Edit tour

Windows Analysis Report
http://https:/atpscan.global.hornetsecurity.com?d=r7jv6mGLSFUWnAoVoWKJDiF7kKGt3Fw5kKbn5s5sfcpNyTRbK79Zci2IH8Nl2g5X&f=qvzVe-8YAX4Dy6XefosXpr9xe6cUPxuD05v5wTHFNiMjrMs6M0fDbIikzhduev0q&i=&k=3x5s&m=iAkhIt0HvpR1Oh2_h6Q0O4Hzfyk0g3SV3EvnL7Z4VUDMO-lWq1KA94UsI2rIZoVyTUZY62kGnDiHyWJGH-7ewwHTHsNEmZuBPXaeTQvRVK

Overview

General Information

Sample URL:	http://https:/atpscan.global.hornetsecurity.com?d=r7jv6mGLSFUWnAoVoWKJDiF7kKGt3Fw5kKbn5s5sfcpNyTRbK79Zci2IH8Nl2g5X&f=qvzVe-8YAX4Dy6XefosXpr9xe6cUPxuD05v5wTHFNiMjrMs6M0fDbIikzhduev0q&i=&k=3x5s&m=iAkhIt
Analysis ID:	1522635
Infos:

Detection

Score:	1
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected non-DNS traffic on DNS port

Stores files to the Windows start menu directory

Classification

Process Tree

System is w10x64_ra

chrome.exe (PID: 7032 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6352 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 --field-trial-handle=1948,i,12221023580529806588,14764156999437065076,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 2392 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://https:/atpscan.global.hornetsecurity.com?d=r7jv6mGLSFUWnAoVoWKJDiF7kKGt3Fw5kKbn5s5sfcpNyTRbK79Zci2IH8Nl2g5X&f=qvzVe-8YAX4Dy6XefosXpr9xe6cUPxuD05v5wTHFNiMjrMs6M0fDbIikzhduev0q&i=&k=3x5s&m=iAkhIt0HvpR1Oh2_h6Q0O4Hzfyk0g3SV3EvnL7Z4VUDMO-lWq1KA94UsI2rIZoVyTUZY62kGnDiHyWJGH-7ewwHTHsNEmZuBPXaeTQvRVKfNDkV8Z7LfIWxRCCZdooZC&n=ZEhYBDFv208HJKEkNw5PqFObkm08aq7YeFB_fsGRbHtm2gx4mSx3JSwYkGZ1WU18bxwJPkfxXGKYv_KHdz1U8g&r=jfqeskceaKp8lH_i6JGe3T3xyBa6G7cbOCXOc4EPK3XMqLBHJqWBZEP0B9-qih8i&s=7226c2d05f1feec1a62ae2af2728e02cdefac54ea37a3a7665785b4a5864d360&u=https*3A*2F*2Fpitstop.powellind.com*2Fxfer*2Fbhub.cgi*3Fact*3Ddirect_download_file*26package_id*3Dpowelldocmanager*2540powellind*252Ecom*255FO8FN5TMSR40O4R6VOBEQREUV86*26file_name*3Dpowelldocmanager*2540powellind*252Ecom*255FO8FN5TMSR40O4R6VOBEQREUV86*252Ezip*26username*3Ddlarue*2540schmidt*252Delectric*252Ecom*26direct_token*3DB175D31C2AE80D9A572ED101DA29F438*26file_type*3Dzip__;JSUlJSUlJSUlJSUlJSUlJSUlJSUlJSUlJSUl!!PsRMz_liT-2f!lyFBpyvRN69uTi9lGXPBKy-XSt-kz0C0JEORrqM8dMdi_IxvE9r1JFw4LyvspGoo--E3uM-bmu0c26FxoQqF$%3E" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.16:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.16:58482 version: TLS 1.2

Source: global traffic

TCP traffic: 192.168.2.16:58481 -> 1.1.1.1:53

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108

Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=9n35bKXho4cAs5m&MD=CaChf6yH HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=9n35bKXho4cAs5m&MD=CaChf6yH HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Source: global traffic	DNS traffic detected: DNS query: google.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 58486 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58484 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58482 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58486
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58482
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58484
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.16:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.16:58482 version: TLS 1.2

Source: classification engine

Classification label: clean1.win@22/6@6/3

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Jump to behavior

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 --field-trial-handle=1948,i,12221023580529806588,14764156999437065076,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://https:/atpscan.global.hornetsecurity.com?d=r7jv6mGLSFUWnAoVoWKJDiF7kKGt3Fw5kKbn5s5sfcpNyTRbK79Zci2IH8Nl2g5X&f=qvzVe-8YAX4Dy6XefosXpr9xe6cUPxuD05v5wTHFNiMjrMs6M0fDbIikzhduev0q&i=&k=3x5s&m=iAkhIt0HvpR1Oh2_h6Q0O4Hzfyk0g3SV3EvnL7Z4VUDMO-lWq1KA94UsI2rIZoVyTUZY62kGnDiHyWJGH-7ewwHTHsNEmZuBPXaeTQvRVKfNDkV8Z7LfIWxRCCZdooZC&n=ZEhYBDFv208HJKEkNw5PqFObkm08aq7YeFB_fsGRbHtm2gx4mSx3JSwYkGZ1WU18bxwJPkfxXGKYv_KHdz1U8g&r=jfqeskceaKp8lH_i6JGe3T3xyBa6G7cbOCXOc4EPK3XMqLBHJqWBZEP0B9-qih8i&s=7226c2d05f1feec1a62ae2af2728e02cdefac54ea37a3a7665785b4a5864d360&u=https3A2F2Fpitstop.powellind.com2Fxfer2Fbhub.cgi3Fact3Ddirect_download_file26package_id3Dpowelldocmanager2540powellind252Ecom255FO8FN5TMSR40O4R6VOBEQREUV8626file_name3Dpowelldocmanager2540powellind252Ecom255FO8FN5TMSR40O4R6VOBEQREUV86252Ezip26username3Ddlarue2540schmidt252Delectric252Ecom26direct_token3DB175D31C2AE80D9A572ED101DA29F43826file_type*3Dzip__;JSUlJSUlJSUlJSUlJSUlJSUlJSUlJSUlJSUl!!PsRMz_liT-2f!lyFBpyvRN69uTi9lGXPBKy-XSt-kz0C0JEORrqM8dMdi_IxvE9r1JFw4LyvspGoo--E3uM-bmu0c26FxoQqF$%3E"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 --field-trial-handle=1948,i,12221023580529806588,14764156999437065076,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Google Drive.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	1 Process Injection	1 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
google.com	0%	Virustotal		Browse
www.google.com	0%	Virustotal		Browse

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
google.com	142.250.184.206	true	false	0%, Virustotal, Browse	unknown
www.google.com	142.250.184.196	true	false	0%, Virustotal, Browse	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
142.250.184.196	www.google.com	United States		15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved		unknown	unknown	false

Private

IP
192.168.2.16

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1522635
Start date and time:	2024-09-30 13:57:56 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Sample URL:	http://https:/atpscan.global.hornetsecurity.com?d=r7jv6mGLSFUWnAoVoWKJDiF7kKGt3Fw5kKbn5s5sfcpNyTRbK79Zci2IH8Nl2g5X&f=qvzVe-8YAX4Dy6XefosXpr9xe6cUPxuD05v5wTHFNiMjrMs6M0fDbIikzhduev0q&i=&k=3x5s&m=iAkhIt0HvpR1Oh2_h6Q0O4Hzfyk0g3SV3EvnL7Z4VUDMO-lWq1KA94UsI2rIZoVyTUZY62kGnDiHyWJGH-7ewwHTHsNEmZuBPXaeTQvRVKfNDkV8Z7LfIWxRCCZdooZC&n=ZEhYBDFv208HJKEkNw5PqFObkm08aq7YeFB_fsGRbHtm2gx4mSx3JSwYkGZ1WU18bxwJPkfxXGKYv_KHdz1U8g&r=jfqeskceaKp8lH_i6JGe3T3xyBa6G7cbOCXOc4EPK3XMqLBHJqWBZEP0B9-qih8i&s=7226c2d05f1feec1a62ae2af2728e02cdefac54ea37a3a7665785b4a5864d360&u=https3A2F2Fpitstop.powellind.com2Fxfer2Fbhub.cgi3Fact3Ddirect_download_file26package_id3Dpowelldocmanager2540powellind252Ecom255FO8FN5TMSR40O4R6VOBEQREUV8626file_name3Dpowelldocmanager2540powellind252Ecom255FO8FN5TMSR40O4R6VOBEQREUV86252Ezip26username3Ddlarue2540schmidt252Delectric252Ecom26direct_token3DB175D31C2AE80D9A572ED101DA29F43826file_type*3Dzip__;JSUlJSUlJSUlJSUlJSUlJSUlJSUlJSUlJSUl!!PsRMz_liT-2f!lyFBpyvRN69uTi9lGXPBKy-XSt-kz0C0JEORrqM8dMdi_IxvE9r1JFw4LyvspGoo--E3uM-bmu0c26FxoQqF$%3E
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean1.win@22/6@6/3

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 172.217.18.3, 142.250.185.174, 64.233.184.84, 34.104.35.123, 142.250.186.67
Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, clients2.google.com, accounts.google.com, edgedl.me.gvt1.com, slscr.update.microsoft.com, update.googleapis.com, clientservices.googleapis.com, clients.l.google.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Sep 30 10:58:31 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2673
Entropy (8bit):	3.978847021317276
Encrypted:	false
SSDEEP:	48:8pdaTm2dHIWidAKZdA1FehwiZUklqehLy+3:8urmEky
MD5:	17C327D7C28CE4A9013843B09B590C8D
SHA1:	800F3549D75BB69E77D7634C9EA475E964579B45
SHA-256:	18FB2A6065554E971EA12B94C31D0A2FFDF5F4FA46ECF3FF2D8757F19CB220DB
SHA-512:	AE3A523EE0907FF6B741C919205A87B3671DE5FF0EEA86D4E11A12DFC4D6AB7D7EB7B6A0DD0AAD81795EA5DC7604294EC1E40980265ABEB05872EF9EA5E3B670
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....G...0...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I>YC_....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V>YO_....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V>YO_....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V>YO_..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V>YP_...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............[W.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Sep 30 10:58:31 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2675
Entropy (8bit):	3.994638659531262
Encrypted:	false
SSDEEP:	48:8AdaTm2dHIWidAKZdA1seh/iZUkAQkqehUy+2:8Jrm69QBy
MD5:	239F05269B2607E20042902A0884EC8A
SHA1:	C55C080549CDB20742DADC3B8B40903A8CE10BFA
SHA-256:	F4ACF7EAF0B7A633B91A5DB6346DE98455C3DD0461700F1222F1F7841ADFBE4A
SHA-512:	3AFFD6700FAA770A015F50E843B35EFEA20033BA4D61E09214C7D573FCFF0D452F50AEACECB6C4706F2FEE236B8B1982582A53CC8CC35A565CCB2B1D9AA99BEA
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....7...0...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I>YC_....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V>YO_....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V>YO_....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V>YO_..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V>YP_...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............[W.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:05:01 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2689
Entropy (8bit):	4.005353068716462
Encrypted:	false
SSDEEP:	48:8bdaTm2AHIWidAKZdA14meh7sFiZUkmgqeh7sSy+BX:8krFunoy
MD5:	AEBDE6550A7C9D3FEC615A7D42E1AC12
SHA1:	A786B4FA9C58E3855885F67BAD759B37CB8A3518
SHA-256:	9C29E390F06C46591C69B558924E2A4DBD91D254F537452F5CA9FD9D91636299
SHA-512:	C2BB8E4E939D0E5D52787AFE85B60E9833CD9672AE13E1413954CBAE8006E7388E2DADBA4E6CF29FAEF465F75C1669280754C4AA6DABB6648B171CB26F25B34B
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.....Y.04...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I>YC_....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V>YO_....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V>YO_....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V>YO_..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VFW.E...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............[W.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Sep 30 10:58:31 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.994672743190102
Encrypted:	false
SSDEEP:	48:8QdaTm2dHIWidAKZdA1TehDiZUkwqehAy+R:85rmxKy
MD5:	4CABB4E601C2FA72F6C960ACCAACB933
SHA1:	BC038DA72CB50AA313902FCF611F2F3F5474EE75
SHA-256:	7F3C17FD7C6EF435B998C71E33AC832DCC9F08BFFB41AAF2B8F29D0A7BBB8EEF
SHA-512:	2B607E9FDB9D4111645A6F2F3E0C9DF75DD6C9B8DD070FCD0331BAFC055167D63FB2758A75484FCE37DD667B1FCC538B47E3321BA9853D67342C8D4856691530
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.......0...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I>YC_....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V>YO_....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V>YO_....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V>YO_..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V>YP_...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............[W.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Sep 30 10:58:31 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.9818826174685817
Encrypted:	false
SSDEEP:	48:8rdaTm2dHIWidAKZdA1dehBiZUk1W1qehWy+C:8Urmx92y
MD5:	6F812F61C2277E7EC851CA6541068D49
SHA1:	BF2973718125765EF2D5350E4C8DA82B313B143C
SHA-256:	DF25ACA42751594FDBDA7A35616A1593BA327580B0982454DF20DFE3DAC1DD27
SHA-512:	F383E0AA510CE63FE0FE837D4313DF60E2D6B63B0E52930A0387DDC182E45D8E9942E8F048AEC3A6626A4345C40AD1EE46911FB7E142AE0B2FE8AFEF187E6AA7
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.....h..0...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I>YC_....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V>YO_....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V>YO_....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V>YO_..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V>YP_...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............[W.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Sep 30 10:58:31 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	3.992180480844607
Encrypted:	false
SSDEEP:	48:83daTm2dHIWidAKZdA1duTeehOuTbbiZUk5OjqehOuTboy+yT+:8IrmZTfTbxWOvTboy7T
MD5:	DB166787AA6DB6823AA9F9668CA0F3AB
SHA1:	4229D1B1C27D93D584919D5348A955D2710FF138
SHA-256:	E72D68215D22D99867190B918C2877344EE9EDD0F47E863673D9503B7455ED1C
SHA-512:	5A0694D8AE5BD4D608C0F85D30E7A6C029C40530C74F67E2DD82F26F830B8A4FF0EA03AD00182EB013B7DC3891607B2700A28749FC8BAF4371449DD32491D10E
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,........0...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I>YC_....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V>YO_....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V>YO_....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V>YO_..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V>YP_...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............[W.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Static File Info

⊘No static file info

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 30, 2024 13:58:25.300719023 CEST	49673	443	192.168.2.16	204.79.197.203
Sep 30, 2024 13:58:25.612941027 CEST	49673	443	192.168.2.16	204.79.197.203
Sep 30, 2024 13:58:26.216702938 CEST	49673	443	192.168.2.16	204.79.197.203
Sep 30, 2024 13:58:27.430700064 CEST	49673	443	192.168.2.16	204.79.197.203
Sep 30, 2024 13:58:28.662712097 CEST	49689	80	192.168.2.16	192.229.211.108
Sep 30, 2024 13:58:29.830868006 CEST	49673	443	192.168.2.16	204.79.197.203
Sep 30, 2024 13:58:31.546874046 CEST	49710	443	192.168.2.16	184.28.90.27
Sep 30, 2024 13:58:31.546907902 CEST	443	49710	184.28.90.27	192.168.2.16
Sep 30, 2024 13:58:31.546991110 CEST	49710	443	192.168.2.16	184.28.90.27
Sep 30, 2024 13:58:31.548283100 CEST	49710	443	192.168.2.16	184.28.90.27
Sep 30, 2024 13:58:31.548302889 CEST	443	49710	184.28.90.27	192.168.2.16
Sep 30, 2024 13:58:32.192861080 CEST	443	49710	184.28.90.27	192.168.2.16
Sep 30, 2024 13:58:32.192992926 CEST	49710	443	192.168.2.16	184.28.90.27
Sep 30, 2024 13:58:32.197663069 CEST	49710	443	192.168.2.16	184.28.90.27
Sep 30, 2024 13:58:32.197674036 CEST	443	49710	184.28.90.27	192.168.2.16
Sep 30, 2024 13:58:32.198069096 CEST	443	49710	184.28.90.27	192.168.2.16
Sep 30, 2024 13:58:32.225497007 CEST	49710	443	192.168.2.16	184.28.90.27
Sep 30, 2024 13:58:32.267402887 CEST	443	49710	184.28.90.27	192.168.2.16
Sep 30, 2024 13:58:32.498153925 CEST	443	49710	184.28.90.27	192.168.2.16
Sep 30, 2024 13:58:32.498239040 CEST	443	49710	184.28.90.27	192.168.2.16
Sep 30, 2024 13:58:32.498295069 CEST	49710	443	192.168.2.16	184.28.90.27
Sep 30, 2024 13:58:32.498334885 CEST	49710	443	192.168.2.16	184.28.90.27
Sep 30, 2024 13:58:32.498358965 CEST	443	49710	184.28.90.27	192.168.2.16
Sep 30, 2024 13:58:32.498375893 CEST	49710	443	192.168.2.16	184.28.90.27
Sep 30, 2024 13:58:32.498383045 CEST	443	49710	184.28.90.27	192.168.2.16
Sep 30, 2024 13:58:32.521363974 CEST	49712	443	192.168.2.16	184.28.90.27
Sep 30, 2024 13:58:32.521397114 CEST	443	49712	184.28.90.27	192.168.2.16
Sep 30, 2024 13:58:32.521476030 CEST	49712	443	192.168.2.16	184.28.90.27
Sep 30, 2024 13:58:32.521723032 CEST	49712	443	192.168.2.16	184.28.90.27
Sep 30, 2024 13:58:32.521733999 CEST	443	49712	184.28.90.27	192.168.2.16
Sep 30, 2024 13:58:33.155829906 CEST	443	49712	184.28.90.27	192.168.2.16
Sep 30, 2024 13:58:33.155930042 CEST	49712	443	192.168.2.16	184.28.90.27
Sep 30, 2024 13:58:33.157088041 CEST	49712	443	192.168.2.16	184.28.90.27
Sep 30, 2024 13:58:33.157094955 CEST	443	49712	184.28.90.27	192.168.2.16
Sep 30, 2024 13:58:33.157331944 CEST	443	49712	184.28.90.27	192.168.2.16
Sep 30, 2024 13:58:33.158354044 CEST	49712	443	192.168.2.16	184.28.90.27
Sep 30, 2024 13:58:33.199404955 CEST	443	49712	184.28.90.27	192.168.2.16
Sep 30, 2024 13:58:33.431150913 CEST	443	49712	184.28.90.27	192.168.2.16
Sep 30, 2024 13:58:33.431225061 CEST	443	49712	184.28.90.27	192.168.2.16
Sep 30, 2024 13:58:33.431458950 CEST	49712	443	192.168.2.16	184.28.90.27
Sep 30, 2024 13:58:33.431770086 CEST	49712	443	192.168.2.16	184.28.90.27
Sep 30, 2024 13:58:33.431793928 CEST	443	49712	184.28.90.27	192.168.2.16
Sep 30, 2024 13:58:33.431807041 CEST	49712	443	192.168.2.16	184.28.90.27
Sep 30, 2024 13:58:33.431813002 CEST	443	49712	184.28.90.27	192.168.2.16
Sep 30, 2024 13:58:33.460055113 CEST	49678	443	192.168.2.16	20.189.173.10
Sep 30, 2024 13:58:33.760736942 CEST	49678	443	192.168.2.16	20.189.173.10
Sep 30, 2024 13:58:34.334547997 CEST	49713	443	192.168.2.16	142.250.184.196
Sep 30, 2024 13:58:34.334589958 CEST	443	49713	142.250.184.196	192.168.2.16
Sep 30, 2024 13:58:34.334657907 CEST	49713	443	192.168.2.16	142.250.184.196
Sep 30, 2024 13:58:34.334948063 CEST	49713	443	192.168.2.16	142.250.184.196
Sep 30, 2024 13:58:34.334965944 CEST	443	49713	142.250.184.196	192.168.2.16
Sep 30, 2024 13:58:34.365751982 CEST	49678	443	192.168.2.16	20.189.173.10
Sep 30, 2024 13:58:34.633752108 CEST	49673	443	192.168.2.16	204.79.197.203
Sep 30, 2024 13:58:34.730257034 CEST	49714	443	192.168.2.16	4.175.87.197
Sep 30, 2024 13:58:34.730307102 CEST	443	49714	4.175.87.197	192.168.2.16
Sep 30, 2024 13:58:34.730417967 CEST	49714	443	192.168.2.16	4.175.87.197
Sep 30, 2024 13:58:34.732420921 CEST	49714	443	192.168.2.16	4.175.87.197
Sep 30, 2024 13:58:34.732439995 CEST	443	49714	4.175.87.197	192.168.2.16
Sep 30, 2024 13:58:35.094446898 CEST	443	49713	142.250.184.196	192.168.2.16
Sep 30, 2024 13:58:35.094940901 CEST	49713	443	192.168.2.16	142.250.184.196
Sep 30, 2024 13:58:35.094980955 CEST	443	49713	142.250.184.196	192.168.2.16
Sep 30, 2024 13:58:35.096472025 CEST	443	49713	142.250.184.196	192.168.2.16
Sep 30, 2024 13:58:35.096597910 CEST	49713	443	192.168.2.16	142.250.184.196
Sep 30, 2024 13:58:35.102524042 CEST	49713	443	192.168.2.16	142.250.184.196
Sep 30, 2024 13:58:35.102654934 CEST	443	49713	142.250.184.196	192.168.2.16
Sep 30, 2024 13:58:35.144783974 CEST	49713	443	192.168.2.16	142.250.184.196
Sep 30, 2024 13:58:35.144798994 CEST	443	49713	142.250.184.196	192.168.2.16
Sep 30, 2024 13:58:35.192753077 CEST	49713	443	192.168.2.16	142.250.184.196
Sep 30, 2024 13:58:35.546175003 CEST	443	49714	4.175.87.197	192.168.2.16
Sep 30, 2024 13:58:35.546274900 CEST	49714	443	192.168.2.16	4.175.87.197
Sep 30, 2024 13:58:35.549040079 CEST	49714	443	192.168.2.16	4.175.87.197
Sep 30, 2024 13:58:35.549067974 CEST	443	49714	4.175.87.197	192.168.2.16
Sep 30, 2024 13:58:35.549355030 CEST	443	49714	4.175.87.197	192.168.2.16
Sep 30, 2024 13:58:35.576764107 CEST	49678	443	192.168.2.16	20.189.173.10
Sep 30, 2024 13:58:35.592767954 CEST	49714	443	192.168.2.16	4.175.87.197
Sep 30, 2024 13:58:35.608249903 CEST	49714	443	192.168.2.16	4.175.87.197
Sep 30, 2024 13:58:35.651396036 CEST	443	49714	4.175.87.197	192.168.2.16
Sep 30, 2024 13:58:36.085449934 CEST	443	49714	4.175.87.197	192.168.2.16
Sep 30, 2024 13:58:36.085479021 CEST	443	49714	4.175.87.197	192.168.2.16
Sep 30, 2024 13:58:36.085486889 CEST	443	49714	4.175.87.197	192.168.2.16
Sep 30, 2024 13:58:36.085495949 CEST	443	49714	4.175.87.197	192.168.2.16
Sep 30, 2024 13:58:36.085539103 CEST	443	49714	4.175.87.197	192.168.2.16
Sep 30, 2024 13:58:36.085556030 CEST	49714	443	192.168.2.16	4.175.87.197
Sep 30, 2024 13:58:36.085570097 CEST	443	49714	4.175.87.197	192.168.2.16
Sep 30, 2024 13:58:36.085608006 CEST	49714	443	192.168.2.16	4.175.87.197
Sep 30, 2024 13:58:36.085616112 CEST	443	49714	4.175.87.197	192.168.2.16
Sep 30, 2024 13:58:36.085634947 CEST	49714	443	192.168.2.16	4.175.87.197
Sep 30, 2024 13:58:36.085680008 CEST	443	49714	4.175.87.197	192.168.2.16
Sep 30, 2024 13:58:36.085711002 CEST	49714	443	192.168.2.16	4.175.87.197
Sep 30, 2024 13:58:36.085740089 CEST	49714	443	192.168.2.16	4.175.87.197
Sep 30, 2024 13:58:36.159317017 CEST	49714	443	192.168.2.16	4.175.87.197
Sep 30, 2024 13:58:36.159344912 CEST	443	49714	4.175.87.197	192.168.2.16
Sep 30, 2024 13:58:37.413399935 CEST	58481	53	192.168.2.16	1.1.1.1
Sep 30, 2024 13:58:37.418267012 CEST	53	58481	1.1.1.1	192.168.2.16
Sep 30, 2024 13:58:37.418437004 CEST	58481	53	192.168.2.16	1.1.1.1
Sep 30, 2024 13:58:37.423194885 CEST	53	58481	1.1.1.1	192.168.2.16
Sep 30, 2024 13:58:37.894160032 CEST	58481	53	192.168.2.16	1.1.1.1
Sep 30, 2024 13:58:37.899257898 CEST	53	58481	1.1.1.1	192.168.2.16
Sep 30, 2024 13:58:37.899334908 CEST	58481	53	192.168.2.16	1.1.1.1
Sep 30, 2024 13:58:37.931898117 CEST	49680	80	192.168.2.16	192.229.211.108
Sep 30, 2024 13:58:37.979762077 CEST	49678	443	192.168.2.16	20.189.173.10
Sep 30, 2024 13:58:38.234767914 CEST	49680	80	192.168.2.16	192.229.211.108
Sep 30, 2024 13:58:38.841979980 CEST	49680	80	192.168.2.16	192.229.211.108
Sep 30, 2024 13:58:40.056767941 CEST	49680	80	192.168.2.16	192.229.211.108
Sep 30, 2024 13:58:42.465745926 CEST	49680	80	192.168.2.16	192.229.211.108
Sep 30, 2024 13:58:42.784759998 CEST	49678	443	192.168.2.16	20.189.173.10
Sep 30, 2024 13:58:44.235816956 CEST	49673	443	192.168.2.16	204.79.197.203
Sep 30, 2024 13:58:44.882586956 CEST	443	49713	142.250.184.196	192.168.2.16
Sep 30, 2024 13:58:44.882654905 CEST	443	49713	142.250.184.196	192.168.2.16
Sep 30, 2024 13:58:44.882824898 CEST	49713	443	192.168.2.16	142.250.184.196
Sep 30, 2024 13:58:45.739753008 CEST	49713	443	192.168.2.16	142.250.184.196
Sep 30, 2024 13:58:45.739790916 CEST	443	49713	142.250.184.196	192.168.2.16
Sep 30, 2024 13:58:47.266858101 CEST	49680	80	192.168.2.16	192.229.211.108
Sep 30, 2024 13:58:52.389820099 CEST	49678	443	192.168.2.16	20.189.173.10
Sep 30, 2024 13:58:56.866817951 CEST	49680	80	192.168.2.16	192.229.211.108
Sep 30, 2024 13:59:14.074599981 CEST	58482	443	192.168.2.16	4.175.87.197
Sep 30, 2024 13:59:14.074635983 CEST	443	58482	4.175.87.197	192.168.2.16
Sep 30, 2024 13:59:14.074736118 CEST	58482	443	192.168.2.16	4.175.87.197
Sep 30, 2024 13:59:14.075093985 CEST	58482	443	192.168.2.16	4.175.87.197
Sep 30, 2024 13:59:14.075108051 CEST	443	58482	4.175.87.197	192.168.2.16
Sep 30, 2024 13:59:14.859965086 CEST	443	58482	4.175.87.197	192.168.2.16
Sep 30, 2024 13:59:14.860081911 CEST	58482	443	192.168.2.16	4.175.87.197
Sep 30, 2024 13:59:14.861454010 CEST	58482	443	192.168.2.16	4.175.87.197
Sep 30, 2024 13:59:14.861466885 CEST	443	58482	4.175.87.197	192.168.2.16
Sep 30, 2024 13:59:14.861731052 CEST	443	58482	4.175.87.197	192.168.2.16
Sep 30, 2024 13:59:14.863287926 CEST	58482	443	192.168.2.16	4.175.87.197
Sep 30, 2024 13:59:14.907401085 CEST	443	58482	4.175.87.197	192.168.2.16
Sep 30, 2024 13:59:15.194922924 CEST	443	58482	4.175.87.197	192.168.2.16
Sep 30, 2024 13:59:15.194945097 CEST	443	58482	4.175.87.197	192.168.2.16
Sep 30, 2024 13:59:15.194962025 CEST	443	58482	4.175.87.197	192.168.2.16
Sep 30, 2024 13:59:15.195050001 CEST	58482	443	192.168.2.16	4.175.87.197
Sep 30, 2024 13:59:15.195066929 CEST	443	58482	4.175.87.197	192.168.2.16
Sep 30, 2024 13:59:15.195107937 CEST	58482	443	192.168.2.16	4.175.87.197
Sep 30, 2024 13:59:15.195403099 CEST	443	58482	4.175.87.197	192.168.2.16
Sep 30, 2024 13:59:15.195439100 CEST	443	58482	4.175.87.197	192.168.2.16
Sep 30, 2024 13:59:15.195467949 CEST	58482	443	192.168.2.16	4.175.87.197
Sep 30, 2024 13:59:15.195472956 CEST	443	58482	4.175.87.197	192.168.2.16
Sep 30, 2024 13:59:15.195502996 CEST	58482	443	192.168.2.16	4.175.87.197
Sep 30, 2024 13:59:15.196197033 CEST	443	58482	4.175.87.197	192.168.2.16
Sep 30, 2024 13:59:15.196244955 CEST	58482	443	192.168.2.16	4.175.87.197
Sep 30, 2024 13:59:15.197973967 CEST	58482	443	192.168.2.16	4.175.87.197
Sep 30, 2024 13:59:15.197989941 CEST	443	58482	4.175.87.197	192.168.2.16
Sep 30, 2024 13:59:15.198000908 CEST	58482	443	192.168.2.16	4.175.87.197
Sep 30, 2024 13:59:15.198005915 CEST	443	58482	4.175.87.197	192.168.2.16
Sep 30, 2024 13:59:15.482075930 CEST	49698	80	192.168.2.16	88.221.110.91
Sep 30, 2024 13:59:15.482122898 CEST	49700	80	192.168.2.16	88.221.110.91
Sep 30, 2024 13:59:15.488043070 CEST	80	49698	88.221.110.91	192.168.2.16
Sep 30, 2024 13:59:15.488104105 CEST	49698	80	192.168.2.16	88.221.110.91
Sep 30, 2024 13:59:15.488179922 CEST	80	49700	88.221.110.91	192.168.2.16
Sep 30, 2024 13:59:15.488229036 CEST	49700	80	192.168.2.16	88.221.110.91
Sep 30, 2024 13:59:34.383961916 CEST	58484	443	192.168.2.16	142.250.184.196
Sep 30, 2024 13:59:34.384002924 CEST	443	58484	142.250.184.196	192.168.2.16
Sep 30, 2024 13:59:34.384102106 CEST	58484	443	192.168.2.16	142.250.184.196
Sep 30, 2024 13:59:34.384350061 CEST	58484	443	192.168.2.16	142.250.184.196
Sep 30, 2024 13:59:34.384366989 CEST	443	58484	142.250.184.196	192.168.2.16
Sep 30, 2024 13:59:35.238311052 CEST	443	58484	142.250.184.196	192.168.2.16
Sep 30, 2024 13:59:35.238714933 CEST	58484	443	192.168.2.16	142.250.184.196
Sep 30, 2024 13:59:35.238740921 CEST	443	58484	142.250.184.196	192.168.2.16
Sep 30, 2024 13:59:35.239207983 CEST	443	58484	142.250.184.196	192.168.2.16
Sep 30, 2024 13:59:35.239548922 CEST	58484	443	192.168.2.16	142.250.184.196
Sep 30, 2024 13:59:35.239633083 CEST	443	58484	142.250.184.196	192.168.2.16
Sep 30, 2024 13:59:35.292912006 CEST	58484	443	192.168.2.16	142.250.184.196
Sep 30, 2024 13:59:45.144432068 CEST	443	58484	142.250.184.196	192.168.2.16
Sep 30, 2024 13:59:45.144500971 CEST	443	58484	142.250.184.196	192.168.2.16
Sep 30, 2024 13:59:45.144558907 CEST	58484	443	192.168.2.16	142.250.184.196
Sep 30, 2024 13:59:45.741632938 CEST	58484	443	192.168.2.16	142.250.184.196
Sep 30, 2024 13:59:45.741662979 CEST	443	58484	142.250.184.196	192.168.2.16
Sep 30, 2024 14:00:04.034097910 CEST	49699	80	192.168.2.16	192.229.221.95
Sep 30, 2024 14:00:04.039401054 CEST	80	49699	192.229.221.95	192.168.2.16
Sep 30, 2024 14:00:04.039505005 CEST	49699	80	192.168.2.16	192.229.221.95
Sep 30, 2024 14:00:34.465986013 CEST	58486	443	192.168.2.16	172.217.18.100
Sep 30, 2024 14:00:34.466103077 CEST	443	58486	172.217.18.100	192.168.2.16
Sep 30, 2024 14:00:34.466193914 CEST	58486	443	192.168.2.16	172.217.18.100
Sep 30, 2024 14:00:34.466433048 CEST	58486	443	192.168.2.16	172.217.18.100
Sep 30, 2024 14:00:34.466464043 CEST	443	58486	172.217.18.100	192.168.2.16
Sep 30, 2024 14:00:35.114350080 CEST	443	58486	172.217.18.100	192.168.2.16
Sep 30, 2024 14:00:35.114742994 CEST	58486	443	192.168.2.16	172.217.18.100
Sep 30, 2024 14:00:35.114825964 CEST	443	58486	172.217.18.100	192.168.2.16
Sep 30, 2024 14:00:35.115174055 CEST	443	58486	172.217.18.100	192.168.2.16
Sep 30, 2024 14:00:35.115478039 CEST	58486	443	192.168.2.16	172.217.18.100
Sep 30, 2024 14:00:35.115552902 CEST	443	58486	172.217.18.100	192.168.2.16
Sep 30, 2024 14:00:35.159037113 CEST	58486	443	192.168.2.16	172.217.18.100

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 30, 2024 13:58:29.524137974 CEST	53	55846	1.1.1.1	192.168.2.16
Sep 30, 2024 13:58:29.570290089 CEST	53	57184	1.1.1.1	192.168.2.16
Sep 30, 2024 13:58:30.340262890 CEST	137	137	192.168.2.16	192.168.2.255
Sep 30, 2024 13:58:30.543580055 CEST	53	61928	1.1.1.1	192.168.2.16
Sep 30, 2024 13:58:31.104860067 CEST	137	137	192.168.2.16	192.168.2.255
Sep 30, 2024 13:58:31.865865946 CEST	137	137	192.168.2.16	192.168.2.255
Sep 30, 2024 13:58:32.654856920 CEST	52297	53	192.168.2.16	8.8.8.8
Sep 30, 2024 13:58:32.655407906 CEST	61229	53	192.168.2.16	1.1.1.1
Sep 30, 2024 13:58:32.665123940 CEST	53	52297	8.8.8.8	192.168.2.16
Sep 30, 2024 13:58:32.667448044 CEST	53	61229	1.1.1.1	192.168.2.16
Sep 30, 2024 13:58:33.702589035 CEST	137	137	192.168.2.16	192.168.2.255
Sep 30, 2024 13:58:34.326041937 CEST	59965	53	192.168.2.16	1.1.1.1
Sep 30, 2024 13:58:34.326338053 CEST	54860	53	192.168.2.16	1.1.1.1
Sep 30, 2024 13:58:34.332885981 CEST	53	59965	1.1.1.1	192.168.2.16
Sep 30, 2024 13:58:34.333292007 CEST	53	54860	1.1.1.1	192.168.2.16
Sep 30, 2024 13:58:34.460896969 CEST	137	137	192.168.2.16	192.168.2.255
Sep 30, 2024 13:58:35.224867105 CEST	137	137	192.168.2.16	192.168.2.255
Sep 30, 2024 13:58:37.412938118 CEST	53	53233	1.1.1.1	192.168.2.16
Sep 30, 2024 13:58:41.006613970 CEST	137	137	192.168.2.16	192.168.2.255
Sep 30, 2024 13:58:41.765125990 CEST	137	137	192.168.2.16	192.168.2.255
Sep 30, 2024 13:58:42.529844999 CEST	137	137	192.168.2.16	192.168.2.255
Sep 30, 2024 13:58:47.440638065 CEST	53	55621	1.1.1.1	192.168.2.16
Sep 30, 2024 13:59:06.517646074 CEST	53	62085	1.1.1.1	192.168.2.16
Sep 30, 2024 13:59:13.318995953 CEST	137	137	192.168.2.16	192.168.2.255
Sep 30, 2024 13:59:14.078948021 CEST	137	137	192.168.2.16	192.168.2.255
Sep 30, 2024 13:59:14.829986095 CEST	137	137	192.168.2.16	192.168.2.255
Sep 30, 2024 13:59:29.526257038 CEST	53	53545	1.1.1.1	192.168.2.16
Sep 30, 2024 13:59:29.587233067 CEST	53	63621	1.1.1.1	192.168.2.16
Sep 30, 2024 13:59:29.633698940 CEST	138	138	192.168.2.16	192.168.2.255
Sep 30, 2024 13:59:57.372333050 CEST	53	50509	1.1.1.1	192.168.2.16
Sep 30, 2024 14:00:15.607250929 CEST	137	137	192.168.2.16	192.168.2.255
Sep 30, 2024 14:00:16.365092039 CEST	137	137	192.168.2.16	192.168.2.255
Sep 30, 2024 14:00:17.116336107 CEST	137	137	192.168.2.16	192.168.2.255
Sep 30, 2024 14:00:34.458327055 CEST	50121	53	192.168.2.16	1.1.1.1
Sep 30, 2024 14:00:34.458411932 CEST	54973	53	192.168.2.16	1.1.1.1
Sep 30, 2024 14:00:34.465195894 CEST	53	50121	1.1.1.1	192.168.2.16
Sep 30, 2024 14:00:34.465385914 CEST	53	54973	1.1.1.1	192.168.2.16

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 30, 2024 13:58:32.654856920 CEST	192.168.2.16	8.8.8.8	0xea78	Standard query (0)	google.com	A (IP address)	IN (0x0001)	false
Sep 30, 2024 13:58:32.655407906 CEST	192.168.2.16	1.1.1.1	0xdccb	Standard query (0)	google.com	A (IP address)	IN (0x0001)	false
Sep 30, 2024 13:58:34.326041937 CEST	192.168.2.16	1.1.1.1	0x2ec	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Sep 30, 2024 13:58:34.326338053 CEST	192.168.2.16	1.1.1.1	0x22f9	Standard query (0)	www.google.com	65	IN (0x0001)	false
Sep 30, 2024 14:00:34.458327055 CEST	192.168.2.16	1.1.1.1	0x56d0	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Sep 30, 2024 14:00:34.458411932 CEST	192.168.2.16	1.1.1.1	0x8188	Standard query (0)	www.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Sep 30, 2024 13:58:32.665123940 CEST	8.8.8.8	192.168.2.16	0xea78	No error (0)	google.com	142.250.184.206	A (IP address)	IN (0x0001)	false
Sep 30, 2024 13:58:32.667448044 CEST	1.1.1.1	192.168.2.16	0xdccb	No error (0)	google.com	172.217.16.142	A (IP address)	IN (0x0001)	false
Sep 30, 2024 13:58:34.332885981 CEST	1.1.1.1	192.168.2.16	0x2ec	No error (0)	www.google.com	142.250.184.196	A (IP address)	IN (0x0001)	false
Sep 30, 2024 13:58:34.333292007 CEST	1.1.1.1	192.168.2.16	0x22f9	No error (0)	www.google.com		65	IN (0x0001)	false
Sep 30, 2024 14:00:34.465195894 CEST	1.1.1.1	192.168.2.16	0x56d0	No error (0)	www.google.com	172.217.18.100	A (IP address)	IN (0x0001)	false
Sep 30, 2024 14:00:34.465385914 CEST	1.1.1.1	192.168.2.16	0x8188	No error (0)	www.google.com		65	IN (0x0001)	false

HTTP Request Dependency Graph

fs.microsoft.com

slscr.update.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.2.16	49710	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-09-30 11:58:32 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-09-30 11:58:32 UTC	466	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF67) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-neu-z1 Cache-Control: public, max-age=17245 Date: Mon, 30 Sep 2024 11:58:32 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port
1	192.168.2.16	49712	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-09-30 11:58:33 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-09-30 11:58:33 UTC	514	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=25982 Date: Mon, 30 Sep 2024 11:58:33 GMT Content-Length: 55 Connection: close X-CID: 2
2024-09-30 11:58:33 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.16	49714	4.175.87.197	443

Timestamp	Bytes transferred	Direction	Data
2024-09-30 11:58:35 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=9n35bKXho4cAs5m&MD=CaChf6yH HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-09-30 11:58:36 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: 4c08e089-a0ea-4280-a34d-63988185060c MS-RequestId: 841e7c46-e699-43b8-aa85-9c430b1fc49f MS-CV: 5Jm+DDzX50y9JDa4.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Mon, 30 Sep 2024 11:58:35 GMT Connection: close Content-Length: 24490
2024-09-30 11:58:36 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-09-30 11:58:36 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.16	58482	4.175.87.197	443

Timestamp	Bytes transferred	Direction	Data
2024-09-30 11:59:14 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=9n35bKXho4cAs5m&MD=CaChf6yH HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-09-30 11:59:15 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440" MS-CorrelationId: 78f15d76-4df4-4d57-a746-99fc59e900ab MS-RequestId: 2d1f7731-92f7-4f85-88f0-9024589dc640 MS-CV: nPjNiB+0tESowxRk.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Mon, 30 Sep 2024 11:59:14 GMT Connection: close Content-Length: 30005
2024-09-30 11:59:15 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK\|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
2024-09-30 11:59:15 UTC	14181	IN	Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: chrome.exePID: 7032, Parent PID: 2084

General

Target ID:	0
Start time:	07:58:28
Start date:	30/09/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Imagebase:	0x7ff7f9810000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 6352, Parent PID: 7032

General

Target ID:	1
Start time:	07:58:28
Start date:	30/09/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 --field-trial-handle=1948,i,12221023580529806588,14764156999437065076,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff7f9810000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 2392, Parent PID: 2084

General

Target ID:	2
Start time:	07:58:29
Start date:	30/09/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "http://https:/atpscan.global.hornetsecurity.com?d=r7jv6mGLSFUWnAoVoWKJDiF7kKGt3Fw5kKbn5s5sfcpNyTRbK79Zci2IH8Nl2g5X&f=qvzVe-8YAX4Dy6XefosXpr9xe6cUPxuD05v5wTHFNiMjrMs6M0fDbIikzhduev0q&i=&k=3x5s&m=iAkhIt0HvpR1Oh2_h6Q0O4Hzfyk0g3SV3EvnL7Z4VUDMO-lWq1KA94UsI2rIZoVyTUZY62kGnDiHyWJGH-7ewwHTHsNEmZuBPXaeTQvRVKfNDkV8Z7LfIWxRCCZdooZC&n=ZEhYBDFv208HJKEkNw5PqFObkm08aq7YeFB_fsGRbHtm2gx4mSx3JSwYkGZ1WU18bxwJPkfxXGKYv_KHdz1U8g&r=jfqeskceaKp8lH_i6JGe3T3xyBa6G7cbOCXOc4EPK3XMqLBHJqWBZEP0B9-qih8i&s=7226c2d05f1feec1a62ae2af2728e02cdefac54ea37a3a7665785b4a5864d360&u=https3A2F2Fpitstop.powellind.com2Fxfer2Fbhub.cgi3Fact3Ddirect_download_file26package_id3Dpowelldocmanager2540powellind252Ecom255FO8FN5TMSR40O4R6VOBEQREUV8626file_name3Dpowelldocmanager2540powellind252Ecom255FO8FN5TMSR40O4R6VOBEQREUV86252Ezip26username3Ddlarue2540schmidt252Delectric252Ecom26direct_token3DB175D31C2AE80D9A572ED101DA29F43826file_type*3Dzip__;JSUlJSUlJSUlJSUlJSUlJSUlJSUlJSUlJSUl!!PsRMz_liT-2f!lyFBpyvRN69uTi9lGXPBKy-XSt-kz0C0JEORrqM8dMdi_IxvE9r1JFw4LyvspGoo--E3uM-bmu0c26FxoQqF$%3E"
Imagebase:	0x7ff7f9810000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Boot Survival

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: chrome.exePID: 7032, Parent PID: 2084

General

Chronological Activities

Analysis Process: chrome.exePID: 6352, Parent PID: 7032

General

Chronological Activities

Analysis Process: chrome.exePID: 2392, Parent PID: 2084

General

Chronological Activities

Disassembly