.110	443	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-06-06 14:21:42 UTC	5	OUT	GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=84.0.4147.135&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc HTTP/1.1 Host: clients2.google.com Connection: keep-alive X-Goog-Update-Interactivity: bg X-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda,pkedcjkdefgpdelpbcmbmeomcjbeemfm X-Goog-Update-Updater: chromecrx-84.0.4147.135 Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2023-06-06 14:21:43 UTC	6	IN	HTTP/1.1 200 OK Content-Security-Policy: script-src 'report-sample' 'nonce-V2dbJkkvHHnxhfPsYm9ucg' 'unsafe-inline' 'strict-dynamic' https: http:;object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/clientupdate-aus/1 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 06 Jun 2023 14:21:42 GMT Content-Type: text/xml; charset=UTF-8 X-Daynum: 6000 X-Daystart: 26502 X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block Server: GSE Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2023-06-06 14:21:43 UTC	7	IN	Data Raw: 33 31 61 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 67 75 70 64 61 74 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 75 70 64 61 74 65 32 2f 72 65 73 70 6f 6e 73 65 22 20 70 72 6f 74 6f 63 6f 6c 3d 22 32 2e 30 22 20 73 65 72 76 65 72 3d 22 70 72 6f 64 22 3e 3c 64 61 79 73 74 61 72 74 20 65 6c 61 70 73 65 64 5f 64 61 79 73 3d 22 36 30 30 30 22 20 65 6c 61 70 73 65 64 5f 73 65 63 6f 6e 64 73 3d 22 32 36 35 30 32 22 2f 3e 3c 61 70 70 20 61 70 70 69 64 3d 22 6e 6d 6d 68 6b 6b 65 67 63 63 61 67 64 6c 64 67 69 69 6d 65 64 70 69 63 63 6d 67 6d 69 65 64 61 22 20 63 6f 68 6f 72 74 3d 22 31 3a 3a 22 20 63 6f 68 6f 72 74 6e 61 6d 65 3d 22 22 Data Ascii: 31a<?xml version="1.0" encoding="UTF-8"?><gupdate xmlns="http://www.google.com/update2/response" protocol="2.0" server="prod"><daystart elapsed_days="6000" elapsed_seconds="26502"/><app appid="nmmhkkegccagdldgiimedpiccmgmieda" cohort="1::" cohortname=""
2023-06-06 14:21:43 UTC	7	IN	Data Raw: 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 68 61 73 68 5f 73 68 61 32 35 36 3d 22 38 31 65 33 61 34 64 34 33 61 37 33 36 39 39 65 31 62 37 37 38 31 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 70 72 6f 74 65 63 74 65 64 3d 22 30 22 20 73 69 7a 65 3d 22 32 34 38 35 33 31 22 20 73 74 61 74 75 73 3d 22 6f 6b 22 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 2e 30 2e 36 22 2f 3e 3c 2f 61 70 70 3e 3c 61 70 70 20 61 70 70 69 64 3d 22 70 6b 65 64 63 6a 6b 64 65 66 67 70 64 65 6c 70 62 63 6d 62 6d 65 6f 6d 63 6a 62 65 65 6d 66 6d 22 20 73 74 61 74 75 73 3d 22 65 72 72 6f 72 2d 75 6e 6b 6e 6f 77 6e Data Ascii: 723f56b8717175c536685c5450122b30789464ad82" hash_sha256="81e3a4d43a73699e1b7781723f56b8717175c536685c5450122b30789464ad82" protected="0" size="248531" status="ok" version="1.0.0.6"/></app><app appid="pkedcjkdefgpdelpbcmbmeomcjbeemfm" status="error-unknown
2023-06-06 14:21:43 UTC	8	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Statistics

CPU Usage

• chrome.exe
• chrome.exe
• chrome.exe

Click to jump to process

Memory Usage

• chrome.exe
• chrome.exe
• chrome.exe

Click to jump to process

Click to jump to process

Target ID:	0
Start time:	16:22:05
Start date:	06/06/2023
Path:	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank
Imagebase:	0x13f290000
File size:	1820656 bytes
MD5 hash:	6ACAE527E744C80997B25EF2A0485D5E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Target ID:	1
Start time:	16:22:06
Start date:	06/06/2023
Path:	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1008,1118053712114920099,6350462283654842560,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1460 /prefetch:8
Imagebase:	0x13f290000
File size:	1820656 bytes
MD5 hash:	6ACAE527E744C80997B25EF2A0485D5E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Target ID:	4
Start time:	16:22:09
Start date:	06/06/2023
Path:	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" "https://k-aus1.clicktale.net/v2/recording
Imagebase:	0x13f290000
File size:	1820656 bytes
MD5 hash:	6ACAE527E744C80997B25EF2A0485D5E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Source: https://k-aus1.clicktale.net/v2/recording	HTTP Parser: No favicon
Source: https://k-aus1.clicktale.net/v2/recording	HTTP Parser: No favicon

Source: global traffic	HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=84.0.4147.135&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda,pkedcjkdefgpdelpbcmbmeomcjbeemfmX-Goog-Update-Updater: chromecrx-84.0.4147.135Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /v2/recording HTTP/1.1Host: k-aus1.clicktale.netConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: k-aus1.clicktale.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept: image/webp,image/apng,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://k-aus1.clicktale.net/v2/recordingAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=84.0.4147.135&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: bgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda,pkedcjkdefgpdelpbcmbmeomcjbeemfmX-Goog-Update-Updater: chromecrx-84.0.4147.135Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Source: unknown	Network traffic detected: HTTP traffic on port 49184 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49185 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49183 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49188
Source: unknown	Network traffic detected: HTTP traffic on port 49182 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49185
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49184
Source: unknown	Network traffic detected: HTTP traffic on port 49188 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49183
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49182

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://k-aus1.clicktale.net/v2/recording

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Phishing

Networking

System Summary

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: chrome.exePID: 3068, Parent PID: 2976

General

File Activities

File Opened

File Deleted

File Moved

Other File Operations

Registry Activities

Key Deleted

Key Value Deleted

COM Activities

WMI Operations

Process Activities

Process Created

Process Terminated

Thread Activities

Thread Terminated

Windows Analysis Report
https://k-aus1.clicktale.net/v2/recording