Edit tour

Windows Analysis Report
https://github.com/microsoft/PowerToys/releases/download/v0.84.1/PowerToysUserSetup-0.84.1-x64.exe

Overview

General Information

Sample URL:	https://github.com/microsoft/PowerToys/releases/download/v0.84.1/PowerToysUserSetup-0.84.1-x64.exe
Analysis ID:	1521594
Infos:

Detection

Score:	4
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected non-DNS traffic on DNS port

Detected suspicious crossdomain redirect

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

PE file contains an invalid checksum

PE file contains sections with non-standard names

PE file does not import any functions

PE file overlay found

Classification

Process Tree

System is w10x64

chrome.exe (PID: 5208 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 6220 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 --field-trial-handle=1928,i,12913085829763271358,17456350680023490058,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 4832 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://github.com/microsoft/PowerToys/releases/download/v0.84.1/PowerToysUserSetup-0.84.1-x64.exe" MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.6:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.6:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:64569 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.7.1.246:443 -> 192.168.2.6:64572 version: TLS 1.2

Source: global traffic

TCP traffic: 192.168.2.6:64567 -> 1.1.1.1:53

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

HTTP traffic: Redirect from: github.com to https://objects.githubusercontent.com/github-production-release-asset-2e65be/184456251/3387acd8-f5b0-466a-b42c-efc4d40c0b47?x-amz-algorithm=aws4-hmac-sha256&x-amz-credential=releaseassetproduction%2f20240928%2fus-east-1%2fs3%2faws4_request&x-amz-date=20240928t225531z&x-amz-expires=300&x-amz-signature=1f9c333d81f65fad8e4658cdb6a977d6ec1e14e59e45e3acd09d17e0da62b1b1&x-amz-signedheaders=host&response-content-disposition=attachment%3b%20filename%3dpowertoysusersetup-0.84.1-x64.exe&response-content-type=application%2foctet-stream

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253

Source: global traffic	HTTP traffic detected: GET /microsoft/PowerToys/releases/download/v0.84.1/PowerToysUserSetup-0.84.1-x64.exe HTTP/1.1Host: github.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /github-production-release-asset-2e65be/184456251/3387acd8-f5b0-466a-b42c-efc4d40c0b47?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240928%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240928T225531Z&X-Amz-Expires=300&X-Amz-Signature=1f9c333d81f65fad8e4658cdb6a977d6ec1e14e59e45e3acd09d17e0da62b1b1&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3DPowerToysUserSetup-0.84.1-x64.exe&response-content-type=application%2Foctet-stream HTTP/1.1Host: objects.githubusercontent.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com

Source: global traffic	DNS traffic detected: DNS query: github.com
Source: global traffic	DNS traffic detected: DNS query: objects.githubusercontent.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64573 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64573
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64572
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64569 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64572 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64569
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.6:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.6:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:64569 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.7.1.246:443 -> 192.168.2.6:64572 version: TLS 1.2

Source: d59d40bb-a548-4878-b5da-1c288ed7e94c.tmp.0.dr	Static PE information: No import functions for PE file found
Source: Unconfirmed 180121.crdownload.0.dr	Static PE information: No import functions for PE file found
Source: chromecache_103.2.dr	Static PE information: No import functions for PE file found

Source: d59d40bb-a548-4878-b5da-1c288ed7e94c.tmp.0.dr	Static PE information: Data appended to the last section found
Source: Unconfirmed 180121.crdownload.0.dr	Static PE information: Data appended to the last section found
Source: chromecache_103.2.dr	Static PE information: Data appended to the last section found

Source: classification engine

Classification label: clean4.win@21/4@6/6

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\Downloads\d59d40bb-a548-4878-b5da-1c288ed7e94c.tmp

Jump to behavior

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 --field-trial-handle=1928,i,12913085829763271358,17456350680023490058,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://github.com/microsoft/PowerToys/releases/download/v0.84.1/PowerToysUserSetup-0.84.1-x64.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 --field-trial-handle=1928,i,12913085829763271358,17456350680023490058,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: d59d40bb-a548-4878-b5da-1c288ed7e94c.tmp.0.dr	Static PE information: real checksum: 0x102ed491 should be: 0x7d3f
Source: Unconfirmed 180121.crdownload.0.dr	Static PE information: real checksum: 0x102ed491 should be: 0x55b4
Source: chromecache_103.2.dr	Static PE information: real checksum: 0x102ed491 should be: 0x55b4

Source: d59d40bb-a548-4878-b5da-1c288ed7e94c.tmp.0.dr	Static PE information: section name: .wixburn
Source: Unconfirmed 180121.crdownload.0.dr	Static PE information: section name: .wixburn
Source: chromecache_103.2.dr	Static PE information: section name: .wixburn

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: Chrome Cache Entry: 103	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\Downloads\d59d40bb-a548-4878-b5da-1c288ed7e94c.tmp	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\Downloads\Unconfirmed 180121.crdownload	Jump to dropped file

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: Chrome Cache Entry: 103
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: Chrome Cache Entry: 103			Jump to dropped file

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	11 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Name	IP	Active	Malicious	Reputation
github.com	140.82.121.4	true	false	unknown
www.google.com	172.217.18.4	true	false	unknown
objects.githubusercontent.com	185.199.109.133	true	false	unknown
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false	unknown
windowsupdatebg.s.llnwi.net	87.248.204.0	true	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://github.com/microsoft/PowerToys/releases/download/v0.84.1/PowerToysUserSetup-0.84.1-x64.exe	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
239.255.255.250	unknown	Reserved	unknown	unknown	false
185.199.109.133	objects.githubusercontent.com	Netherlands	54113	FASTLYUS	false
172.217.18.4	www.google.com	United States	15169	GOOGLEUS	false
140.82.121.4	github.com	United States	36459	GITHUBUS	false

Private

IP
192.168.2.11
192.168.2.6

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1521594
Start date and time:	2024-09-29 00:54:33 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	https://github.com/microsoft/PowerToys/releases/download/v0.84.1/PowerToysUserSetup-0.84.1-x64.exe
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean4.win@21/4@6/6
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0

Warnings

Exclude process from analysis (whitelisted): WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.186.35, 142.250.185.142, 66.102.1.84, 34.104.35.123, 4.175.87.197, 192.229.221.95, 13.95.31.18, 87.248.204.0, 40.69.42.241
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, clientservices.googleapis.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, clients2.google.com, edgedl.me.gvt1.com, ocsp.digicert.com, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, update.googleapis.com, clients.l.google.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: https://github.com/microsoft/PowerToys/releases/download/v0.84.1/PowerToysUserSetup-0.84.1-x64.exe

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	16054
Entropy (8bit):	6.337490289567847
Encrypted:	false
SSDEEP:	384:KUO5wDjQEYnb4U3OtOqZVGEaH1bi74F8nWBIbnC7G7LYUhi:R93QEYnbl3OK/qWBY709
MD5:	69221197FA11F82379DCB007592BDC44
SHA1:	DA118D7A31112F75A9BCCAE80B729FF7DF7AE4B8
SHA-256:	244389AC152F0BB1E95FD6B035F0401061A31613C0E8526A9B0FA0F9236622D4
SHA-512:	4123839BC98ACC92AF9AF4B32D9AFFED38D43636DA3F5A5AC688AE3EA40C4573859707D67E22D6285A83D2573ECD7894143B7D04EFAF5C2403527CF433B2838A
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........]aN.<...<...<...L...<...L..j<...T...<...T...<...T...<...L...<...L...<...L...<...<...=..PU...<..PU...<...<...<..PU...<..Rich.<..........................PE..L......e.....................J....................@..........................`............@..........................................................-.8(... ...>.....T...................4........F..@...................T........................text...>........................... ..`.rdata..&...........................@..@.data...<...........................@....wixburn8...........................@..@.rsrc...............................@..@.reloc...>... ...@..................@..B........................................................................................................................................................................................................................................

C:\Users\user\Downloads\d59d40bb-a548-4878-b5da-1c288ed7e94c.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	14676
Entropy (8bit):	6.321050268524622
Encrypted:	false
SSDEEP:	384:KUO5wDjQEYnb4U3OtOqZVGEaH1bi74F8nWBIbnC7T:R93QEYnbl3OK/qWBt
MD5:	B90EAED601271549CFBF0EEFF4DE28C3
SHA1:	133A4DEBB8967C17B723AE13FF7B6A87B70C44FA
SHA-256:	5A1FB9F5B1664DDE1AD437EC89B06AEB7D44A0A0F19D97CEB766478115B21486
SHA-512:	54B432DD16C67E349346E9BD8DA4FE89491295AF978AA15412008ADF6FFE1A5C56F5B65AFB4723892B524BE5C3C6405F6F9F763A731A7442B90F13EB189DBEFC
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........]aN.<...<...<...L...<...L..j<...T...<...T...<...T...<...L...<...L...<...L...<...<...=..PU...<..PU...<...<...<..PU...<..Rich.<..........................PE..L......e.....................J....................@..........................`............@..........................................................-.8(... ...>.....T...................4........F..@...................T........................text...>........................... ..`.rdata..&...........................@..@.data...<...........................@....wixburn8...........................@..@.rsrc...............................@..@.reloc...>... ...@..................@..B........................................................................................................................................................................................................................................

Chrome Cache Entry: 103

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	downloaded
Size (bytes):	16054
Entropy (8bit):	6.337490289567847
Encrypted:	false
SSDEEP:	384:KUO5wDjQEYnb4U3OtOqZVGEaH1bi74F8nWBIbnC7G7LYUhi:R93QEYnbl3OK/qWBY709
MD5:	69221197FA11F82379DCB007592BDC44
SHA1:	DA118D7A31112F75A9BCCAE80B729FF7DF7AE4B8
SHA-256:	244389AC152F0BB1E95FD6B035F0401061A31613C0E8526A9B0FA0F9236622D4
SHA-512:	4123839BC98ACC92AF9AF4B32D9AFFED38D43636DA3F5A5AC688AE3EA40C4573859707D67E22D6285A83D2573ECD7894143B7D04EFAF5C2403527CF433B2838A
Malicious:	false
Reputation:	low
URL:	https://objects.githubusercontent.com/github-production-release-asset-2e65be/184456251/3387acd8-f5b0-466a-b42c-efc4d40c0b47?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240928%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240928T225531Z&X-Amz-Expires=300&X-Amz-Signature=1f9c333d81f65fad8e4658cdb6a977d6ec1e14e59e45e3acd09d17e0da62b1b1&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3DPowerToysUserSetup-0.84.1-x64.exe&response-content-type=application%2Foctet-stream
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........]aN.<...<...<...L...<...L..j<...T...<...T...<...T...<...L...<...L...<...L...<...<...=..PU...<..PU...<...<...<..PU...<..Rich.<..........................PE..L......e.....................J....................@..........................`............@..........................................................-.8(... ...>.....T...................4........F..@...................T........................text...>........................... ..`.rdata..&...........................@..@.data...<...........................@....wixburn8...........................@..@.rsrc...............................@..@.reloc...>... ...@..................@..B........................................................................................................................................................................................................................................

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 29, 2024 00:55:22.707499027 CEST	49673	443	192.168.2.6	173.222.162.64
Sep 29, 2024 00:55:22.707499027 CEST	49674	443	192.168.2.6	173.222.162.64
Sep 29, 2024 00:55:23.035651922 CEST	49672	443	192.168.2.6	173.222.162.64
Sep 29, 2024 00:55:28.514655113 CEST	49710	443	192.168.2.6	40.115.3.253
Sep 29, 2024 00:55:28.514689922 CEST	443	49710	40.115.3.253	192.168.2.6
Sep 29, 2024 00:55:28.514745951 CEST	49710	443	192.168.2.6	40.115.3.253
Sep 29, 2024 00:55:28.516422987 CEST	49710	443	192.168.2.6	40.115.3.253
Sep 29, 2024 00:55:28.516438007 CEST	443	49710	40.115.3.253	192.168.2.6
Sep 29, 2024 00:55:29.310010910 CEST	443	49710	40.115.3.253	192.168.2.6
Sep 29, 2024 00:55:29.310086012 CEST	49710	443	192.168.2.6	40.115.3.253
Sep 29, 2024 00:55:29.323694944 CEST	49710	443	192.168.2.6	40.115.3.253
Sep 29, 2024 00:55:29.323718071 CEST	443	49710	40.115.3.253	192.168.2.6
Sep 29, 2024 00:55:29.324031115 CEST	443	49710	40.115.3.253	192.168.2.6
Sep 29, 2024 00:55:29.387559891 CEST	49710	443	192.168.2.6	40.115.3.253
Sep 29, 2024 00:55:29.387765884 CEST	49710	443	192.168.2.6	40.115.3.253
Sep 29, 2024 00:55:29.387773991 CEST	443	49710	40.115.3.253	192.168.2.6
Sep 29, 2024 00:55:29.388438940 CEST	49710	443	192.168.2.6	40.115.3.253
Sep 29, 2024 00:55:29.431406975 CEST	443	49710	40.115.3.253	192.168.2.6
Sep 29, 2024 00:55:29.563678026 CEST	443	49710	40.115.3.253	192.168.2.6
Sep 29, 2024 00:55:29.563755035 CEST	443	49710	40.115.3.253	192.168.2.6
Sep 29, 2024 00:55:29.563852072 CEST	49710	443	192.168.2.6	40.115.3.253
Sep 29, 2024 00:55:29.565884113 CEST	49710	443	192.168.2.6	40.115.3.253
Sep 29, 2024 00:55:29.565902948 CEST	443	49710	40.115.3.253	192.168.2.6
Sep 29, 2024 00:55:30.748631001 CEST	49716	443	192.168.2.6	140.82.121.4
Sep 29, 2024 00:55:30.748680115 CEST	443	49716	140.82.121.4	192.168.2.6
Sep 29, 2024 00:55:30.748734951 CEST	49716	443	192.168.2.6	140.82.121.4
Sep 29, 2024 00:55:30.749263048 CEST	49717	443	192.168.2.6	140.82.121.4
Sep 29, 2024 00:55:30.749309063 CEST	443	49717	140.82.121.4	192.168.2.6
Sep 29, 2024 00:55:30.749370098 CEST	49717	443	192.168.2.6	140.82.121.4
Sep 29, 2024 00:55:30.749665976 CEST	49716	443	192.168.2.6	140.82.121.4
Sep 29, 2024 00:55:30.749680042 CEST	443	49716	140.82.121.4	192.168.2.6
Sep 29, 2024 00:55:30.750323057 CEST	49717	443	192.168.2.6	140.82.121.4
Sep 29, 2024 00:55:30.750334978 CEST	443	49717	140.82.121.4	192.168.2.6
Sep 29, 2024 00:55:31.370954990 CEST	443	49717	140.82.121.4	192.168.2.6
Sep 29, 2024 00:55:31.375216961 CEST	49717	443	192.168.2.6	140.82.121.4
Sep 29, 2024 00:55:31.375231981 CEST	443	49717	140.82.121.4	192.168.2.6
Sep 29, 2024 00:55:31.375359058 CEST	443	49716	140.82.121.4	192.168.2.6
Sep 29, 2024 00:55:31.376313925 CEST	443	49717	140.82.121.4	192.168.2.6
Sep 29, 2024 00:55:31.376418114 CEST	49717	443	192.168.2.6	140.82.121.4
Sep 29, 2024 00:55:31.376753092 CEST	49716	443	192.168.2.6	140.82.121.4
Sep 29, 2024 00:55:31.376779079 CEST	443	49716	140.82.121.4	192.168.2.6
Sep 29, 2024 00:55:31.377887964 CEST	443	49716	140.82.121.4	192.168.2.6
Sep 29, 2024 00:55:31.377948046 CEST	49716	443	192.168.2.6	140.82.121.4
Sep 29, 2024 00:55:31.379601002 CEST	49717	443	192.168.2.6	140.82.121.4
Sep 29, 2024 00:55:31.379673004 CEST	443	49717	140.82.121.4	192.168.2.6
Sep 29, 2024 00:55:31.380768061 CEST	49717	443	192.168.2.6	140.82.121.4
Sep 29, 2024 00:55:31.380944014 CEST	49716	443	192.168.2.6	140.82.121.4
Sep 29, 2024 00:55:31.381285906 CEST	443	49716	140.82.121.4	192.168.2.6
Sep 29, 2024 00:55:31.427406073 CEST	443	49717	140.82.121.4	192.168.2.6
Sep 29, 2024 00:55:31.552201986 CEST	49716	443	192.168.2.6	140.82.121.4
Sep 29, 2024 00:55:31.552232027 CEST	443	49716	140.82.121.4	192.168.2.6
Sep 29, 2024 00:55:31.583570004 CEST	49717	443	192.168.2.6	140.82.121.4
Sep 29, 2024 00:55:31.583589077 CEST	443	49717	140.82.121.4	192.168.2.6
Sep 29, 2024 00:55:31.660669088 CEST	49716	443	192.168.2.6	140.82.121.4
Sep 29, 2024 00:55:31.684107065 CEST	49717	443	192.168.2.6	140.82.121.4
Sep 29, 2024 00:55:31.768582106 CEST	443	49717	140.82.121.4	192.168.2.6
Sep 29, 2024 00:55:31.768816948 CEST	443	49717	140.82.121.4	192.168.2.6
Sep 29, 2024 00:55:31.768857956 CEST	443	49717	140.82.121.4	192.168.2.6
Sep 29, 2024 00:55:31.768872976 CEST	49717	443	192.168.2.6	140.82.121.4
Sep 29, 2024 00:55:31.768920898 CEST	49717	443	192.168.2.6	140.82.121.4
Sep 29, 2024 00:55:31.769412994 CEST	49717	443	192.168.2.6	140.82.121.4
Sep 29, 2024 00:55:31.769439936 CEST	443	49717	140.82.121.4	192.168.2.6
Sep 29, 2024 00:55:31.842973948 CEST	49719	443	192.168.2.6	185.199.109.133
Sep 29, 2024 00:55:31.843013048 CEST	443	49719	185.199.109.133	192.168.2.6
Sep 29, 2024 00:55:31.843076944 CEST	49719	443	192.168.2.6	185.199.109.133
Sep 29, 2024 00:55:31.843297958 CEST	49719	443	192.168.2.6	185.199.109.133
Sep 29, 2024 00:55:31.843313932 CEST	443	49719	185.199.109.133	192.168.2.6
Sep 29, 2024 00:55:32.301430941 CEST	443	49719	185.199.109.133	192.168.2.6
Sep 29, 2024 00:55:32.303446054 CEST	49719	443	192.168.2.6	185.199.109.133
Sep 29, 2024 00:55:32.303474903 CEST	443	49719	185.199.109.133	192.168.2.6
Sep 29, 2024 00:55:32.304517984 CEST	443	49719	185.199.109.133	192.168.2.6
Sep 29, 2024 00:55:32.304585934 CEST	49719	443	192.168.2.6	185.199.109.133
Sep 29, 2024 00:55:32.308291912 CEST	49719	443	192.168.2.6	185.199.109.133
Sep 29, 2024 00:55:32.308362961 CEST	443	49719	185.199.109.133	192.168.2.6
Sep 29, 2024 00:55:32.308943987 CEST	49719	443	192.168.2.6	185.199.109.133
Sep 29, 2024 00:55:32.308954000 CEST	443	49719	185.199.109.133	192.168.2.6
Sep 29, 2024 00:55:32.314760923 CEST	49673	443	192.168.2.6	173.222.162.64
Sep 29, 2024 00:55:32.314867973 CEST	49674	443	192.168.2.6	173.222.162.64
Sep 29, 2024 00:55:32.362835884 CEST	49719	443	192.168.2.6	185.199.109.133
Sep 29, 2024 00:55:32.448105097 CEST	443	49719	185.199.109.133	192.168.2.6
Sep 29, 2024 00:55:32.448457956 CEST	443	49719	185.199.109.133	192.168.2.6
Sep 29, 2024 00:55:32.448518991 CEST	49719	443	192.168.2.6	185.199.109.133
Sep 29, 2024 00:55:32.448528051 CEST	443	49719	185.199.109.133	192.168.2.6
Sep 29, 2024 00:55:32.448553085 CEST	443	49719	185.199.109.133	192.168.2.6
Sep 29, 2024 00:55:32.448587894 CEST	443	49719	185.199.109.133	192.168.2.6
Sep 29, 2024 00:55:32.448599100 CEST	49719	443	192.168.2.6	185.199.109.133
Sep 29, 2024 00:55:32.448610067 CEST	443	49719	185.199.109.133	192.168.2.6
Sep 29, 2024 00:55:32.448662043 CEST	49719	443	192.168.2.6	185.199.109.133
Sep 29, 2024 00:55:32.448668957 CEST	443	49719	185.199.109.133	192.168.2.6
Sep 29, 2024 00:55:32.449287891 CEST	443	49719	185.199.109.133	192.168.2.6
Sep 29, 2024 00:55:32.449322939 CEST	443	49719	185.199.109.133	192.168.2.6
Sep 29, 2024 00:55:32.449337959 CEST	49719	443	192.168.2.6	185.199.109.133
Sep 29, 2024 00:55:32.449346066 CEST	443	49719	185.199.109.133	192.168.2.6
Sep 29, 2024 00:55:32.449376106 CEST	443	49719	185.199.109.133	192.168.2.6
Sep 29, 2024 00:55:32.449384928 CEST	49719	443	192.168.2.6	185.199.109.133
Sep 29, 2024 00:55:32.449393034 CEST	443	49719	185.199.109.133	192.168.2.6
Sep 29, 2024 00:55:32.449430943 CEST	49719	443	192.168.2.6	185.199.109.133
Sep 29, 2024 00:55:32.461983919 CEST	443	49719	185.199.109.133	192.168.2.6
Sep 29, 2024 00:55:32.506083012 CEST	49719	443	192.168.2.6	185.199.109.133
Sep 29, 2024 00:55:32.509335995 CEST	49719	443	192.168.2.6	185.199.109.133
Sep 29, 2024 00:55:32.509414911 CEST	443	49719	185.199.109.133	192.168.2.6
Sep 29, 2024 00:55:32.509588957 CEST	443	49719	185.199.109.133	192.168.2.6
Sep 29, 2024 00:55:32.509655952 CEST	49719	443	192.168.2.6	185.199.109.133
Sep 29, 2024 00:55:32.509673119 CEST	49719	443	192.168.2.6	185.199.109.133
Sep 29, 2024 00:55:32.646096945 CEST	49672	443	192.168.2.6	173.222.162.64
Sep 29, 2024 00:55:34.054249048 CEST	49721	443	192.168.2.6	172.217.18.4
Sep 29, 2024 00:55:34.054305077 CEST	443	49721	172.217.18.4	192.168.2.6
Sep 29, 2024 00:55:34.054361105 CEST	49721	443	192.168.2.6	172.217.18.4
Sep 29, 2024 00:55:34.056158066 CEST	49721	443	192.168.2.6	172.217.18.4
Sep 29, 2024 00:55:34.056178093 CEST	443	49721	172.217.18.4	192.168.2.6
Sep 29, 2024 00:55:34.298667908 CEST	443	49706	173.222.162.64	192.168.2.6
Sep 29, 2024 00:55:34.298763037 CEST	49706	443	192.168.2.6	173.222.162.64
Sep 29, 2024 00:55:34.827680111 CEST	443	49721	172.217.18.4	192.168.2.6
Sep 29, 2024 00:55:34.829215050 CEST	49722	443	192.168.2.6	184.28.90.27
Sep 29, 2024 00:55:34.829215050 CEST	49721	443	192.168.2.6	172.217.18.4
Sep 29, 2024 00:55:34.829272985 CEST	443	49722	184.28.90.27	192.168.2.6
Sep 29, 2024 00:55:34.829288006 CEST	443	49721	172.217.18.4	192.168.2.6
Sep 29, 2024 00:55:34.830271959 CEST	443	49721	172.217.18.4	192.168.2.6
Sep 29, 2024 00:55:34.830313921 CEST	49722	443	192.168.2.6	184.28.90.27
Sep 29, 2024 00:55:34.832195044 CEST	49721	443	192.168.2.6	172.217.18.4
Sep 29, 2024 00:55:34.832195044 CEST	49722	443	192.168.2.6	184.28.90.27
Sep 29, 2024 00:55:34.832211971 CEST	443	49722	184.28.90.27	192.168.2.6
Sep 29, 2024 00:55:34.833698988 CEST	49721	443	192.168.2.6	172.217.18.4
Sep 29, 2024 00:55:34.833774090 CEST	443	49721	172.217.18.4	192.168.2.6
Sep 29, 2024 00:55:34.877415895 CEST	49721	443	192.168.2.6	172.217.18.4
Sep 29, 2024 00:55:34.877429962 CEST	443	49721	172.217.18.4	192.168.2.6
Sep 29, 2024 00:55:34.929390907 CEST	49721	443	192.168.2.6	172.217.18.4
Sep 29, 2024 00:55:35.475608110 CEST	443	49722	184.28.90.27	192.168.2.6
Sep 29, 2024 00:55:35.475698948 CEST	49722	443	192.168.2.6	184.28.90.27
Sep 29, 2024 00:55:35.504817009 CEST	49722	443	192.168.2.6	184.28.90.27
Sep 29, 2024 00:55:35.504838943 CEST	443	49722	184.28.90.27	192.168.2.6
Sep 29, 2024 00:55:35.505146027 CEST	443	49722	184.28.90.27	192.168.2.6
Sep 29, 2024 00:55:35.549182892 CEST	49722	443	192.168.2.6	184.28.90.27
Sep 29, 2024 00:55:35.696041107 CEST	49722	443	192.168.2.6	184.28.90.27
Sep 29, 2024 00:55:35.743401051 CEST	443	49722	184.28.90.27	192.168.2.6
Sep 29, 2024 00:55:35.880496979 CEST	443	49722	184.28.90.27	192.168.2.6
Sep 29, 2024 00:55:35.880570889 CEST	443	49722	184.28.90.27	192.168.2.6
Sep 29, 2024 00:55:35.880630016 CEST	49722	443	192.168.2.6	184.28.90.27
Sep 29, 2024 00:55:35.881402016 CEST	49722	443	192.168.2.6	184.28.90.27
Sep 29, 2024 00:55:35.881428957 CEST	443	49722	184.28.90.27	192.168.2.6
Sep 29, 2024 00:55:35.881463051 CEST	49722	443	192.168.2.6	184.28.90.27
Sep 29, 2024 00:55:35.881469965 CEST	443	49722	184.28.90.27	192.168.2.6
Sep 29, 2024 00:55:35.945430040 CEST	49723	443	192.168.2.6	184.28.90.27
Sep 29, 2024 00:55:35.945483923 CEST	443	49723	184.28.90.27	192.168.2.6
Sep 29, 2024 00:55:35.945564032 CEST	49723	443	192.168.2.6	184.28.90.27
Sep 29, 2024 00:55:35.946213007 CEST	49723	443	192.168.2.6	184.28.90.27
Sep 29, 2024 00:55:35.946228027 CEST	443	49723	184.28.90.27	192.168.2.6
Sep 29, 2024 00:55:36.558190107 CEST	443	49716	140.82.121.4	192.168.2.6
Sep 29, 2024 00:55:36.558288097 CEST	443	49716	140.82.121.4	192.168.2.6
Sep 29, 2024 00:55:36.558332920 CEST	49716	443	192.168.2.6	140.82.121.4
Sep 29, 2024 00:55:36.607835054 CEST	443	49723	184.28.90.27	192.168.2.6
Sep 29, 2024 00:55:36.607922077 CEST	49723	443	192.168.2.6	184.28.90.27
Sep 29, 2024 00:55:36.609677076 CEST	49723	443	192.168.2.6	184.28.90.27
Sep 29, 2024 00:55:36.609694958 CEST	443	49723	184.28.90.27	192.168.2.6
Sep 29, 2024 00:55:36.609954119 CEST	443	49723	184.28.90.27	192.168.2.6
Sep 29, 2024 00:55:36.612554073 CEST	49723	443	192.168.2.6	184.28.90.27
Sep 29, 2024 00:55:36.659411907 CEST	443	49723	184.28.90.27	192.168.2.6
Sep 29, 2024 00:55:36.888097048 CEST	443	49723	184.28.90.27	192.168.2.6
Sep 29, 2024 00:55:36.888185024 CEST	443	49723	184.28.90.27	192.168.2.6
Sep 29, 2024 00:55:36.889098883 CEST	49723	443	192.168.2.6	184.28.90.27
Sep 29, 2024 00:55:36.889177084 CEST	49723	443	192.168.2.6	184.28.90.27
Sep 29, 2024 00:55:36.889202118 CEST	443	49723	184.28.90.27	192.168.2.6
Sep 29, 2024 00:55:36.889230967 CEST	49723	443	192.168.2.6	184.28.90.27
Sep 29, 2024 00:55:36.889238119 CEST	443	49723	184.28.90.27	192.168.2.6
Sep 29, 2024 00:55:37.500273943 CEST	49724	443	192.168.2.6	40.115.3.253
Sep 29, 2024 00:55:37.500332117 CEST	443	49724	40.115.3.253	192.168.2.6
Sep 29, 2024 00:55:37.500382900 CEST	49724	443	192.168.2.6	40.115.3.253
Sep 29, 2024 00:55:37.501566887 CEST	49724	443	192.168.2.6	40.115.3.253
Sep 29, 2024 00:55:37.501579046 CEST	443	49724	40.115.3.253	192.168.2.6
Sep 29, 2024 00:55:37.552599907 CEST	49716	443	192.168.2.6	140.82.121.4
Sep 29, 2024 00:55:37.552637100 CEST	443	49716	140.82.121.4	192.168.2.6
Sep 29, 2024 00:55:38.290118933 CEST	443	49724	40.115.3.253	192.168.2.6
Sep 29, 2024 00:55:38.290199041 CEST	49724	443	192.168.2.6	40.115.3.253
Sep 29, 2024 00:55:38.293148041 CEST	49724	443	192.168.2.6	40.115.3.253
Sep 29, 2024 00:55:38.293167114 CEST	443	49724	40.115.3.253	192.168.2.6
Sep 29, 2024 00:55:38.293529034 CEST	443	49724	40.115.3.253	192.168.2.6
Sep 29, 2024 00:55:38.295747995 CEST	49724	443	192.168.2.6	40.115.3.253
Sep 29, 2024 00:55:38.295747995 CEST	49724	443	192.168.2.6	40.115.3.253
Sep 29, 2024 00:55:38.295777082 CEST	443	49724	40.115.3.253	192.168.2.6
Sep 29, 2024 00:55:38.295902014 CEST	49724	443	192.168.2.6	40.115.3.253
Sep 29, 2024 00:55:38.343398094 CEST	443	49724	40.115.3.253	192.168.2.6
Sep 29, 2024 00:55:38.467945099 CEST	443	49724	40.115.3.253	192.168.2.6
Sep 29, 2024 00:55:38.468027115 CEST	443	49724	40.115.3.253	192.168.2.6
Sep 29, 2024 00:55:38.468739033 CEST	49724	443	192.168.2.6	40.115.3.253
Sep 29, 2024 00:55:38.469310045 CEST	49724	443	192.168.2.6	40.115.3.253
Sep 29, 2024 00:55:38.469310045 CEST	49724	443	192.168.2.6	40.115.3.253
Sep 29, 2024 00:55:38.469331026 CEST	443	49724	40.115.3.253	192.168.2.6
Sep 29, 2024 00:55:44.638890982 CEST	443	49721	172.217.18.4	192.168.2.6
Sep 29, 2024 00:55:44.638962030 CEST	443	49721	172.217.18.4	192.168.2.6
Sep 29, 2024 00:55:44.639025927 CEST	49721	443	192.168.2.6	172.217.18.4
Sep 29, 2024 00:55:46.087577105 CEST	49721	443	192.168.2.6	172.217.18.4
Sep 29, 2024 00:55:46.087611914 CEST	443	49721	172.217.18.4	192.168.2.6
Sep 29, 2024 00:55:52.594362974 CEST	49728	443	192.168.2.6	40.115.3.253
Sep 29, 2024 00:55:52.594409943 CEST	443	49728	40.115.3.253	192.168.2.6
Sep 29, 2024 00:55:52.594522953 CEST	49728	443	192.168.2.6	40.115.3.253
Sep 29, 2024 00:55:52.595868111 CEST	49728	443	192.168.2.6	40.115.3.253
Sep 29, 2024 00:55:52.595884085 CEST	443	49728	40.115.3.253	192.168.2.6
Sep 29, 2024 00:55:53.150675058 CEST	64567	53	192.168.2.6	1.1.1.1
Sep 29, 2024 00:55:53.155548096 CEST	53	64567	1.1.1.1	192.168.2.6
Sep 29, 2024 00:55:53.155637980 CEST	64567	53	192.168.2.6	1.1.1.1
Sep 29, 2024 00:55:53.155703068 CEST	64567	53	192.168.2.6	1.1.1.1
Sep 29, 2024 00:55:53.160507917 CEST	53	64567	1.1.1.1	192.168.2.6
Sep 29, 2024 00:55:53.410676956 CEST	443	49728	40.115.3.253	192.168.2.6
Sep 29, 2024 00:55:53.410810947 CEST	49728	443	192.168.2.6	40.115.3.253
Sep 29, 2024 00:55:53.422523975 CEST	49728	443	192.168.2.6	40.115.3.253
Sep 29, 2024 00:55:53.422544956 CEST	443	49728	40.115.3.253	192.168.2.6
Sep 29, 2024 00:55:53.422868013 CEST	443	49728	40.115.3.253	192.168.2.6
Sep 29, 2024 00:55:53.427107096 CEST	49728	443	192.168.2.6	40.115.3.253
Sep 29, 2024 00:55:53.427597046 CEST	49728	443	192.168.2.6	40.115.3.253
Sep 29, 2024 00:55:53.427602053 CEST	443	49728	40.115.3.253	192.168.2.6
Sep 29, 2024 00:55:53.428009987 CEST	49728	443	192.168.2.6	40.115.3.253
Sep 29, 2024 00:55:53.471409082 CEST	443	49728	40.115.3.253	192.168.2.6
Sep 29, 2024 00:55:53.600114107 CEST	53	64567	1.1.1.1	192.168.2.6
Sep 29, 2024 00:55:53.601355076 CEST	64567	53	192.168.2.6	1.1.1.1
Sep 29, 2024 00:55:53.603137016 CEST	443	49728	40.115.3.253	192.168.2.6
Sep 29, 2024 00:55:53.603338003 CEST	443	49728	40.115.3.253	192.168.2.6
Sep 29, 2024 00:55:53.603398085 CEST	49728	443	192.168.2.6	40.115.3.253
Sep 29, 2024 00:55:53.603874922 CEST	49728	443	192.168.2.6	40.115.3.253
Sep 29, 2024 00:55:53.603897095 CEST	443	49728	40.115.3.253	192.168.2.6
Sep 29, 2024 00:55:53.609131098 CEST	53	64567	1.1.1.1	192.168.2.6
Sep 29, 2024 00:55:53.609215975 CEST	64567	53	192.168.2.6	1.1.1.1
Sep 29, 2024 00:56:09.052690983 CEST	64569	443	192.168.2.6	40.115.3.253
Sep 29, 2024 00:56:09.052721977 CEST	443	64569	40.115.3.253	192.168.2.6
Sep 29, 2024 00:56:09.052834988 CEST	64569	443	192.168.2.6	40.115.3.253
Sep 29, 2024 00:56:09.056476116 CEST	64569	443	192.168.2.6	40.115.3.253
Sep 29, 2024 00:56:09.056493044 CEST	443	64569	40.115.3.253	192.168.2.6
Sep 29, 2024 00:56:09.849014044 CEST	443	64569	40.115.3.253	192.168.2.6
Sep 29, 2024 00:56:09.849123955 CEST	64569	443	192.168.2.6	40.115.3.253
Sep 29, 2024 00:56:09.859513998 CEST	64569	443	192.168.2.6	40.115.3.253
Sep 29, 2024 00:56:09.859543085 CEST	443	64569	40.115.3.253	192.168.2.6
Sep 29, 2024 00:56:09.859949112 CEST	443	64569	40.115.3.253	192.168.2.6
Sep 29, 2024 00:56:09.870338917 CEST	64569	443	192.168.2.6	40.115.3.253
Sep 29, 2024 00:56:09.870395899 CEST	64569	443	192.168.2.6	40.115.3.253
Sep 29, 2024 00:56:09.870409012 CEST	443	64569	40.115.3.253	192.168.2.6
Sep 29, 2024 00:56:09.870529890 CEST	64569	443	192.168.2.6	40.115.3.253
Sep 29, 2024 00:56:09.911400080 CEST	443	64569	40.115.3.253	192.168.2.6
Sep 29, 2024 00:56:10.118140936 CEST	443	64569	40.115.3.253	192.168.2.6
Sep 29, 2024 00:56:10.118251085 CEST	443	64569	40.115.3.253	192.168.2.6
Sep 29, 2024 00:56:10.118334055 CEST	64569	443	192.168.2.6	40.115.3.253
Sep 29, 2024 00:56:10.118762970 CEST	64569	443	192.168.2.6	40.115.3.253
Sep 29, 2024 00:56:10.118781090 CEST	443	64569	40.115.3.253	192.168.2.6
Sep 29, 2024 00:56:33.467106104 CEST	64572	443	192.168.2.6	20.7.1.246
Sep 29, 2024 00:56:33.467158079 CEST	443	64572	20.7.1.246	192.168.2.6
Sep 29, 2024 00:56:33.467228889 CEST	64572	443	192.168.2.6	20.7.1.246
Sep 29, 2024 00:56:33.468333006 CEST	64572	443	192.168.2.6	20.7.1.246
Sep 29, 2024 00:56:33.468358040 CEST	443	64572	20.7.1.246	192.168.2.6
Sep 29, 2024 00:56:33.992208958 CEST	64573	443	192.168.2.6	172.217.18.4
Sep 29, 2024 00:56:33.992254972 CEST	443	64573	172.217.18.4	192.168.2.6
Sep 29, 2024 00:56:33.992641926 CEST	64573	443	192.168.2.6	172.217.18.4
Sep 29, 2024 00:56:33.992641926 CEST	64573	443	192.168.2.6	172.217.18.4
Sep 29, 2024 00:56:33.992674112 CEST	443	64573	172.217.18.4	192.168.2.6
Sep 29, 2024 00:56:34.054815054 CEST	443	64572	20.7.1.246	192.168.2.6
Sep 29, 2024 00:56:34.055394888 CEST	64572	443	192.168.2.6	20.7.1.246
Sep 29, 2024 00:56:34.059855938 CEST	64572	443	192.168.2.6	20.7.1.246
Sep 29, 2024 00:56:34.059880972 CEST	443	64572	20.7.1.246	192.168.2.6
Sep 29, 2024 00:56:34.060134888 CEST	443	64572	20.7.1.246	192.168.2.6
Sep 29, 2024 00:56:34.062491894 CEST	64572	443	192.168.2.6	20.7.1.246
Sep 29, 2024 00:56:34.062491894 CEST	64572	443	192.168.2.6	20.7.1.246
Sep 29, 2024 00:56:34.062517881 CEST	443	64572	20.7.1.246	192.168.2.6
Sep 29, 2024 00:56:34.062774897 CEST	64572	443	192.168.2.6	20.7.1.246
Sep 29, 2024 00:56:34.103404999 CEST	443	64572	20.7.1.246	192.168.2.6
Sep 29, 2024 00:56:34.165930986 CEST	443	64572	20.7.1.246	192.168.2.6
Sep 29, 2024 00:56:34.166023970 CEST	443	64572	20.7.1.246	192.168.2.6
Sep 29, 2024 00:56:34.166966915 CEST	64572	443	192.168.2.6	20.7.1.246
Sep 29, 2024 00:56:34.167004108 CEST	443	64572	20.7.1.246	192.168.2.6
Sep 29, 2024 00:56:34.167032003 CEST	64572	443	192.168.2.6	20.7.1.246
Sep 29, 2024 00:56:34.167040110 CEST	443	64572	20.7.1.246	192.168.2.6
Sep 29, 2024 00:56:34.167059898 CEST	64572	443	192.168.2.6	20.7.1.246
Sep 29, 2024 00:56:34.762851954 CEST	443	64573	172.217.18.4	192.168.2.6
Sep 29, 2024 00:56:34.763202906 CEST	64573	443	192.168.2.6	172.217.18.4
Sep 29, 2024 00:56:34.763226986 CEST	443	64573	172.217.18.4	192.168.2.6
Sep 29, 2024 00:56:34.763556957 CEST	443	64573	172.217.18.4	192.168.2.6
Sep 29, 2024 00:56:34.764242887 CEST	64573	443	192.168.2.6	172.217.18.4
Sep 29, 2024 00:56:34.764307022 CEST	443	64573	172.217.18.4	192.168.2.6
Sep 29, 2024 00:56:34.810672045 CEST	64573	443	192.168.2.6	172.217.18.4
Sep 29, 2024 00:56:44.582185030 CEST	443	64573	172.217.18.4	192.168.2.6
Sep 29, 2024 00:56:44.582261086 CEST	443	64573	172.217.18.4	192.168.2.6
Sep 29, 2024 00:56:44.582405090 CEST	64573	443	192.168.2.6	172.217.18.4
Sep 29, 2024 00:56:45.553438902 CEST	64573	443	192.168.2.6	172.217.18.4
Sep 29, 2024 00:56:45.553481102 CEST	443	64573	172.217.18.4	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 29, 2024 00:55:29.670397997 CEST	53	52773	1.1.1.1	192.168.2.6
Sep 29, 2024 00:55:29.677839041 CEST	53	52759	1.1.1.1	192.168.2.6
Sep 29, 2024 00:55:30.739619970 CEST	63653	53	192.168.2.6	1.1.1.1
Sep 29, 2024 00:55:30.739775896 CEST	60357	53	192.168.2.6	1.1.1.1
Sep 29, 2024 00:55:30.746416092 CEST	53	63653	1.1.1.1	192.168.2.6
Sep 29, 2024 00:55:30.746756077 CEST	53	60357	1.1.1.1	192.168.2.6
Sep 29, 2024 00:55:30.826034069 CEST	53	51645	1.1.1.1	192.168.2.6
Sep 29, 2024 00:55:31.835012913 CEST	53487	53	192.168.2.6	1.1.1.1
Sep 29, 2024 00:55:31.835380077 CEST	53693	53	192.168.2.6	1.1.1.1
Sep 29, 2024 00:55:31.841656923 CEST	53	53487	1.1.1.1	192.168.2.6
Sep 29, 2024 00:55:31.842485905 CEST	53	53693	1.1.1.1	192.168.2.6
Sep 29, 2024 00:55:33.945873976 CEST	60454	53	192.168.2.6	1.1.1.1
Sep 29, 2024 00:55:33.946249962 CEST	57602	53	192.168.2.6	1.1.1.1
Sep 29, 2024 00:55:33.952398062 CEST	53	60454	1.1.1.1	192.168.2.6
Sep 29, 2024 00:55:33.952780962 CEST	53	57602	1.1.1.1	192.168.2.6
Sep 29, 2024 00:55:48.459090948 CEST	53	51113	1.1.1.1	192.168.2.6
Sep 29, 2024 00:55:53.150118113 CEST	53	59667	1.1.1.1	192.168.2.6
Sep 29, 2024 00:56:28.912039042 CEST	53	51692	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 29, 2024 00:55:30.739619970 CEST	192.168.2.6	1.1.1.1	0xf286	Standard query (0)	github.com	A (IP address)	IN (0x0001)	false
Sep 29, 2024 00:55:30.739775896 CEST	192.168.2.6	1.1.1.1	0xe225	Standard query (0)	github.com	65	IN (0x0001)	false
Sep 29, 2024 00:55:31.835012913 CEST	192.168.2.6	1.1.1.1	0x9c9	Standard query (0)	objects.githubusercontent.com	A (IP address)	IN (0x0001)	false
Sep 29, 2024 00:55:31.835380077 CEST	192.168.2.6	1.1.1.1	0xf8a4	Standard query (0)	objects.githubusercontent.com	65	IN (0x0001)	false
Sep 29, 2024 00:55:33.945873976 CEST	192.168.2.6	1.1.1.1	0x4bca	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Sep 29, 2024 00:55:33.946249962 CEST	192.168.2.6	1.1.1.1	0x7d38	Standard query (0)	www.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 29, 2024 00:55:30.746416092 CEST	1.1.1.1	192.168.2.6	0xf286	No error (0)	github.com		140.82.121.4	A (IP address)	IN (0x0001)	false
Sep 29, 2024 00:55:31.841656923 CEST	1.1.1.1	192.168.2.6	0x9c9	No error (0)	objects.githubusercontent.com		185.199.109.133	A (IP address)	IN (0x0001)	false
Sep 29, 2024 00:55:31.841656923 CEST	1.1.1.1	192.168.2.6	0x9c9	No error (0)	objects.githubusercontent.com		185.199.110.133	A (IP address)	IN (0x0001)	false
Sep 29, 2024 00:55:31.841656923 CEST	1.1.1.1	192.168.2.6	0x9c9	No error (0)	objects.githubusercontent.com		185.199.111.133	A (IP address)	IN (0x0001)	false
Sep 29, 2024 00:55:31.841656923 CEST	1.1.1.1	192.168.2.6	0x9c9	No error (0)	objects.githubusercontent.com		185.199.108.133	A (IP address)	IN (0x0001)	false
Sep 29, 2024 00:55:33.952398062 CEST	1.1.1.1	192.168.2.6	0x4bca	No error (0)	www.google.com		172.217.18.4	A (IP address)	IN (0x0001)	false
Sep 29, 2024 00:55:33.952780962 CEST	1.1.1.1	192.168.2.6	0x7d38	No error (0)	www.google.com			65	IN (0x0001)	false
Sep 29, 2024 00:55:44.306163073 CEST	1.1.1.1	192.168.2.6	0x95f9	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Sep 29, 2024 00:55:44.306163073 CEST	1.1.1.1	192.168.2.6	0x95f9	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Sep 29, 2024 00:55:45.651405096 CEST	1.1.1.1	192.168.2.6	0x90c2	No error (0)	windowsupdatebg.s.llnwi.net		87.248.204.0	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

github.com

objects.githubusercontent.com

fs.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.2.6	49710	40.115.3.253	443

Timestamp	Bytes transferred	Direction	Data
2024-09-28 22:55:29 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 4f 6b 4e 65 41 71 6a 69 65 30 32 6d 38 56 71 6a 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 34 31 38 62 61 38 31 32 33 39 32 33 66 63 66 63 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: OkNeAqjie02m8Vqj.1Context: 418ba8123923fcfc
2024-09-28 22:55:29 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-09-28 22:55:29 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 4f 6b 4e 65 41 71 6a 69 65 30 32 6d 38 56 71 6a 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 34 31 38 62 61 38 31 32 33 39 32 33 66 63 66 63 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 57 75 6a 54 55 75 2b 58 42 70 70 30 76 50 4d 4f 64 6e 50 36 48 75 70 46 71 66 42 55 35 36 35 64 6a 2f 64 46 63 38 67 4e 50 67 48 6d 66 4f 6b 4f 6e 45 7a 79 54 55 53 67 67 2f 32 63 44 6c 64 35 2b 72 64 61 6a 6d 6c 4f 6a 35 44 7a 4d 4f 6b 6f 44 47 43 66 78 44 4e 71 7a 76 51 71 33 4a 30 72 44 59 65 63 77 71 44 48 6b 6f 67 55 4c Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: OkNeAqjie02m8Vqj.2Context: 418ba8123923fcfc<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAWujTUu+XBpp0vPMOdnP6HupFqfBU565dj/dFc8gNPgHmfOkOnEzyTUSgg/2cDld5+rdajmlOj5DzMOkoDGCfxDNqzvQq3J0rDYecwqDHkogUL
2024-09-28 22:55:29 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 4f 6b 4e 65 41 71 6a 69 65 30 32 6d 38 56 71 6a 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 34 31 38 62 61 38 31 32 33 39 32 33 66 63 66 63 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: OkNeAqjie02m8Vqj.3Context: 418ba8123923fcfc<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2024-09-28 22:55:29 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-09-28 22:55:29 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 6c 71 56 4f 31 56 47 64 67 6b 69 6c 2b 54 44 68 75 4b 67 30 4d 77 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: lqVO1VGdgkil+TDhuKg0Mw.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49717	140.82.121.4	443	6220	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-28 22:55:31 UTC	732	OUT	GET /microsoft/PowerToys/releases/download/v0.84.1/PowerToysUserSetup-0.84.1-x64.exe HTTP/1.1 Host: github.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-09-28 22:55:31 UTC	980	IN	HTTP/1.1 302 Found Server: GitHub.com Date: Sat, 28 Sep 2024 22:55:31 GMT Content-Type: text/html; charset=utf-8 Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/184456251/3387acd8-f5b0-466a-b42c-efc4d40c0b47?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240928%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240928T225531Z&X-Amz-Expires=300&X-Amz-Signature=1f9c333d81f65fad8e4658cdb6a977d6ec1e14e59e45e3acd09d17e0da62b1b1&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3DPowerToysUserSetup-0.84.1-x64.exe&response-content-type=application%2Foctet-stream Cache-Control: no-cache Strict-Transport-Security: max-age=31536000; includeSubdomains; preload X-Frame-Options: deny X-Content-Type-Options: nosniff X-XSS-Protection: 0 Referrer-Policy: no-referrer-when-downgrade
2024-09-28 22:55:31 UTC	3382	IN	Data Raw: 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 3a 20 64 65 66 61 75 6c 74 2d 73 72 63 20 27 6e 6f 6e 65 27 3b 20 62 61 73 65 2d 75 72 69 20 27 73 65 6c 66 27 3b 20 63 68 69 6c 64 2d 73 72 63 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 20 67 69 74 68 75 62 2e 63 6f 6d 2f 77 65 62 70 61 63 6b 2f 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 20 67 69 73 74 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 3b 20 63 6f 6e 6e 65 63 74 2d 73 72 63 20 27 73 65 6c 66 27 20 75 70 6c 6f 61 64 73 2e 67 69 74 68 75 62 2e 63 6f 6d 20 77 77 77 2e 67 69 74 68 75 62 73 74 61 74 75 73 2e 63 6f 6d 20 63 6f 6c 6c 65 63 74 6f 72 2e 67 69 74 68 75 62 2e 63 6f Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.co

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49719	185.199.109.133	443	6220	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-28 22:55:32 UTC	1164	OUT	GET /github-production-release-asset-2e65be/184456251/3387acd8-f5b0-466a-b42c-efc4d40c0b47?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240928%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240928T225531Z&X-Amz-Expires=300&X-Amz-Signature=1f9c333d81f65fad8e4658cdb6a977d6ec1e14e59e45e3acd09d17e0da62b1b1&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3DPowerToysUserSetup-0.84.1-x64.exe&response-content-type=application%2Foctet-stream HTTP/1.1 Host: objects.githubusercontent.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-09-28 22:55:32 UTC	820	IN	HTTP/1.1 200 OK Connection: close Content-Length: 271460032 Content-Type: application/octet-stream Last-Modified: Mon, 09 Sep 2024 08:37:23 GMT ETag: "0x8DCD0AAA05FF1C9" Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0 x-ms-request-id: d261d77c-101e-0009-5794-02a486000000 x-ms-version: 2020-10-02 x-ms-creation-time: Mon, 09 Sep 2024 08:37:23 GMT x-ms-lease-status: unlocked x-ms-lease-state: available x-ms-blob-type: BlockBlob Content-Disposition: attachment; filename=PowerToysUserSetup-0.84.1-x64.exe x-ms-server-encrypted: true Via: 1.1 varnish, 1.1 varnish Fastly-Restarts: 1 Accept-Ranges: bytes Date: Sat, 28 Sep 2024 22:55:32 GMT Age: 3087 X-Served-By: cache-iad-kcgs7200156-IAD, cache-ewr-kewr1740061-EWR X-Cache: HIT, HIT X-Cache-Hits: 47, 1 X-Timer: S1727564132.364185,VS0,VE1
2024-09-28 22:55:32 UTC	1378	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 bf 5d 61 4e fb 3c 0f 1d fb 3c 0f 1d fb 3c 0f 1d 1f 4c 0c 1c f1 3c 0f 1d 1f 4c 0a 1c 6a 3c 0f 1d a9 54 0b 1c e8 3c 0f 1d a9 54 0c 1c e8 3c 0f 1d a9 54 0a 1c d7 3c 0f 1d 1f 4c 0b 1c ec 3c 0f 1d 1f 4c 09 1c f9 3c 0f 1d 1f 4c 0e 1c ea 3c 0f 1d fb 3c 0e 1d b5 3d 0f 1d 50 55 0a 1c b0 3c 0f 1d 50 55 f0 1d fa 3c 0f 1d fb 3c 98 1d f9 3c 0f 1d 50 55 0d 1c fa 3c 0f 1d 52 69 63 68 fb 3c 0f Data Ascii: MZ@!L!This program cannot be run in DOS mode.$]aN<<<L<Lj<T<T<T<L<L<L<<=PU<PU<<<PU<Rich<
2024-09-28 22:55:32 UTC	1378	IN	Data Raw: 00 80 ff 75 d4 ff 15 ec e0 44 00 8b f8 56 e8 74 5c 00 00 85 c0 74 07 e8 05 04 00 00 eb 0b 6a 09 8d 45 d8 50 e8 73 03 00 00 ff 75 d4 e8 dd fe ff ff 8d 45 d0 50 ff 75 14 56 57 53 e8 b9 5c 00 00 8b f0 83 ff ff 74 07 57 ff 15 f0 e0 44 00 83 7d d4 00 74 08 ff 75 d4 e8 78 1f 00 00 85 f6 78 03 8b 75 d0 8b 4d fc 8b c6 5f 5e 33 cd 5b e8 bf ee 02 00 c9 c2 10 00 55 8b ec 51 56 8b 75 0c 8d 45 fc 57 8b 7d 08 68 ff ff ff 7f 50 56 57 e8 5c 01 00 00 85 c0 78 27 81 7d 14 fe ff ff 7f 76 07 b8 57 00 07 80 eb 17 ff 75 14 8b 45 fc 2b f0 ff 75 10 6a 00 56 8d 04 47 50 e8 85 00 00 00 5f 5e c9 c2 10 00 55 8b ec 51 56 8b 75 0c 8d 45 fc 57 8b 7d 08 68 ff ff ff 7f 50 56 57 e8 0f 01 00 00 85 c0 78 19 8b 45 fc 2b f0 68 fe ff ff 7f ff 75 10 6a 00 56 8d 04 47 50 e8 46 00 00 00 5f 5e c9 Data Ascii: uDVt\tjEPsuEPuVWS\tWD}tuxxuM_^3[UQVuEW}hPVW\x'}vWuE+ujVGP_^UQVuEW}hPVWxE+hujVGPF_^
2024-09-28 22:55:32 UTC	1378	IN	Data Raw: 28 56 ff 15 4c e1 44 00 85 c0 74 1a 8d 45 fc 47 50 56 e8 78 38 00 00 85 c0 78 0b 8b 45 fc 8b f0 85 c0 75 d8 eb 03 8b 45 fc 85 c0 74 06 50 e8 3f 1a 00 00 8b c7 5f 5e 5b c9 c2 08 00 55 8b ec 81 ec 74 06 00 00 a1 08 e0 46 00 33 c5 89 45 fc 8b 45 0c 83 8d 94 f9 ff ff ff 83 e0 01 53 8b 5d 08 56 57 bf 08 02 00 00 89 85 8c f9 ff ff 33 f6 89 9d 90 f9 ff ff 21 b5 98 f9 ff ff 8d 85 ec fb ff ff 57 56 50 e8 73 f7 02 00 57 8d 85 f4 fd ff ff 56 50 e8 65 f7 02 00 83 c4 18 53 ff 15 44 e1 44 00 8b 3d 04 e1 44 00 8b d8 83 fb ff 75 32 ff d7 8b f0 83 fe 02 75 03 6a 03 5e 85 f6 7e 0b 0f b7 f6 81 ce 00 00 07 80 85 f6 79 15 56 68 c8 00 00 00 68 f8 e5 44 00 e8 14 fc ff ff e9 5c 03 00 00 f6 c3 10 0f 84 3c 03 00 00 f6 c3 01 74 37 68 80 00 00 00 ff b5 90 f9 ff ff ff 15 50 e1 44 00 Data Ascii: (VLDtEGPVx8xEuEtP?_^[UtF3EES]VW3!WVPsWVPeSDD=Du2uj^~yVhhD\<t7hPD
2024-09-28 22:55:32 UTC	1378	IN	Data Raw: 5e 5d c2 08 00 55 8b ec 51 53 56 33 db 57 8b 7d 08 8b c3 89 45 fc 8b f3 85 ff 74 22 39 07 74 1e 8d 45 fc 50 ff 37 e8 ca 15 00 00 8b f0 85 f6 0f 88 8a 00 00 00 8b 45 fc 85 c0 74 02 8b 1f 53 50 ff 15 2c e1 44 00 8b d8 85 db 75 26 ff 15 04 e1 44 00 8b f0 85 f6 7e 0b 0f b7 f6 81 ce 00 00 07 80 85 f6 78 05 be 05 40 00 80 56 68 87 01 00 00 eb 43 39 5d fc 73 48 53 57 e8 10 0d 00 00 8b f0 85 f6 78 3b ff 37 53 ff 15 2c e1 44 00 85 c0 75 2e ff 15 04 e1 44 00 8b f0 85 f6 7e 0b 0f b7 f6 81 ce 00 00 07 80 85 f6 78 05 be 05 40 00 80 56 68 90 01 00 00 68 f8 e5 44 00 e8 ce f6 ff ff 5f 8b c6 5e 5b c9 c2 04 00 55 8b ec 51 53 56 57 8b 7d 08 33 db 33 f6 89 5d fc 39 1f 74 31 ff 37 e8 5f 36 00 00 8b f0 83 fe ff 75 0a b8 57 00 07 80 e9 84 00 00 00 8d 45 fc d1 ee 50 68 ff ff ff Data Ascii: ^]UQSV3W}Et"9tEP7EtSP,Du&D~x@VhC9]sHSWx;7S,Du.D~x@VhhD_^[UQSVW}33]9t17_6uWEPh
2024-09-28 22:55:32 UTC	1378	IN	Data Raw: ff 50 0f b6 c1 50 8d 42 01 50 e8 29 ed 02 00 83 c4 0c eb 35 8b 45 08 8b 55 f8 8b 4d 20 f7 c1 00 1c 00 00 74 18 85 ff 74 14 51 8d 4d f4 51 8d 4d fc 51 52 57 50 e8 fe 05 00 00 8b 5d f4 85 f6 79 08 81 fe 7a 00 07 80 75 15 8b 55 fc 8b 45 18 85 c0 74 02 89 10 8b 45 1c 85 c0 74 02 89 18 5b 5f 8b c6 5e c9 c2 1c 00 55 8b ec 83 ec 10 8b 45 20 56 25 00 01 00 00 57 8b 7d 0c 89 45 f0 74 3c 8b 4d 08 33 c0 8b f0 85 c9 75 04 85 ff 75 08 81 ff ff ff ff 7f 76 05 be 57 00 07 80 85 f6 78 18 85 ff 74 14 8d 45 f8 50 57 51 e8 0b 07 00 00 8b 55 f8 8b f0 33 c0 eb 29 8b d0 eb 28 33 c0 8b f0 85 ff 74 08 81 ff ff ff ff 7f 76 05 be 57 00 07 80 85 f6 78 0a 8d 45 f8 50 57 ff 75 08 eb cb 8b d0 8b 4d 08 89 55 f8 85 f6 0f 88 1d 01 00 00 53 8d 1c 51 89 5d fc 8b df 2b da 81 7d 14 ff ff ff Data Ascii: PPBP)5EUM ttQMQMQRWP]yzuUEtEt[_^UE V%W}Et<M3uuvWxtEPWQU3)(3tvWxEPWuMUSQ]+}
2024-09-28 22:55:32 UTC	1378	IN	Data Raw: 02 00 00 eb 05 b8 57 00 07 80 85 c0 79 07 85 f6 74 03 83 26 00 5e 5d c2 0c 00 55 8b ec 8b 45 0c 56 33 f6 85 c0 74 07 3d ff ff ff 7f 76 05 be 57 00 07 80 85 f6 78 36 53 8b 5d 08 33 f6 57 ff 75 14 8d 78 ff 56 ff 75 10 57 53 e8 31 0e 00 00 83 c4 14 85 c0 78 08 3b c7 77 04 75 0d eb 05 be 7a 00 07 80 33 c0 66 89 04 7b 5f 5b eb 0c 85 c0 74 08 8b 4d 08 33 c0 66 89 01 8b c6 5e 5d c2 10 00 55 8b ec 8b 45 0c 33 d2 8b 4d 08 85 c0 74 27 53 56 8b 75 14 57 8b 7d 18 2b f1 85 ff 74 11 8a 1c 0e 84 db 74 0a 88 19 41 4f 42 83 e8 01 75 eb 5f 5e 5b 85 c0 75 02 49 4a f7 d8 c6 01 00 8b 4d 10 1b c0 25 86 ff f8 7f 05 7a 00 07 80 85 c9 74 02 89 11 5d c2 14 00 55 8b ec 8b 45 1c 53 8b 5d 08 57 8b 7d 0c 85 ff 74 21 a9 00 10 00 00 74 1a 8b 4d 10 8b 45 14 8d 14 0b 89 10 8b c7 2b c1 8b Data Ascii: Wyt&^]UEV3t=vWx6S]3WuxVuWS1x;wuz3f{_[tM3f^]UE3Mt'SVuW}+ttAOBu_^[uIJM%zt]UES]W}t!tME+
2024-09-28 22:55:32 UTC	1378	IN	Data Raw: c4 18 eb 05 bf ff ff 00 80 8b c7 5f 5e 5b c9 c2 0c 00 55 8b ec 6a 01 ff 75 0c ff 75 08 e8 12 f2 ff ff 5d c2 08 00 55 8b ec 6a 00 ff 75 10 ff 75 0c ff 75 08 e8 74 f2 ff ff 5d c2 0c 00 55 8b ec 8b 4d 08 83 ca ff 8b 45 10 53 56 33 f6 8b d8 57 8b fe 39 31 74 1e ff 31 e8 c0 26 00 00 8b f8 83 ca ff 3b fa 75 0a be 57 00 07 80 e9 02 01 00 00 d1 ef 8b c3 8b 4d 0c 85 c0 75 4a 56 56 52 51 56 ff 75 14 ff 15 64 e1 44 00 8b d8 85 db 75 33 ff 15 04 e1 44 00 8b f0 85 f6 7e 0b 0f b7 f6 81 ce 00 00 07 80 85 f6 78 05 be 05 40 00 80 56 68 0c 02 00 00 68 40 e6 44 00 e8 aa e6 ff ff e9 b0 00 00 00 4b eb 09 80 3c 01 00 75 03 8d 58 ff 8d 43 01 3b f8 73 47 8b f8 81 ff ff ff ff 7f 72 0a be 0e 00 07 80 e9 89 00 00 00 8b 45 08 8d 0c 3f 6a 01 51 39 30 74 09 ff 30 e8 3d 25 00 00 eb 05 Data Ascii: _^[Ujuu]Ujuuut]UMESV3W91t1&;uWMuJVVRQVudDu3D~x@Vhh@DK<uXC;sGrE?jQ90t0=%
2024-09-28 22:55:32 UTC	1378	IN	Data Raw: ec 56 8b 75 0c 57 33 ff 8d 04 75 01 00 00 00 39 45 14 73 07 bf 7a 00 07 80 eb 4a 8b 55 10 85 f6 74 3e 53 8b 5d 08 8a 03 c0 e8 04 3c 0a 0f b6 c0 1b c9 83 e1 f9 83 c1 37 66 03 c8 66 89 0a 8a 03 24 0f 3c 0a 0f b6 c0 1b c9 83 e1 f9 83 c1 37 66 03 c8 66 89 4a 02 83 c2 04 43 83 ee 01 75 c7 5b 33 c0 66 89 02 8b c7 5f 5e 5d c2 10 00 55 8b ec 56 33 f6 39 75 08 74 1f ff 75 08 e8 3b 21 00 00 8b 4d 0c 89 01 83 f8 ff 75 07 be 05 40 00 80 eb 0b d1 e8 89 01 eb 05 8b 4d 0c 89 31 8b c6 5e 5d c2 08 00 55 8b ec 57 ff 75 08 e8 17 00 00 00 83 7d 08 00 8b f8 74 08 ff 75 08 e8 41 1f 00 00 8b c7 5f 5d c2 04 00 55 8b ec 53 56 8b 75 08 33 db 85 f6 74 1e 56 e8 e1 20 00 00 83 f8 ff 75 07 bb 57 00 07 80 eb 0c 85 c0 74 08 88 1e 46 83 e8 01 75 f8 5e 8b c3 5b 5d c2 04 00 55 8b ec 56 ff Data Ascii: VuW3u9EszJUt>S]<7ff$<7ffJCu[3f_^]UV39utu;!Mu@M1^]UWu}tuA_]USVu3tV uWtFu^[]UV
2024-09-28 22:55:32 UTC	1378	IN	Data Raw: 94 c0 50 57 ff 75 08 ff 15 94 e1 44 00 85 c0 0f 85 bf 00 00 00 ff 15 04 e1 44 00 85 db 75 14 83 f8 50 74 07 3d b7 00 00 00 75 08 33 f6 46 e9 a1 00 00 00 83 f8 03 0f 85 87 00 00 00 0f b7 07 8b de 8b cf 66 85 c0 74 74 6a 5c 8b d0 5f 66 3b d7 75 02 8b d9 83 c1 02 0f b7 01 8b d0 66 85 c0 75 ec 8b 7d 0c 85 db 74 54 56 33 c0 57 66 89 03 e8 a3 e3 ff ff 8b f0 6a 5c 58 66 89 03 85 f6 78 54 ff 75 10 57 ff 75 08 ff 15 94 e1 44 00 85 c0 75 43 ff 15 04 e1 44 00 8b f0 85 f6 7e 0b 0f b7 f6 81 ce 00 00 07 80 85 f6 79 2a 56 68 54 04 00 00 68 dc e8 44 00 e8 e9 db ff ff eb 18 be 03 00 07 80 eb 11 85 c0 7f 04 8b f0 eb 09 0f b7 f0 81 ce 00 00 07 80 5f 8b c6 5e 5b 5d c2 0c 00 55 8b ec 56 b8 05 40 00 80 33 f6 3b 75 14 77 3c 85 f6 74 09 ff 75 18 ff 15 88 e1 44 00 ff 75 10 ff 75 Data Ascii: PWuDDuPt=u3Ffttj\_f;ufu}tTV3Wfj\XfxTuWuDuCD~y*VhThD_^[]UV@3;uw<tuDuu
2024-09-28 22:55:32 UTC	1378	IN	Data Raw: 8b f0 7e 02 8b f1 85 f6 78 05 be 05 40 00 80 56 68 54 03 00 00 68 dc e8 44 00 e8 22 d7 ff ff e9 d9 01 00 00 8b 75 fc 8d 45 f4 50 56 ff 15 74 e1 44 00 85 c0 75 2f ff d3 8b f0 85 f6 7e 0b 0f b7 f6 81 ce 00 00 07 80 85 f6 78 05 be 05 40 00 80 56 68 59 03 00 00 68 dc e8 44 00 e8 e1 d6 ff ff e9 89 01 00 00 39 7d 14 74 48 8b 7d 18 33 c0 3b 45 f8 7c 11 7f 05 3b 7d f4 76 0a be 57 00 07 80 e9 69 01 00 00 6a 01 50 57 56 ff 15 fc e0 44 00 83 f8 ff 75 1d ff d3 8b f0 85 f6 7e 0b 0f b7 f6 81 ce 00 00 07 80 85 f6 79 08 56 68 67 03 00 00 eb a4 83 7d 20 00 74 26 8b 5d 1c 33 ff 8b 75 08 83 3e 00 74 67 85 db 75 41 ff 36 e8 6c 14 00 00 89 3e 8b 45 0c 8b f7 89 38 e9 10 01 00 00 8b 4d f4 8b d9 8b 45 f8 2b df 2b cf 6a 00 5f 1b c7 3b f8 7f ca 7c 05 39 4d 1c 73 c3 be 7a 00 07 80 Data Ascii: ~x@VhThD"uEPVtDu/~x@VhYhD9}tH}3;E\|;}vWijPWVDu~yVhg} t&]3u>tguA6l>E8ME++j_;\|9Msz

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49722	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-09-28 22:55:35 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-09-28 22:55:35 UTC	467	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF67) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-neu-z1 Cache-Control: public, max-age=150567 Date: Sat, 28 Sep 2024 22:55:35 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49723	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-09-28 22:55:36 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-09-28 22:55:36 UTC	515	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=150596 Date: Sat, 28 Sep 2024 22:55:36 GMT Content-Length: 55 Connection: close X-CID: 2
2024-09-28 22:55:36 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port
5	192.168.2.6	49724	40.115.3.253	443

Timestamp	Bytes transferred	Direction	Data
2024-09-28 22:55:38 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 64 72 4e 44 59 64 35 31 66 6b 6d 76 72 46 4f 2b 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 65 64 64 62 35 61 32 37 65 34 66 61 39 35 62 30 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: drNDYd51fkmvrFO+.1Context: eddb5a27e4fa95b0
2024-09-28 22:55:38 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-09-28 22:55:38 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 64 72 4e 44 59 64 35 31 66 6b 6d 76 72 46 4f 2b 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 65 64 64 62 35 61 32 37 65 34 66 61 39 35 62 30 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 57 75 6a 54 55 75 2b 58 42 70 70 30 76 50 4d 4f 64 6e 50 36 48 75 70 46 71 66 42 55 35 36 35 64 6a 2f 64 46 63 38 67 4e 50 67 48 6d 66 4f 6b 4f 6e 45 7a 79 54 55 53 67 67 2f 32 63 44 6c 64 35 2b 72 64 61 6a 6d 6c 4f 6a 35 44 7a 4d 4f 6b 6f 44 47 43 66 78 44 4e 71 7a 76 51 71 33 4a 30 72 44 59 65 63 77 71 44 48 6b 6f 67 55 4c Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: drNDYd51fkmvrFO+.2Context: eddb5a27e4fa95b0<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAWujTUu+XBpp0vPMOdnP6HupFqfBU565dj/dFc8gNPgHmfOkOnEzyTUSgg/2cDld5+rdajmlOj5DzMOkoDGCfxDNqzvQq3J0rDYecwqDHkogUL
2024-09-28 22:55:38 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 64 72 4e 44 59 64 35 31 66 6b 6d 76 72 46 4f 2b 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 65 64 64 62 35 61 32 37 65 34 66 61 39 35 62 30 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: drNDYd51fkmvrFO+.3Context: eddb5a27e4fa95b0<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2024-09-28 22:55:38 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-09-28 22:55:38 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 38 48 4a 49 7a 55 44 78 70 6b 4f 77 65 39 64 79 77 68 58 74 43 67 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: 8HJIzUDxpkOwe9dywhXtCg.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
6	192.168.2.6	49728	40.115.3.253	443

Timestamp	Bytes transferred	Direction	Data
2024-09-28 22:55:53 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 6c 65 4a 58 43 36 49 6a 39 55 61 71 78 4a 59 76 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 66 66 65 66 61 36 62 36 65 33 36 33 61 66 32 32 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: leJXC6Ij9UaqxJYv.1Context: ffefa6b6e363af22
2024-09-28 22:55:53 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-09-28 22:55:53 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 6c 65 4a 58 43 36 49 6a 39 55 61 71 78 4a 59 76 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 66 66 65 66 61 36 62 36 65 33 36 33 61 66 32 32 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 57 75 6a 54 55 75 2b 58 42 70 70 30 76 50 4d 4f 64 6e 50 36 48 75 70 46 71 66 42 55 35 36 35 64 6a 2f 64 46 63 38 67 4e 50 67 48 6d 66 4f 6b 4f 6e 45 7a 79 54 55 53 67 67 2f 32 63 44 6c 64 35 2b 72 64 61 6a 6d 6c 4f 6a 35 44 7a 4d 4f 6b 6f 44 47 43 66 78 44 4e 71 7a 76 51 71 33 4a 30 72 44 59 65 63 77 71 44 48 6b 6f 67 55 4c Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: leJXC6Ij9UaqxJYv.2Context: ffefa6b6e363af22<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAWujTUu+XBpp0vPMOdnP6HupFqfBU565dj/dFc8gNPgHmfOkOnEzyTUSgg/2cDld5+rdajmlOj5DzMOkoDGCfxDNqzvQq3J0rDYecwqDHkogUL
2024-09-28 22:55:53 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 6c 65 4a 58 43 36 49 6a 39 55 61 71 78 4a 59 76 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 66 66 65 66 61 36 62 36 65 33 36 33 61 66 32 32 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: leJXC6Ij9UaqxJYv.3Context: ffefa6b6e363af22<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2024-09-28 22:55:53 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-09-28 22:55:53 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 41 47 57 73 34 6b 73 73 37 45 47 36 46 39 35 79 43 57 75 52 55 77 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: AGWs4kss7EG6F95yCWuRUw.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
7	192.168.2.6	64569	40.115.3.253	443

Timestamp	Bytes transferred	Direction	Data
2024-09-28 22:56:09 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 33 71 54 5a 55 51 6b 44 48 55 6d 58 62 37 56 61 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 62 31 65 34 63 63 64 30 38 39 38 38 36 34 66 65 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: 3qTZUQkDHUmXb7Va.1Context: b1e4ccd0898864fe
2024-09-28 22:56:09 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-09-28 22:56:09 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 33 71 54 5a 55 51 6b 44 48 55 6d 58 62 37 56 61 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 62 31 65 34 63 63 64 30 38 39 38 38 36 34 66 65 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 57 75 6a 54 55 75 2b 58 42 70 70 30 76 50 4d 4f 64 6e 50 36 48 75 70 46 71 66 42 55 35 36 35 64 6a 2f 64 46 63 38 67 4e 50 67 48 6d 66 4f 6b 4f 6e 45 7a 79 54 55 53 67 67 2f 32 63 44 6c 64 35 2b 72 64 61 6a 6d 6c 4f 6a 35 44 7a 4d 4f 6b 6f 44 47 43 66 78 44 4e 71 7a 76 51 71 33 4a 30 72 44 59 65 63 77 71 44 48 6b 6f 67 55 4c Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: 3qTZUQkDHUmXb7Va.2Context: b1e4ccd0898864fe<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAWujTUu+XBpp0vPMOdnP6HupFqfBU565dj/dFc8gNPgHmfOkOnEzyTUSgg/2cDld5+rdajmlOj5DzMOkoDGCfxDNqzvQq3J0rDYecwqDHkogUL
2024-09-28 22:56:09 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 33 71 54 5a 55 51 6b 44 48 55 6d 58 62 37 56 61 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 62 31 65 34 63 63 64 30 38 39 38 38 36 34 66 65 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: 3qTZUQkDHUmXb7Va.3Context: b1e4ccd0898864fe<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2024-09-28 22:56:10 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-09-28 22:56:10 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 30 62 62 6f 39 65 4a 79 52 55 6d 35 67 5a 62 44 58 6e 37 75 65 41 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: 0bbo9eJyRUm5gZbDXn7ueA.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
8	192.168.2.6	64572	20.7.1.246	443

Timestamp	Bytes transferred	Direction	Data
2024-09-28 22:56:34 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 65 6d 66 4f 44 62 6d 79 67 6b 2b 78 61 66 5a 54 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 37 32 32 62 31 32 63 32 65 62 65 34 30 65 66 30 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: emfODbmygk+xafZT.1Context: 722b12c2ebe40ef0
2024-09-28 22:56:34 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-09-28 22:56:34 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 65 6d 66 4f 44 62 6d 79 67 6b 2b 78 61 66 5a 54 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 37 32 32 62 31 32 63 32 65 62 65 34 30 65 66 30 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 57 75 6a 54 55 75 2b 58 42 70 70 30 76 50 4d 4f 64 6e 50 36 48 75 70 46 71 66 42 55 35 36 35 64 6a 2f 64 46 63 38 67 4e 50 67 48 6d 66 4f 6b 4f 6e 45 7a 79 54 55 53 67 67 2f 32 63 44 6c 64 35 2b 72 64 61 6a 6d 6c 4f 6a 35 44 7a 4d 4f 6b 6f 44 47 43 66 78 44 4e 71 7a 76 51 71 33 4a 30 72 44 59 65 63 77 71 44 48 6b 6f 67 55 4c Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: emfODbmygk+xafZT.2Context: 722b12c2ebe40ef0<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAWujTUu+XBpp0vPMOdnP6HupFqfBU565dj/dFc8gNPgHmfOkOnEzyTUSgg/2cDld5+rdajmlOj5DzMOkoDGCfxDNqzvQq3J0rDYecwqDHkogUL
2024-09-28 22:56:34 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 65 6d 66 4f 44 62 6d 79 67 6b 2b 78 61 66 5a 54 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 37 32 32 62 31 32 63 32 65 62 65 34 30 65 66 30 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: emfODbmygk+xafZT.3Context: 722b12c2ebe40ef0<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2024-09-28 22:56:34 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-09-28 22:56:34 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 50 35 43 50 53 62 32 52 64 45 65 62 2f 33 66 79 45 42 38 31 68 51 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: P5CPSb2RdEeb/3fyEB81hQ.0Payload parsing failed.

Target ID:	0
Start time:	18:55:24
Start date:	28/09/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Imagebase:	0x7ff684c40000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	18:55:28
Start date:	28/09/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 --field-trial-handle=1928,i,12913085829763271358,17456350680023490058,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff684c40000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	18:55:30
Start date:	28/09/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://github.com/microsoft/PowerToys/releases/download/v0.84.1/PowerToysUserSetup-0.84.1-x64.exe"
Imagebase:	0x7ff684c40000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://github.com/microsoft/PowerToys/releases/download/v0.84.1/PowerToysUserSetup-0.84.1-x64.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\Downloads\Unconfirmed 180121.crdownload

C:\Users\user\Downloads\d59d40bb-a548-4878-b5da-1c288ed7e94c.tmp

Chrome Cache Entry: 103

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: chrome.exePID: 5208, Parent PID: 6032

General

Chronological Activities

Analysis Process: chrome.exePID: 6220, Parent PID: 5208

General

Chronological Activities

Analysis Process: chrome.exePID: 4832, Parent PID: 6032

General

Chronological Activities

Disassembly

Windows Analysis Report
https://github.com/microsoft/PowerToys/releases/download/v0.84.1/PowerToysUserSetup-0.84.1-x64.exe