Edit tour

Windows Analysis Report
http://fms.eciableth.com

Overview

General Information

Sample URL:	http://fms.eciableth.com
Analysis ID:	1522766
Infos:

Detection

Score:	0
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

No high impact signatures.

Classification

Process Tree

System is w10x64

chrome.exe (PID: 5800 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 5040 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2420 --field-trial-handle=2384,i,14674231627632601444,12975657766578784345,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6424 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://fms.eciableth.com" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

HTTP traffic detected: POST /report/v4?s=6aO9m4H1QOq3grGkMs7InD%2BZmxq3IEGp%2FrlPooCH7cB%2BEwP49PLcTGcvtdeeWtnufY4FA%2BwJONYoyxj7wUPSIyo3HmEmYNFluPfay89k9ykUYAyLU4eLD%2BY204gBGw%3D%3D HTTP/1.1Host: a.nel.cloudflare.comConnection: keep-aliveContent-Length: 388Content-Type: application/reports+jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 30 Sep 2024 14:28:25 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6aO9m4H1QOq3grGkMs7InD%2BZmxq3IEGp%2FrlPooCH7cB%2BEwP49PLcTGcvtdeeWtnufY4FA%2BwJONYoyxj7wUPSIyo3HmEmYNFluPfay89k9ykUYAyLU4eLD%2BY204gBGw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Speculation-Rules: "/cdn-cgi/speculation"Server: cloudflareCF-RAY: 8cb4e63b6af817a5-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 30 Sep 2024 14:28:27 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeCache-Control: max-age=14400Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DYTYCivZn1VZSutNqAs6Z4JzM1704EgVKAsvKSUgUhzyuO6k%2FXM0jP5ltSAS%2BaJXB%2Fxy69AnXQdEpRloJ%2FyQuyh2OMZeZnEf1aay0icY73CjoQcP4YQh30Qq7rBCuw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Vary: Accept-EncodingSpeculation-Rules: "/cdn-cgi/speculation"CF-Cache-Status: MISSServer: cloudflareCF-RAY: 8cb4e6461ff98cdd-EWR

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49745 version: TLS 1.2

Source: classification engine

Classification label: clean0.win@17/2@8/5

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2420 --field-trial-handle=2384,i,14674231627632601444,12975657766578784345,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://fms.eciableth.com"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2420 --field-trial-handle=2384,i,14674231627632601444,12975657766578784345,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	1 Process Injection	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	4 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	5 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	3 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
a.nel.cloudflare.com	35.190.80.1	true	false	unknown
fms.eciableth.com	172.67.146.250	true	false	unknown
www.google.com	216.58.206.36	true	false	unknown
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false	unknown

Contacted URLs

Name	Malicious	Reputation
https://a.nel.cloudflare.com/report/v4?s=6aO9m4H1QOq3grGkMs7InD%2BZmxq3IEGp%2FrlPooCH7cB%2BEwP49PLcTGcvtdeeWtnufY4FA%2BwJONYoyxj7wUPSIyo3HmEmYNFluPfay89k9ykUYAyLU4eLD%2BY204gBGw%3D%3D	false	unknown
https://a.nel.cloudflare.com/report/v4?s=DYTYCivZn1VZSutNqAs6Z4JzM1704EgVKAsvKSUgUhzyuO6k%2FXM0jP5ltSAS%2BaJXB%2Fxy69AnXQdEpRloJ%2FyQuyh2OMZeZnEf1aay0icY73CjoQcP4YQh30Qq7rBCuw%3D%3D	false	unknown
https://fms.eciableth.com/favicon.ico	false	unknown
https://fms.eciableth.com/	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.95.187	unknown	United States	13335	CLOUDFLARENETUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
35.190.80.1	a.nel.cloudflare.com	United States	15169	GOOGLEUS	false
216.58.206.36	www.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.4

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1522766
Start date and time:	2024-09-30 16:27:27 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	http://fms.eciableth.com
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean0.win@17/2@8/5
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.251.168.84, 172.217.18.3, 172.217.16.142, 34.104.35.123, 13.85.23.86, 93.184.221.240, 20.242.39.171, 192.229.221.95, 40.69.42.241, 172.217.18.99
Excluded domains from analysis (whitelisted): fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, clientservices.googleapis.com, ctldl.windowsupdate.com, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, clients2.google.com, edgedl.me.gvt1.com, ocsp.digicert.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, glb.cws.prod.dcat.dsp.trafficmanager.net, ocsp.edge.digicert.com, sls.update.microsoft.com, hlb.apr-52dd2-0.edgecastdns.net, update.googleapis.com, clients.l.google.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: http://fms.eciableth.com

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

Chrome Cache Entry: 41

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	downloaded
Size (bytes):	548
Entropy (8bit):	4.688532577858027
Encrypted:	false
SSDEEP:	12:TjeRHVIdtklI5r8INGlTF5TF5TF5TF5TF5TFK:neRH68DTPTPTPTPTPTc
MD5:	370E16C3B7DBA286CFF055F93B9A94D8
SHA1:	65F3537C3C798F7DA146C55AEF536F7B5D0CB943
SHA-256:	D465172175D35D493FB1633E237700022BD849FA123164790B168B8318ACB090
SHA-512:	75CD6A0AC7D6081D35140ABBEA018D1A2608DD936E2E21F61BF69E063F6FA16DD31C62392F5703D7A7C828EE3D4ECC838E73BFF029A98CED8986ACB5C8364966
Malicious:	false
Reputation:	low
URL:	https://fms.eciableth.com/
Preview:	<html>..<head><title>404 Not Found</title></head>..<body>..<center><h1>404 Not Found</h1></center>..<hr><center>nginx</center>..</body>..</html>.. a padding to disable MSIE and Chrome friendly error page -->.. a padding to disable MSIE and Chrome friendly error page -->.. a padding to disable MSIE and Chrome friendly error page -->.. a padding to disable MSIE and Chrome friendly error page -->.. a padding to disable MSIE and Chrome friendly error page -->.. a padding to disable MSIE and Chrome friendly error page -->..

Static File Info

⊘No static file info

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 30, 2024 16:28:23.248956919 CEST	49675	443	192.168.2.4	173.222.162.32
Sep 30, 2024 16:28:24.425172091 CEST	49735	443	192.168.2.4	104.21.95.187
Sep 30, 2024 16:28:24.425237894 CEST	443	49735	104.21.95.187	192.168.2.4
Sep 30, 2024 16:28:24.425431967 CEST	49735	443	192.168.2.4	104.21.95.187
Sep 30, 2024 16:28:24.425744057 CEST	49735	443	192.168.2.4	104.21.95.187
Sep 30, 2024 16:28:24.425761938 CEST	443	49735	104.21.95.187	192.168.2.4
Sep 30, 2024 16:28:24.918869019 CEST	443	49735	104.21.95.187	192.168.2.4
Sep 30, 2024 16:28:24.919146061 CEST	49735	443	192.168.2.4	104.21.95.187
Sep 30, 2024 16:28:24.919178009 CEST	443	49735	104.21.95.187	192.168.2.4
Sep 30, 2024 16:28:24.920233011 CEST	443	49735	104.21.95.187	192.168.2.4
Sep 30, 2024 16:28:24.920289040 CEST	49735	443	192.168.2.4	104.21.95.187
Sep 30, 2024 16:28:24.921519041 CEST	49735	443	192.168.2.4	104.21.95.187
Sep 30, 2024 16:28:24.921586037 CEST	443	49735	104.21.95.187	192.168.2.4
Sep 30, 2024 16:28:24.921622038 CEST	49735	443	192.168.2.4	104.21.95.187
Sep 30, 2024 16:28:24.921734095 CEST	49735	443	192.168.2.4	104.21.95.187
Sep 30, 2024 16:28:24.921746016 CEST	443	49735	104.21.95.187	192.168.2.4
Sep 30, 2024 16:28:24.921757936 CEST	443	49735	104.21.95.187	192.168.2.4
Sep 30, 2024 16:28:24.921761990 CEST	49735	443	192.168.2.4	104.21.95.187
Sep 30, 2024 16:28:24.921813011 CEST	49735	443	192.168.2.4	104.21.95.187
Sep 30, 2024 16:28:24.921824932 CEST	49735	443	192.168.2.4	104.21.95.187
Sep 30, 2024 16:28:24.922241926 CEST	49736	443	192.168.2.4	104.21.95.187
Sep 30, 2024 16:28:24.922278881 CEST	443	49736	104.21.95.187	192.168.2.4
Sep 30, 2024 16:28:24.922339916 CEST	49736	443	192.168.2.4	104.21.95.187
Sep 30, 2024 16:28:24.922555923 CEST	49736	443	192.168.2.4	104.21.95.187
Sep 30, 2024 16:28:24.922565937 CEST	443	49736	104.21.95.187	192.168.2.4
Sep 30, 2024 16:28:25.398154020 CEST	443	49736	104.21.95.187	192.168.2.4
Sep 30, 2024 16:28:25.447222948 CEST	49736	443	192.168.2.4	104.21.95.187
Sep 30, 2024 16:28:25.447243929 CEST	443	49736	104.21.95.187	192.168.2.4
Sep 30, 2024 16:28:25.448497057 CEST	443	49736	104.21.95.187	192.168.2.4
Sep 30, 2024 16:28:25.448554993 CEST	49736	443	192.168.2.4	104.21.95.187
Sep 30, 2024 16:28:25.449887991 CEST	49736	443	192.168.2.4	104.21.95.187
Sep 30, 2024 16:28:25.449887991 CEST	49736	443	192.168.2.4	104.21.95.187
Sep 30, 2024 16:28:25.449898958 CEST	443	49736	104.21.95.187	192.168.2.4
Sep 30, 2024 16:28:25.449954987 CEST	443	49736	104.21.95.187	192.168.2.4
Sep 30, 2024 16:28:25.503268003 CEST	49736	443	192.168.2.4	104.21.95.187
Sep 30, 2024 16:28:25.503284931 CEST	443	49736	104.21.95.187	192.168.2.4
Sep 30, 2024 16:28:25.557805061 CEST	49736	443	192.168.2.4	104.21.95.187
Sep 30, 2024 16:28:25.947742939 CEST	443	49736	104.21.95.187	192.168.2.4
Sep 30, 2024 16:28:25.947838068 CEST	443	49736	104.21.95.187	192.168.2.4
Sep 30, 2024 16:28:25.947906017 CEST	49736	443	192.168.2.4	104.21.95.187
Sep 30, 2024 16:28:25.959408998 CEST	49736	443	192.168.2.4	104.21.95.187
Sep 30, 2024 16:28:25.959424019 CEST	443	49736	104.21.95.187	192.168.2.4
Sep 30, 2024 16:28:25.967961073 CEST	49739	443	192.168.2.4	35.190.80.1
Sep 30, 2024 16:28:25.968008995 CEST	443	49739	35.190.80.1	192.168.2.4
Sep 30, 2024 16:28:25.968099117 CEST	49739	443	192.168.2.4	35.190.80.1
Sep 30, 2024 16:28:25.970200062 CEST	49739	443	192.168.2.4	35.190.80.1
Sep 30, 2024 16:28:25.970211029 CEST	443	49739	35.190.80.1	192.168.2.4
Sep 30, 2024 16:28:26.170618057 CEST	49740	443	192.168.2.4	104.21.95.187
Sep 30, 2024 16:28:26.170679092 CEST	443	49740	104.21.95.187	192.168.2.4
Sep 30, 2024 16:28:26.170753956 CEST	49740	443	192.168.2.4	104.21.95.187
Sep 30, 2024 16:28:26.171581984 CEST	49740	443	192.168.2.4	104.21.95.187
Sep 30, 2024 16:28:26.171595097 CEST	443	49740	104.21.95.187	192.168.2.4
Sep 30, 2024 16:28:26.428730965 CEST	443	49739	35.190.80.1	192.168.2.4
Sep 30, 2024 16:28:26.429258108 CEST	49739	443	192.168.2.4	35.190.80.1
Sep 30, 2024 16:28:26.429294109 CEST	443	49739	35.190.80.1	192.168.2.4
Sep 30, 2024 16:28:26.430381060 CEST	443	49739	35.190.80.1	192.168.2.4
Sep 30, 2024 16:28:26.430448055 CEST	49739	443	192.168.2.4	35.190.80.1
Sep 30, 2024 16:28:26.432077885 CEST	49739	443	192.168.2.4	35.190.80.1
Sep 30, 2024 16:28:26.432173014 CEST	443	49739	35.190.80.1	192.168.2.4
Sep 30, 2024 16:28:26.432331085 CEST	49739	443	192.168.2.4	35.190.80.1
Sep 30, 2024 16:28:26.432341099 CEST	443	49739	35.190.80.1	192.168.2.4
Sep 30, 2024 16:28:26.463778019 CEST	49741	443	192.168.2.4	216.58.206.36
Sep 30, 2024 16:28:26.463879108 CEST	443	49741	216.58.206.36	192.168.2.4
Sep 30, 2024 16:28:26.463962078 CEST	49741	443	192.168.2.4	216.58.206.36
Sep 30, 2024 16:28:26.464601994 CEST	49741	443	192.168.2.4	216.58.206.36
Sep 30, 2024 16:28:26.464621067 CEST	443	49741	216.58.206.36	192.168.2.4
Sep 30, 2024 16:28:26.481236935 CEST	49739	443	192.168.2.4	35.190.80.1
Sep 30, 2024 16:28:26.566730022 CEST	443	49739	35.190.80.1	192.168.2.4
Sep 30, 2024 16:28:26.567233086 CEST	49739	443	192.168.2.4	35.190.80.1
Sep 30, 2024 16:28:26.567285061 CEST	443	49739	35.190.80.1	192.168.2.4
Sep 30, 2024 16:28:26.567336082 CEST	49739	443	192.168.2.4	35.190.80.1
Sep 30, 2024 16:28:26.568653107 CEST	49742	443	192.168.2.4	35.190.80.1
Sep 30, 2024 16:28:26.568696022 CEST	443	49742	35.190.80.1	192.168.2.4
Sep 30, 2024 16:28:26.568753004 CEST	49742	443	192.168.2.4	35.190.80.1
Sep 30, 2024 16:28:26.569575071 CEST	49742	443	192.168.2.4	35.190.80.1
Sep 30, 2024 16:28:26.569585085 CEST	443	49742	35.190.80.1	192.168.2.4
Sep 30, 2024 16:28:26.625104904 CEST	443	49740	104.21.95.187	192.168.2.4
Sep 30, 2024 16:28:26.634001970 CEST	49740	443	192.168.2.4	104.21.95.187
Sep 30, 2024 16:28:26.634021044 CEST	443	49740	104.21.95.187	192.168.2.4
Sep 30, 2024 16:28:26.635190010 CEST	443	49740	104.21.95.187	192.168.2.4
Sep 30, 2024 16:28:26.635490894 CEST	49740	443	192.168.2.4	104.21.95.187
Sep 30, 2024 16:28:26.635936022 CEST	49740	443	192.168.2.4	104.21.95.187
Sep 30, 2024 16:28:26.636007071 CEST	443	49740	104.21.95.187	192.168.2.4
Sep 30, 2024 16:28:26.636020899 CEST	49740	443	192.168.2.4	104.21.95.187
Sep 30, 2024 16:28:26.636020899 CEST	49740	443	192.168.2.4	104.21.95.187
Sep 30, 2024 16:28:26.636194944 CEST	49740	443	192.168.2.4	104.21.95.187
Sep 30, 2024 16:28:26.639269114 CEST	49743	443	192.168.2.4	104.21.95.187
Sep 30, 2024 16:28:26.639303923 CEST	443	49743	104.21.95.187	192.168.2.4
Sep 30, 2024 16:28:26.644382000 CEST	49743	443	192.168.2.4	104.21.95.187
Sep 30, 2024 16:28:26.665267944 CEST	49743	443	192.168.2.4	104.21.95.187
Sep 30, 2024 16:28:26.665290117 CEST	443	49743	104.21.95.187	192.168.2.4
Sep 30, 2024 16:28:27.024876118 CEST	443	49742	35.190.80.1	192.168.2.4
Sep 30, 2024 16:28:27.029241085 CEST	49742	443	192.168.2.4	35.190.80.1
Sep 30, 2024 16:28:27.029254913 CEST	443	49742	35.190.80.1	192.168.2.4
Sep 30, 2024 16:28:27.030489922 CEST	443	49742	35.190.80.1	192.168.2.4
Sep 30, 2024 16:28:27.030607939 CEST	49742	443	192.168.2.4	35.190.80.1
Sep 30, 2024 16:28:27.030940056 CEST	49742	443	192.168.2.4	35.190.80.1
Sep 30, 2024 16:28:27.031023026 CEST	443	49742	35.190.80.1	192.168.2.4
Sep 30, 2024 16:28:27.032258034 CEST	49742	443	192.168.2.4	35.190.80.1
Sep 30, 2024 16:28:27.079400063 CEST	443	49742	35.190.80.1	192.168.2.4
Sep 30, 2024 16:28:27.083266020 CEST	49742	443	192.168.2.4	35.190.80.1
Sep 30, 2024 16:28:27.083276033 CEST	443	49742	35.190.80.1	192.168.2.4
Sep 30, 2024 16:28:27.120276928 CEST	443	49741	216.58.206.36	192.168.2.4
Sep 30, 2024 16:28:27.121227980 CEST	49741	443	192.168.2.4	216.58.206.36
Sep 30, 2024 16:28:27.121294975 CEST	443	49741	216.58.206.36	192.168.2.4
Sep 30, 2024 16:28:27.122478962 CEST	443	49741	216.58.206.36	192.168.2.4
Sep 30, 2024 16:28:27.122778893 CEST	49741	443	192.168.2.4	216.58.206.36
Sep 30, 2024 16:28:27.123671055 CEST	443	49743	104.21.95.187	192.168.2.4
Sep 30, 2024 16:28:27.123989105 CEST	49743	443	192.168.2.4	104.21.95.187
Sep 30, 2024 16:28:27.124002934 CEST	443	49743	104.21.95.187	192.168.2.4
Sep 30, 2024 16:28:27.124345064 CEST	443	49743	104.21.95.187	192.168.2.4
Sep 30, 2024 16:28:27.125709057 CEST	49743	443	192.168.2.4	104.21.95.187
Sep 30, 2024 16:28:27.125776052 CEST	443	49743	104.21.95.187	192.168.2.4
Sep 30, 2024 16:28:27.127614021 CEST	49743	443	192.168.2.4	104.21.95.187
Sep 30, 2024 16:28:27.127614021 CEST	49742	443	192.168.2.4	35.190.80.1
Sep 30, 2024 16:28:27.158044100 CEST	443	49742	35.190.80.1	192.168.2.4
Sep 30, 2024 16:28:27.158126116 CEST	443	49742	35.190.80.1	192.168.2.4
Sep 30, 2024 16:28:27.158644915 CEST	49742	443	192.168.2.4	35.190.80.1
Sep 30, 2024 16:28:27.158677101 CEST	443	49742	35.190.80.1	192.168.2.4
Sep 30, 2024 16:28:27.158695936 CEST	49742	443	192.168.2.4	35.190.80.1
Sep 30, 2024 16:28:27.158910036 CEST	49742	443	192.168.2.4	35.190.80.1
Sep 30, 2024 16:28:27.171394110 CEST	443	49743	104.21.95.187	192.168.2.4
Sep 30, 2024 16:28:27.445658922 CEST	49741	443	192.168.2.4	216.58.206.36
Sep 30, 2024 16:28:27.446072102 CEST	443	49741	216.58.206.36	192.168.2.4
Sep 30, 2024 16:28:27.492624998 CEST	49741	443	192.168.2.4	216.58.206.36
Sep 30, 2024 16:28:27.492652893 CEST	443	49741	216.58.206.36	192.168.2.4
Sep 30, 2024 16:28:27.540770054 CEST	49741	443	192.168.2.4	216.58.206.36
Sep 30, 2024 16:28:27.725374937 CEST	443	49743	104.21.95.187	192.168.2.4
Sep 30, 2024 16:28:27.725452900 CEST	443	49743	104.21.95.187	192.168.2.4
Sep 30, 2024 16:28:27.725497961 CEST	49743	443	192.168.2.4	104.21.95.187
Sep 30, 2024 16:28:28.179361105 CEST	49743	443	192.168.2.4	104.21.95.187
Sep 30, 2024 16:28:28.179408073 CEST	443	49743	104.21.95.187	192.168.2.4
Sep 30, 2024 16:28:28.706144094 CEST	49744	443	192.168.2.4	184.28.90.27
Sep 30, 2024 16:28:28.706172943 CEST	443	49744	184.28.90.27	192.168.2.4
Sep 30, 2024 16:28:28.706242085 CEST	49744	443	192.168.2.4	184.28.90.27
Sep 30, 2024 16:28:28.712491035 CEST	49744	443	192.168.2.4	184.28.90.27
Sep 30, 2024 16:28:28.712501049 CEST	443	49744	184.28.90.27	192.168.2.4
Sep 30, 2024 16:28:29.356232882 CEST	443	49744	184.28.90.27	192.168.2.4
Sep 30, 2024 16:28:29.356332064 CEST	49744	443	192.168.2.4	184.28.90.27
Sep 30, 2024 16:28:29.362710953 CEST	49744	443	192.168.2.4	184.28.90.27
Sep 30, 2024 16:28:29.362721920 CEST	443	49744	184.28.90.27	192.168.2.4
Sep 30, 2024 16:28:29.363040924 CEST	443	49744	184.28.90.27	192.168.2.4
Sep 30, 2024 16:28:29.528069973 CEST	49744	443	192.168.2.4	184.28.90.27
Sep 30, 2024 16:28:29.635812998 CEST	49744	443	192.168.2.4	184.28.90.27
Sep 30, 2024 16:28:29.679409981 CEST	443	49744	184.28.90.27	192.168.2.4
Sep 30, 2024 16:28:29.826771021 CEST	443	49744	184.28.90.27	192.168.2.4
Sep 30, 2024 16:28:29.826841116 CEST	443	49744	184.28.90.27	192.168.2.4
Sep 30, 2024 16:28:29.826948881 CEST	49744	443	192.168.2.4	184.28.90.27
Sep 30, 2024 16:28:29.827080011 CEST	49744	443	192.168.2.4	184.28.90.27
Sep 30, 2024 16:28:29.827097893 CEST	443	49744	184.28.90.27	192.168.2.4
Sep 30, 2024 16:28:29.877902985 CEST	49745	443	192.168.2.4	184.28.90.27
Sep 30, 2024 16:28:29.877948999 CEST	443	49745	184.28.90.27	192.168.2.4
Sep 30, 2024 16:28:29.878050089 CEST	49745	443	192.168.2.4	184.28.90.27
Sep 30, 2024 16:28:29.878823042 CEST	49745	443	192.168.2.4	184.28.90.27
Sep 30, 2024 16:28:29.878840923 CEST	443	49745	184.28.90.27	192.168.2.4
Sep 30, 2024 16:28:30.521745920 CEST	443	49745	184.28.90.27	192.168.2.4
Sep 30, 2024 16:28:30.521823883 CEST	49745	443	192.168.2.4	184.28.90.27
Sep 30, 2024 16:28:30.523436069 CEST	49745	443	192.168.2.4	184.28.90.27
Sep 30, 2024 16:28:30.523449898 CEST	443	49745	184.28.90.27	192.168.2.4
Sep 30, 2024 16:28:30.523694992 CEST	443	49745	184.28.90.27	192.168.2.4
Sep 30, 2024 16:28:30.524869919 CEST	49745	443	192.168.2.4	184.28.90.27
Sep 30, 2024 16:28:30.567404032 CEST	443	49745	184.28.90.27	192.168.2.4
Sep 30, 2024 16:28:30.807224989 CEST	443	49745	184.28.90.27	192.168.2.4
Sep 30, 2024 16:28:30.807302952 CEST	443	49745	184.28.90.27	192.168.2.4
Sep 30, 2024 16:28:30.807437897 CEST	49745	443	192.168.2.4	184.28.90.27
Sep 30, 2024 16:28:30.808665991 CEST	49745	443	192.168.2.4	184.28.90.27
Sep 30, 2024 16:28:30.808691025 CEST	443	49745	184.28.90.27	192.168.2.4
Sep 30, 2024 16:28:30.808705091 CEST	49745	443	192.168.2.4	184.28.90.27
Sep 30, 2024 16:28:30.808711052 CEST	443	49745	184.28.90.27	192.168.2.4
Sep 30, 2024 16:28:37.020893097 CEST	443	49741	216.58.206.36	192.168.2.4
Sep 30, 2024 16:28:37.021056890 CEST	443	49741	216.58.206.36	192.168.2.4
Sep 30, 2024 16:28:37.021130085 CEST	49741	443	192.168.2.4	216.58.206.36
Sep 30, 2024 16:28:37.398713112 CEST	49741	443	192.168.2.4	216.58.206.36
Sep 30, 2024 16:28:37.398761034 CEST	443	49741	216.58.206.36	192.168.2.4
Sep 30, 2024 16:28:39.684968948 CEST	49723	80	192.168.2.4	88.221.110.91
Sep 30, 2024 16:28:39.690542936 CEST	80	49723	88.221.110.91	192.168.2.4
Sep 30, 2024 16:28:39.690588951 CEST	49723	80	192.168.2.4	88.221.110.91
Sep 30, 2024 16:29:25.969316006 CEST	49754	443	192.168.2.4	35.190.80.1
Sep 30, 2024 16:29:25.969376087 CEST	443	49754	35.190.80.1	192.168.2.4
Sep 30, 2024 16:29:25.973793030 CEST	49754	443	192.168.2.4	35.190.80.1
Sep 30, 2024 16:29:25.973793030 CEST	49754	443	192.168.2.4	35.190.80.1
Sep 30, 2024 16:29:25.973854065 CEST	443	49754	35.190.80.1	192.168.2.4
Sep 30, 2024 16:29:26.457299948 CEST	443	49754	35.190.80.1	192.168.2.4
Sep 30, 2024 16:29:26.457772017 CEST	49754	443	192.168.2.4	35.190.80.1
Sep 30, 2024 16:29:26.457819939 CEST	443	49754	35.190.80.1	192.168.2.4
Sep 30, 2024 16:29:26.458182096 CEST	443	49754	35.190.80.1	192.168.2.4
Sep 30, 2024 16:29:26.459688902 CEST	49754	443	192.168.2.4	35.190.80.1
Sep 30, 2024 16:29:26.459770918 CEST	443	49754	35.190.80.1	192.168.2.4
Sep 30, 2024 16:29:26.460150957 CEST	49754	443	192.168.2.4	35.190.80.1
Sep 30, 2024 16:29:26.503407955 CEST	443	49754	35.190.80.1	192.168.2.4
Sep 30, 2024 16:29:26.512973070 CEST	49754	443	192.168.2.4	35.190.80.1
Sep 30, 2024 16:29:26.523719072 CEST	49755	443	192.168.2.4	216.58.206.36
Sep 30, 2024 16:29:26.523765087 CEST	443	49755	216.58.206.36	192.168.2.4
Sep 30, 2024 16:29:26.524250984 CEST	49755	443	192.168.2.4	216.58.206.36
Sep 30, 2024 16:29:26.525296926 CEST	49755	443	192.168.2.4	216.58.206.36
Sep 30, 2024 16:29:26.525309086 CEST	443	49755	216.58.206.36	192.168.2.4
Sep 30, 2024 16:29:26.588390112 CEST	443	49754	35.190.80.1	192.168.2.4
Sep 30, 2024 16:29:26.588745117 CEST	443	49754	35.190.80.1	192.168.2.4
Sep 30, 2024 16:29:26.588908911 CEST	49754	443	192.168.2.4	35.190.80.1
Sep 30, 2024 16:29:26.589171886 CEST	49754	443	192.168.2.4	35.190.80.1
Sep 30, 2024 16:29:26.589195013 CEST	443	49754	35.190.80.1	192.168.2.4
Sep 30, 2024 16:29:26.589230061 CEST	49754	443	192.168.2.4	35.190.80.1
Sep 30, 2024 16:29:26.589297056 CEST	49754	443	192.168.2.4	35.190.80.1
Sep 30, 2024 16:29:26.593282938 CEST	49756	443	192.168.2.4	35.190.80.1
Sep 30, 2024 16:29:26.593318939 CEST	443	49756	35.190.80.1	192.168.2.4
Sep 30, 2024 16:29:26.599221945 CEST	49756	443	192.168.2.4	35.190.80.1
Sep 30, 2024 16:29:26.601412058 CEST	49756	443	192.168.2.4	35.190.80.1
Sep 30, 2024 16:29:26.601423025 CEST	443	49756	35.190.80.1	192.168.2.4
Sep 30, 2024 16:29:27.075038910 CEST	443	49756	35.190.80.1	192.168.2.4
Sep 30, 2024 16:29:27.075927019 CEST	49756	443	192.168.2.4	35.190.80.1
Sep 30, 2024 16:29:27.075952053 CEST	443	49756	35.190.80.1	192.168.2.4
Sep 30, 2024 16:29:27.076328039 CEST	443	49756	35.190.80.1	192.168.2.4
Sep 30, 2024 16:29:27.077285051 CEST	49756	443	192.168.2.4	35.190.80.1
Sep 30, 2024 16:29:27.077354908 CEST	443	49756	35.190.80.1	192.168.2.4
Sep 30, 2024 16:29:27.077445984 CEST	49756	443	192.168.2.4	35.190.80.1
Sep 30, 2024 16:29:27.123404980 CEST	443	49756	35.190.80.1	192.168.2.4
Sep 30, 2024 16:29:27.155903101 CEST	443	49755	216.58.206.36	192.168.2.4
Sep 30, 2024 16:29:27.156559944 CEST	49755	443	192.168.2.4	216.58.206.36
Sep 30, 2024 16:29:27.156585932 CEST	443	49755	216.58.206.36	192.168.2.4
Sep 30, 2024 16:29:27.156985044 CEST	443	49755	216.58.206.36	192.168.2.4
Sep 30, 2024 16:29:27.158179045 CEST	49755	443	192.168.2.4	216.58.206.36
Sep 30, 2024 16:29:27.158283949 CEST	443	49755	216.58.206.36	192.168.2.4
Sep 30, 2024 16:29:27.200463057 CEST	49755	443	192.168.2.4	216.58.206.36
Sep 30, 2024 16:29:27.207068920 CEST	443	49756	35.190.80.1	192.168.2.4
Sep 30, 2024 16:29:27.207160950 CEST	443	49756	35.190.80.1	192.168.2.4
Sep 30, 2024 16:29:27.207283020 CEST	49756	443	192.168.2.4	35.190.80.1
Sep 30, 2024 16:29:27.225625038 CEST	49756	443	192.168.2.4	35.190.80.1
Sep 30, 2024 16:29:27.225672007 CEST	443	49756	35.190.80.1	192.168.2.4
Sep 30, 2024 16:29:37.064857006 CEST	443	49755	216.58.206.36	192.168.2.4
Sep 30, 2024 16:29:37.064939022 CEST	443	49755	216.58.206.36	192.168.2.4
Sep 30, 2024 16:29:37.065016031 CEST	49755	443	192.168.2.4	216.58.206.36
Sep 30, 2024 16:29:37.365370035 CEST	49755	443	192.168.2.4	216.58.206.36
Sep 30, 2024 16:29:37.365411043 CEST	443	49755	216.58.206.36	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 30, 2024 16:28:22.583153009 CEST	53	49929	1.1.1.1	192.168.2.4
Sep 30, 2024 16:28:22.584619999 CEST	53	54853	1.1.1.1	192.168.2.4
Sep 30, 2024 16:28:23.727914095 CEST	53	52421	1.1.1.1	192.168.2.4
Sep 30, 2024 16:28:24.339237928 CEST	52325	53	192.168.2.4	1.1.1.1
Sep 30, 2024 16:28:24.341373920 CEST	56180	53	192.168.2.4	1.1.1.1
Sep 30, 2024 16:28:24.381747961 CEST	53	56180	1.1.1.1	192.168.2.4
Sep 30, 2024 16:28:24.384721994 CEST	63653	53	192.168.2.4	1.1.1.1
Sep 30, 2024 16:28:24.384859085 CEST	50164	53	192.168.2.4	1.1.1.1
Sep 30, 2024 16:28:24.388101101 CEST	53	52325	1.1.1.1	192.168.2.4
Sep 30, 2024 16:28:24.403676033 CEST	53	50164	1.1.1.1	192.168.2.4
Sep 30, 2024 16:28:24.424595118 CEST	53	63653	1.1.1.1	192.168.2.4
Sep 30, 2024 16:28:25.954225063 CEST	54513	53	192.168.2.4	1.1.1.1
Sep 30, 2024 16:28:25.955260992 CEST	52368	53	192.168.2.4	1.1.1.1
Sep 30, 2024 16:28:25.961456060 CEST	53	54513	1.1.1.1	192.168.2.4
Sep 30, 2024 16:28:25.963116884 CEST	53	52368	1.1.1.1	192.168.2.4
Sep 30, 2024 16:28:26.452980042 CEST	50523	53	192.168.2.4	1.1.1.1
Sep 30, 2024 16:28:26.453830004 CEST	54140	53	192.168.2.4	1.1.1.1
Sep 30, 2024 16:28:26.460808992 CEST	53	50523	1.1.1.1	192.168.2.4
Sep 30, 2024 16:28:26.461101055 CEST	53	54140	1.1.1.1	192.168.2.4
Sep 30, 2024 16:28:40.098867893 CEST	138	138	192.168.2.4	192.168.2.255
Sep 30, 2024 16:28:40.867216110 CEST	53	50060	1.1.1.1	192.168.2.4
Sep 30, 2024 16:28:59.824035883 CEST	53	51852	1.1.1.1	192.168.2.4
Sep 30, 2024 16:29:22.432070017 CEST	53	57253	1.1.1.1	192.168.2.4
Sep 30, 2024 16:29:22.589225054 CEST	53	63677	1.1.1.1	192.168.2.4

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Sep 30, 2024 16:28:24.388164043 CEST	192.168.2.4	1.1.1.1	c207	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 30, 2024 16:28:24.339237928 CEST	192.168.2.4	1.1.1.1	0x7862	Standard query (0)	fms.eciableth.com	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:28:24.341373920 CEST	192.168.2.4	1.1.1.1	0xce43	Standard query (0)	fms.eciableth.com	65	IN (0x0001)	false
Sep 30, 2024 16:28:24.384721994 CEST	192.168.2.4	1.1.1.1	0xa6dc	Standard query (0)	fms.eciableth.com	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:28:24.384859085 CEST	192.168.2.4	1.1.1.1	0xf9ad	Standard query (0)	fms.eciableth.com	65	IN (0x0001)	false
Sep 30, 2024 16:28:25.954225063 CEST	192.168.2.4	1.1.1.1	0x746d	Standard query (0)	a.nel.cloudflare.com	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:28:25.955260992 CEST	192.168.2.4	1.1.1.1	0x3460	Standard query (0)	a.nel.cloudflare.com	65	IN (0x0001)	false
Sep 30, 2024 16:28:26.452980042 CEST	192.168.2.4	1.1.1.1	0xbc46	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:28:26.453830004 CEST	192.168.2.4	1.1.1.1	0x5dde	Standard query (0)	www.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 30, 2024 16:28:24.381747961 CEST	1.1.1.1	192.168.2.4	0xce43	No error (0)	fms.eciableth.com			65	IN (0x0001)	false
Sep 30, 2024 16:28:24.388101101 CEST	1.1.1.1	192.168.2.4	0x7862	No error (0)	fms.eciableth.com		172.67.146.250	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:28:24.388101101 CEST	1.1.1.1	192.168.2.4	0x7862	No error (0)	fms.eciableth.com		104.21.95.187	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:28:24.403676033 CEST	1.1.1.1	192.168.2.4	0xf9ad	No error (0)	fms.eciableth.com			65	IN (0x0001)	false
Sep 30, 2024 16:28:24.424595118 CEST	1.1.1.1	192.168.2.4	0xa6dc	No error (0)	fms.eciableth.com		104.21.95.187	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:28:24.424595118 CEST	1.1.1.1	192.168.2.4	0xa6dc	No error (0)	fms.eciableth.com		172.67.146.250	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:28:25.961456060 CEST	1.1.1.1	192.168.2.4	0x746d	No error (0)	a.nel.cloudflare.com		35.190.80.1	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:28:26.460808992 CEST	1.1.1.1	192.168.2.4	0xbc46	No error (0)	www.google.com		216.58.206.36	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:28:26.461101055 CEST	1.1.1.1	192.168.2.4	0x5dde	No error (0)	www.google.com			65	IN (0x0001)	false
Sep 30, 2024 16:28:40.372680902 CEST	1.1.1.1	192.168.2.4	0xe85a	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Sep 30, 2024 16:28:40.372680902 CEST	1.1.1.1	192.168.2.4	0xe85a	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:28:55.978466988 CEST	1.1.1.1	192.168.2.4	0x7e7e	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Sep 30, 2024 16:28:55.978466988 CEST	1.1.1.1	192.168.2.4	0x7e7e	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:29:14.927743912 CEST	1.1.1.1	192.168.2.4	0x7aae	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Sep 30, 2024 16:29:14.927743912 CEST	1.1.1.1	192.168.2.4	0x7aae	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:29:35.570763111 CEST	1.1.1.1	192.168.2.4	0x6806	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Sep 30, 2024 16:29:35.570763111 CEST	1.1.1.1	192.168.2.4	0x6806	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

fms.eciableth.com

a.nel.cloudflare.com

https:

fs.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49736	104.21.95.187	443	5040	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 14:28:25 UTC	660	OUT	GET / HTTP/1.1 Host: fms.eciableth.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-09-30 14:28:25 UTC	581	IN	HTTP/1.1 404 Not Found Date: Mon, 30 Sep 2024 14:28:25 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6aO9m4H1QOq3grGkMs7InD%2BZmxq3IEGp%2FrlPooCH7cB%2BEwP49PLcTGcvtdeeWtnufY4FA%2BwJONYoyxj7wUPSIyo3HmEmYNFluPfay89k9ykUYAyLU4eLD%2BY204gBGw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Speculation-Rules: "/cdn-cgi/speculation" Server: cloudflare CF-RAY: 8cb4e63b6af817a5-EWR
2024-09-30 14:28:25 UTC	555	IN	Data Raw: 32 32 34 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 Data Ascii: 224<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Ch
2024-09-30 14:28:25 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49739	35.190.80.1	443	5040	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 14:28:26 UTC	540	OUT	OPTIONS /report/v4?s=6aO9m4H1QOq3grGkMs7InD%2BZmxq3IEGp%2FrlPooCH7cB%2BEwP49PLcTGcvtdeeWtnufY4FA%2BwJONYoyxj7wUPSIyo3HmEmYNFluPfay89k9ykUYAyLU4eLD%2BY204gBGw%3D%3D HTTP/1.1 Host: a.nel.cloudflare.com Connection: keep-alive Origin: https://fms.eciableth.com Access-Control-Request-Method: POST Access-Control-Request-Headers: content-type User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-09-30 14:28:26 UTC	336	IN	HTTP/1.1 200 OK Content-Length: 0 access-control-max-age: 86400 access-control-allow-methods: POST, OPTIONS access-control-allow-origin: * access-control-allow-headers: content-type, content-length date: Mon, 30 Sep 2024 14:28:26 GMT Via: 1.1 google Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49742	35.190.80.1	443	5040	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 14:28:27 UTC	480	OUT	POST /report/v4?s=6aO9m4H1QOq3grGkMs7InD%2BZmxq3IEGp%2FrlPooCH7cB%2BEwP49PLcTGcvtdeeWtnufY4FA%2BwJONYoyxj7wUPSIyo3HmEmYNFluPfay89k9ykUYAyLU4eLD%2BY204gBGw%3D%3D HTTP/1.1 Host: a.nel.cloudflare.com Connection: keep-alive Content-Length: 388 Content-Type: application/reports+json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-09-30 14:28:27 UTC	388	OUT	Data Raw: 5b 7b 22 61 67 65 22 3a 31 2c 22 62 6f 64 79 22 3a 7b 22 65 6c 61 70 73 65 64 5f 74 69 6d 65 22 3a 31 35 36 35 2c 22 6d 65 74 68 6f 64 22 3a 22 47 45 54 22 2c 22 70 68 61 73 65 22 3a 22 61 70 70 6c 69 63 61 74 69 6f 6e 22 2c 22 70 72 6f 74 6f 63 6f 6c 22 3a 22 68 74 74 70 2f 31 2e 31 22 2c 22 72 65 66 65 72 72 65 72 22 3a 22 22 2c 22 73 61 6d 70 6c 69 6e 67 5f 66 72 61 63 74 69 6f 6e 22 3a 31 2e 30 2c 22 73 65 72 76 65 72 5f 69 70 22 3a 22 31 30 34 2e 32 31 2e 39 35 2e 31 38 37 22 2c 22 73 74 61 74 75 73 5f 63 6f 64 65 22 3a 34 30 34 2c 22 74 79 70 65 22 3a 22 68 74 74 70 2e 65 72 72 6f 72 22 7d 2c 22 74 79 70 65 22 3a 22 6e 65 74 77 6f 72 6b 2d 65 72 72 6f 72 22 2c 22 75 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 66 6d 73 2e 65 63 69 61 62 6c 65 74 68 2e 63 Data Ascii: [{"age":1,"body":{"elapsed_time":1565,"method":"GET","phase":"application","protocol":"http/1.1","referrer":"","sampling_fraction":1.0,"server_ip":"104.21.95.187","status_code":404,"type":"http.error"},"type":"network-error","url":"https://fms.eciableth.c
2024-09-30 14:28:27 UTC	168	IN	HTTP/1.1 200 OK Content-Length: 0 date: Mon, 30 Sep 2024 14:28:27 GMT Via: 1.1 google Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49743	104.21.95.187	443	5040	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 14:28:27 UTC	590	OUT	GET /favicon.ico HTTP/1.1 Host: fms.eciableth.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://fms.eciableth.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-09-30 14:28:27 UTC	644	IN	HTTP/1.1 404 Not Found Date: Mon, 30 Sep 2024 14:28:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Cache-Control: max-age=14400 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DYTYCivZn1VZSutNqAs6Z4JzM1704EgVKAsvKSUgUhzyuO6k%2FXM0jP5ltSAS%2BaJXB%2Fxy69AnXQdEpRloJ%2FyQuyh2OMZeZnEf1aay0icY73CjoQcP4YQh30Qq7rBCuw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Vary: Accept-Encoding Speculation-Rules: "/cdn-cgi/speculation" CF-Cache-Status: MISS Server: cloudflare CF-RAY: 8cb4e6461ff98cdd-EWR
2024-09-30 14:28:27 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49744	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-09-30 14:28:29 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-09-30 14:28:29 UTC	466	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=25923 Date: Mon, 30 Sep 2024 14:28:29 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49745	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-09-30 14:28:30 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-09-30 14:28:30 UTC	514	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=26006 Date: Mon, 30 Sep 2024 14:28:30 GMT Content-Length: 55 Connection: close X-CID: 2
2024-09-30 14:28:30 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49754	35.190.80.1	443	5040	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 14:29:26 UTC	538	OUT	OPTIONS /report/v4?s=DYTYCivZn1VZSutNqAs6Z4JzM1704EgVKAsvKSUgUhzyuO6k%2FXM0jP5ltSAS%2BaJXB%2Fxy69AnXQdEpRloJ%2FyQuyh2OMZeZnEf1aay0icY73CjoQcP4YQh30Qq7rBCuw%3D%3D HTTP/1.1 Host: a.nel.cloudflare.com Connection: keep-alive Origin: https://fms.eciableth.com Access-Control-Request-Method: POST Access-Control-Request-Headers: content-type User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-09-30 14:29:26 UTC	336	IN	HTTP/1.1 200 OK Content-Length: 0 access-control-max-age: 86400 access-control-allow-methods: POST, OPTIONS access-control-allow-origin: * access-control-allow-headers: content-length, content-type date: Mon, 30 Sep 2024 14:29:26 GMT Via: 1.1 google Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49756	35.190.80.1	443	5040	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 14:29:27 UTC	478	OUT	POST /report/v4?s=DYTYCivZn1VZSutNqAs6Z4JzM1704EgVKAsvKSUgUhzyuO6k%2FXM0jP5ltSAS%2BaJXB%2Fxy69AnXQdEpRloJ%2FyQuyh2OMZeZnEf1aay0icY73CjoQcP4YQh30Qq7rBCuw%3D%3D HTTP/1.1 Host: a.nel.cloudflare.com Connection: keep-alive Content-Length: 429 Content-Type: application/reports+json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-09-30 14:29:27 UTC	429	OUT	Data Raw: 5b 7b 22 61 67 65 22 3a 35 37 38 36 35 2c 22 62 6f 64 79 22 3a 7b 22 65 6c 61 70 73 65 64 5f 74 69 6d 65 22 3a 31 39 33 32 2c 22 6d 65 74 68 6f 64 22 3a 22 47 45 54 22 2c 22 70 68 61 73 65 22 3a 22 61 70 70 6c 69 63 61 74 69 6f 6e 22 2c 22 70 72 6f 74 6f 63 6f 6c 22 3a 22 68 74 74 70 2f 31 2e 31 22 2c 22 72 65 66 65 72 72 65 72 22 3a 22 68 74 74 70 73 3a 2f 2f 66 6d 73 2e 65 63 69 61 62 6c 65 74 68 2e 63 6f 6d 2f 22 2c 22 73 61 6d 70 6c 69 6e 67 5f 66 72 61 63 74 69 6f 6e 22 3a 31 2e 30 2c 22 73 65 72 76 65 72 5f 69 70 22 3a 22 31 30 34 2e 32 31 2e 39 35 2e 31 38 37 22 2c 22 73 74 61 74 75 73 5f 63 6f 64 65 22 3a 34 30 34 2c 22 74 79 70 65 22 3a 22 68 74 74 70 2e 65 72 72 6f 72 22 7d 2c 22 74 79 70 65 22 3a 22 6e 65 74 77 6f 72 6b 2d 65 72 72 6f 72 22 2c Data Ascii: [{"age":57865,"body":{"elapsed_time":1932,"method":"GET","phase":"application","protocol":"http/1.1","referrer":"https://fms.eciableth.com/","sampling_fraction":1.0,"server_ip":"104.21.95.187","status_code":404,"type":"http.error"},"type":"network-error",
2024-09-30 14:29:27 UTC	168	IN	HTTP/1.1 200 OK Content-Length: 0 date: Mon, 30 Sep 2024 14:29:27 GMT Via: 1.1 google Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: chrome.exePID: 5800, Parent PID: 1816

General

Target ID:	0
Start time:	10:28:18
Start date:	30/09/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 5040, Parent PID: 5800

General

Target ID:	2
Start time:	10:28:20
Start date:	30/09/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2420 --field-trial-handle=2384,i,14674231627632601444,12975657766578784345,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 6424, Parent PID: 1816

General

Target ID:	3
Start time:	10:28:23
Start date:	30/09/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "http://fms.eciableth.com"
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: fms.eciableth.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: fms.eciableth.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://fms.eciableth.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com

Source: global traffic	DNS traffic detected: DNS query: fms.eciableth.com
Source: global traffic	DNS traffic detected: DNS query: a.nel.cloudflare.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report http://fms.eciableth.com

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Phishing

Compliance

Networking

System Summary

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Chrome Cache Entry: 41

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: chrome.exePID: 5800, Parent PID: 1816

General

Chronological Activities

Analysis Process: chrome.exePID: 5040, Parent PID: 5800

General

Chronological Activities

Analysis Process: chrome.exePID: 6424, Parent PID: 1816

General

Chronological Activities

Disassembly

Windows Analysis Report
http://fms.eciableth.com