Edit tour

Windows Analysis Report
https://busb.co.in/oldmega/z/?clickid=b888eq57sa17s0685&t1=november-his-vyyqe24dy4&t2=gamboge-scorpion&t3=the,and,for,wrexham,pub,been,horse,have,who,changes,with,new,its,you,about,and%C2%A0jockey,has,get,street,centre,city,jockey,completely,contact,wrexham:,reopens,after,refurbishment,lea&lpkey=17b

Overview

General Information

Sample URL:	https://busb.co.in/oldmega/z/?clickid=b888eq57sa17s0685&t1=november-his-vyyqe24dy4&t2=gamboge-scorpion&t3=the,and,for,wrexham,pub,been,horse,have,who,changes,with,new,its,you,about,and%C2%A0jockey,has
Analysis ID:	1524244
Infos:

Detection

Score:	1
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Detected non-DNS traffic on DNS port

Stores files to the Windows start menu directory

Classification

Process Tree

System is w10x64

chrome.exe (PID: 6600 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

chrome.exe (PID: 6544 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2024 --field-trial-handle=2052,i,10686121232569316346,15910571144518359988,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

chrome.exe (PID: 1244 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://busb.co.in/oldmega/z/?clickid=b888eq57sa17s0685&t1=november-his-vyyqe24dy4&t2=gamboge-scorpion&t3=the,and,for,wrexham,pub,been,horse,have,who,changes,with,new,its,you,about,and%C2%A0jockey,has,get,street,centre,city,jockey,completely,contact,wrexham:,reopens,after,refurbishment,lea&lpkey=17b827a280f5452268&uclick=q57sa17s0&uclickhash=q57sa17s0-q57sa17s0-7si4-dv0-2tg5-fnsy8n-fnsywj-b5de8f" MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.10:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.10:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 173.222.162.55:443 -> 192.168.2.10:49723 version: TLS 1.2

Source: global traffic

TCP traffic: 192.168.2.10:58629 -> 162.159.36.2:53

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55

Source: global traffic	HTTP traffic detected: GET /oldmega/z/?clickid=b888eq57sa17s0685&t1=november-his-vyyqe24dy4&t2=gamboge-scorpion&t3=the,and,for,wrexham,pub,been,horse,have,who,changes,with,new,its,you,about,and%C2%A0jockey,has,get,street,centre,city,jockey,completely,contact,wrexham:,reopens,after,refurbishment,lea&lpkey=17b827a280f5452268&uclick=q57sa17s0&uclickhash=q57sa17s0-q57sa17s0-7si4-dv0-2tg5-fnsy8n-fnsywj-b5de8f HTTP/1.1Host: busb.co.inConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: busb.co.inConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://busb.co.in/oldmega/z/?clickid=b888eq57sa17s0685&t1=november-his-vyyqe24dy4&t2=gamboge-scorpion&t3=the,and,for,wrexham,pub,been,horse,have,who,changes,with,new,its,you,about,and%C2%A0jockey,has,get,street,centre,city,jockey,completely,contact,wrexham:,reopens,after,refurbishment,lea&lpkey=17b827a280f5452268&uclick=q57sa17s0&uclickhash=q57sa17s0-q57sa17s0-7si4-dv0-2tg5-fnsy8n-fnsywj-b5de8fAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com

Source: global traffic	DNS traffic detected: DNS query: busb.co.in
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: 241.42.69.40.in-addr.arpa

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0Date: Wed, 02 Oct 2024 14:33:44 GMTContent-Type: text/htmlContent-Length: 555Connection: close

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58635
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58635 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.10:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.10:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 173.222.162.55:443 -> 192.168.2.10:49723 version: TLS 1.2

Source: classification engine

Classification label: clean1.win@16/8@6/5

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Jump to behavior

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2024 --field-trial-handle=2052,i,10686121232569316346,15910571144518359988,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://busb.co.in/oldmega/z/?clickid=b888eq57sa17s0685&t1=november-his-vyyqe24dy4&t2=gamboge-scorpion&t3=the,and,for,wrexham,pub,been,horse,have,who,changes,with,new,its,you,about,and%C2%A0jockey,has,get,street,centre,city,jockey,completely,contact,wrexham:,reopens,after,refurbishment,lea&lpkey=17b827a280f5452268&uclick=q57sa17s0&uclickhash=q57sa17s0-q57sa17s0-7si4-dv0-2tg5-fnsy8n-fnsywj-b5de8f"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2024 --field-trial-handle=2052,i,10686121232569316346,15910571144518359988,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Google Drive.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	1 Process Injection	1 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	3 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	3 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
busb.co.in	5.45.127.145	true	false	unknown
www.google.com	216.58.206.68	true	false	unknown
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	217.20.57.34	true	false	unknown
241.42.69.40.in-addr.arpa	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://busb.co.in/favicon.ico	false		unknown
https://busb.co.in/oldmega/z/?clickid=b888eq57sa17s0685&t1=november-his-vyyqe24dy4&t2=gamboge-scorpion&t3=the,and,for,wrexham,pub,been,horse,have,who,changes,with,new,its,you,about,and%C2%A0jockey,has,get,street,centre,city,jockey,completely,contact,wrexham:,reopens,after,refurbishment,lea&lpkey=17b827a280f5452268&uclick=q57sa17s0&uclickhash=q57sa17s0-q57sa17s0-7si4-dv0-2tg5-fnsy8n-fnsywj-b5de8f	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.185.68	unknown	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
5.45.127.145	busb.co.in	Estonia	198068	PAGM-ASEE	false
216.58.206.68	www.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.10

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1524244
Start date and time:	2024-10-02 16:32:47 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	https://busb.co.in/oldmega/z/?clickid=b888eq57sa17s0685&t1=november-his-vyyqe24dy4&t2=gamboge-scorpion&t3=the,and,for,wrexham,pub,been,horse,have,who,changes,with,new,its,you,about,and%C2%A0jockey,has,get,street,centre,city,jockey,completely,contact,wrexham:,reopens,after,refurbishment,lea&lpkey=17b827a280f5452268&uclick=q57sa17s0&uclickhash=q57sa17s0-q57sa17s0-7si4-dv0-2tg5-fnsy8n-fnsywj-b5de8f
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean1.win@16/8@6/5
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, dllhost.exe, SIHClient.exe, Sgrmuserer.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.186.131, 74.125.206.84, 142.250.185.206, 34.104.35.123, 13.85.23.86, 217.20.57.34, 52.165.164.15, 88.221.110.91, 2.16.100.168, 13.85.23.206, 40.69.42.241, 20.12.23.50, 20.114.59.183, 142.250.181.227
Excluded domains from analysis (whitelisted): fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, clientservices.googleapis.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net, fe3.delivery.mp.microsoft.com, clients2.google.com, edgedl.me.gvt1.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, update.googleapis.com, clients.l.google.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: https://busb.co.in/oldmega/z/?clickid=b888eq57sa17s0685&t1=november-his-vyyqe24dy4&t2=gamboge-scorpion&t3=the,and,for,wrexham,pub,been,horse,have,who,changes,with,new,its,you,about,and%C2%A0jockey,has,get,street,centre,city,jockey,completely,contact,wrexham:,reopens,after,refurbishment,lea&lpkey=17b827a280f5452268&uclick=q57sa17s0&uclickhash=q57sa17s0-q57sa17s0-7si4-dv0-2tg5-fnsy8n-fnsywj-b5de8f

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 2 13:33:41 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2673
Entropy (8bit):	3.9753724840336466
Encrypted:	false
SSDEEP:	48:8p6bdaLTTAmHwidAKZdA1uehwiZUklqehSy+3:8p9Qa1y
MD5:	DE84CED55A4ED5160A93D3D8057C0E03
SHA1:	D61500F2E51179ADE4F51B32CDB620EDCFF9E4BF
SHA-256:	885E40271A7E9D172984468C7606999E83A4FD47F3E41C13A23A87DC8FE4533C
SHA-512:	E861A7AF2DAB5698571DD423460822838C5B3C991750C3F703AA535587FC238A78F21E903FC18890EC65AD0FEF53892EDD1D5E43B2F8EF0AE348336C6D03D405
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.....g..........y... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW$O..PROGRA~1..t......O.IBY4t....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VBY4t....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.L..Chrome..>......CW.VBY4t....M......................k..C.h.r.o.m.e.....`.1.....EW.L..APPLIC~1..H......CW.VBY4t...........................k..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.VBY5t....N.......................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........ik.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 2 13:33:41 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2675
Entropy (8bit):	3.9922503992342206
Encrypted:	false
SSDEEP:	48:8m6bdaLTTAmHwidAKZdA1Heh/iZUkAQkqehly+2:8m9QE9Q4y
MD5:	A3CB73CE2CBABC7C32128AFDE2DCE3CA
SHA1:	1717BA2F3F6660C624CF1E4975C5F5512A6CC1FE
SHA-256:	7AF200C4D01EF90FF77091E4A259AEFAAC40A61BEA8BD528F80B1F8111474CB7
SHA-512:	1F855E039AFA1156B4AF612318CF557C61B6C898E425C057E6F98FE319C20D84C42289F9FABDE4FB1E3209871D0B887128001A35B166B91B5697933E39BCF0D7
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.....7..........y... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW$O..PROGRA~1..t......O.IBY4t....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VBY4t....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.L..Chrome..>......CW.VBY4t....M......................k..C.h.r.o.m.e.....`.1.....EW.L..APPLIC~1..H......CW.VBY4t...........................k..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.VBY5t....N.......................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........ik.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Oct 5 08:59:33 2023, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2689
Entropy (8bit):	4.002991200991106
Encrypted:	false
SSDEEP:	48:8F6bdaLTTAbHwidAKZdA149eh7sFiZUkmgqeh7sry+BX:8F9Q7npy
MD5:	4FDD563C6836E27EDA9B36E5D33806C2
SHA1:	EA20785BE90A2A1320A51AD17EC66E9D3892457F
SHA-256:	12F41427FD31A1907CE34AD852144DAD956B73DA9B8AC0DFECA3C586C134E040
SHA-512:	01E2D1E9324B462500C249F1666452911894B4F14C323B225356B71F4357406CB5128CDFBF499B80732748A68ACB40F5E852DC5194585A6227570F9064BBDB01
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....K..r.......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW$O..PROGRA~1..t......O.IBY4t....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VBY4t....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.L..Chrome..>......CW.VBY4t....M......................k..C.h.r.o.m.e.....`.1.....EW.L..APPLIC~1..H......CW.VBY4t...........................k..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.VEW.L....N.......................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........ik.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 2 13:33:41 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.9902535301139186
Encrypted:	false
SSDEEP:	48:8t6bdaLTTAmHwidAKZdA14ehDiZUkwqehRy+R:8t9QfTy
MD5:	7FC22F757FEA4ADA9F39D4C088D57BF9
SHA1:	C191E315AD0298E5B16B33F6B593A8712B76A31E
SHA-256:	DB344B189B1B2E60C136A5E85905F0640A764782D39097615CDDE9208393ABBB
SHA-512:	4F579E976231506B91032AC646EF063F19D9E330818D523D60523C587450FC8DA9E3FC2AB0191580582A9BD6A24BFD1169620B451BAD32D23DFA4DF66A76AAC5
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,................y... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW$O..PROGRA~1..t......O.IBY4t....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VBY4t....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.L..Chrome..>......CW.VBY4t....M......................k..C.h.r.o.m.e.....`.1.....EW.L..APPLIC~1..H......CW.VBY4t...........................k..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.VBY5t....N.......................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........ik.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 2 13:33:41 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.980416507760397
Encrypted:	false
SSDEEP:	48:8r6bdaLTTAmHwidAKZdA1mehBiZUk1W1qehfy+C:8r9QP9/y
MD5:	B194679FC243CAD293F12B8475550DA9
SHA1:	61B5840347F823A01C45E269A119A7F4876E64E0
SHA-256:	9ADA31FC752D4BFBF2F095C03BDEAC7C48D834EBBF5F2C22A40227356E8FDF5D
SHA-512:	9E83D8B5577C6039DD964943A0E2F493575B976E333E403A9502DD5A24BAA81F6A1C342E58176B0D8838525105FCEEF0A9C1C74154866B1A6738509361059278
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,................y... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW$O..PROGRA~1..t......O.IBY4t....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VBY4t....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.L..Chrome..>......CW.VBY4t....M......................k..C.h.r.o.m.e.....`.1.....EW.L..APPLIC~1..H......CW.VBY4t...........................k..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.VBY5t....N.......................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........ik.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 2 13:33:41 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	3.991092612036337
Encrypted:	false
SSDEEP:	48:8T6bdaLTTAmHwidAKZdA1duT1ehOuTbbiZUk5OjqehOuTbpy+yT+:8T9QuTyTbxWOvTbpy7T
MD5:	B9BF4E828A90AC7797F148078E024FB0
SHA1:	D3AA18A620E77CC78A4E3A47A9F9DDEC351E3DAD
SHA-256:	3B5C3A0BCF8AC1DC0AB69DEAF98FA3EB3B0913335924247FB83B1FD8E7E055B0
SHA-512:	1A9D85E783C8059BEE66E04759E746B442845DECB3E0B4C8C40B658E07B0838E4A83259B6D67A7EBFF83931CC4A1FBDE461D819F29C470C9325050C43840CEED
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,................y... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW$O..PROGRA~1..t......O.IBY4t....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VBY4t....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.L..Chrome..>......CW.VBY4t....M......................k..C.h.r.o.m.e.....`.1.....EW.L..APPLIC~1..H......CW.VBY4t...........................k..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.VBY5t....N.......................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........ik.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Chrome Cache Entry: 62

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	downloaded
Size (bytes):	555
Entropy (8bit):	4.734589619218495
Encrypted:	false
SSDEEP:	12:TjeRHVIdtklI5rvy1INGlTF5TF5TF5TF5TF5TFK:neRH68pTPTPTPTPTPTc
MD5:	7D34D86E35ADE3769B332E032633EBD9
SHA1:	CBD7FB5217C686A8C5CDB8E9C9C71B611B4F526A
SHA-256:	338E171ECD2E7B7B1D89C2BED70F9A33477B1345BE879B35A211925B67476DCF
SHA-512:	73BF84CA367F4221F33294D9C408B97CFC29BDC23843D12EDDDB20D7072A3A0EB0E874E6198E7AD083A65B6F829B6E11F754BB2F6C074EB4D5184F0D7EC34E17
Malicious:	false
Reputation:	low
URL:	https://busb.co.in/favicon.ico
Preview:	<html>..<head><title>404 Not Found</title></head>..<body>..<center><h1>404 Not Found</h1></center>..<hr><center>nginx/1.24.0</center>..</body>..</html>.. a padding to disable MSIE and Chrome friendly error page -->.. a padding to disable MSIE and Chrome friendly error page -->.. a padding to disable MSIE and Chrome friendly error page -->.. a padding to disable MSIE and Chrome friendly error page -->.. a padding to disable MSIE and Chrome friendly error page -->.. a padding to disable MSIE and Chrome friendly error page -->..

Static File Info

⊘No static file info

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 2, 2024 16:33:34.348604918 CEST	49671	443	192.168.2.10	204.79.197.203
Oct 2, 2024 16:33:36.239204884 CEST	49674	443	192.168.2.10	173.222.162.55
Oct 2, 2024 16:33:36.239653111 CEST	49675	443	192.168.2.10	173.222.162.55
Oct 2, 2024 16:33:39.161206007 CEST	49671	443	192.168.2.10	204.79.197.203
Oct 2, 2024 16:33:39.217367887 CEST	49677	443	192.168.2.10	20.42.65.85
Oct 2, 2024 16:33:39.520479918 CEST	49677	443	192.168.2.10	20.42.65.85
Oct 2, 2024 16:33:40.208005905 CEST	49677	443	192.168.2.10	20.42.65.85
Oct 2, 2024 16:33:41.410423994 CEST	49677	443	192.168.2.10	20.42.65.85
Oct 2, 2024 16:33:42.708486080 CEST	49711	443	192.168.2.10	5.45.127.145
Oct 2, 2024 16:33:42.708520889 CEST	443	49711	5.45.127.145	192.168.2.10
Oct 2, 2024 16:33:42.708692074 CEST	49712	443	192.168.2.10	5.45.127.145
Oct 2, 2024 16:33:42.708745003 CEST	443	49712	5.45.127.145	192.168.2.10
Oct 2, 2024 16:33:42.709028006 CEST	49711	443	192.168.2.10	5.45.127.145
Oct 2, 2024 16:33:42.709044933 CEST	49712	443	192.168.2.10	5.45.127.145
Oct 2, 2024 16:33:42.709244013 CEST	49712	443	192.168.2.10	5.45.127.145
Oct 2, 2024 16:33:42.709254980 CEST	443	49712	5.45.127.145	192.168.2.10
Oct 2, 2024 16:33:42.709487915 CEST	49711	443	192.168.2.10	5.45.127.145
Oct 2, 2024 16:33:42.709506035 CEST	443	49711	5.45.127.145	192.168.2.10
Oct 2, 2024 16:33:43.676414967 CEST	443	49712	5.45.127.145	192.168.2.10
Oct 2, 2024 16:33:43.676675081 CEST	49712	443	192.168.2.10	5.45.127.145
Oct 2, 2024 16:33:43.676704884 CEST	443	49712	5.45.127.145	192.168.2.10
Oct 2, 2024 16:33:43.677772999 CEST	443	49712	5.45.127.145	192.168.2.10
Oct 2, 2024 16:33:43.678700924 CEST	49712	443	192.168.2.10	5.45.127.145
Oct 2, 2024 16:33:43.679893970 CEST	443	49711	5.45.127.145	192.168.2.10
Oct 2, 2024 16:33:43.680104017 CEST	49712	443	192.168.2.10	5.45.127.145
Oct 2, 2024 16:33:43.680366039 CEST	49712	443	192.168.2.10	5.45.127.145
Oct 2, 2024 16:33:43.680372953 CEST	443	49712	5.45.127.145	192.168.2.10
Oct 2, 2024 16:33:43.680727959 CEST	443	49712	5.45.127.145	192.168.2.10
Oct 2, 2024 16:33:43.680814981 CEST	49711	443	192.168.2.10	5.45.127.145
Oct 2, 2024 16:33:43.680834055 CEST	443	49711	5.45.127.145	192.168.2.10
Oct 2, 2024 16:33:43.681854963 CEST	443	49711	5.45.127.145	192.168.2.10
Oct 2, 2024 16:33:43.682051897 CEST	49711	443	192.168.2.10	5.45.127.145
Oct 2, 2024 16:33:43.683295965 CEST	49711	443	192.168.2.10	5.45.127.145
Oct 2, 2024 16:33:43.683361053 CEST	443	49711	5.45.127.145	192.168.2.10
Oct 2, 2024 16:33:43.722502947 CEST	49712	443	192.168.2.10	5.45.127.145
Oct 2, 2024 16:33:43.722520113 CEST	443	49712	5.45.127.145	192.168.2.10
Oct 2, 2024 16:33:43.739341021 CEST	49711	443	192.168.2.10	5.45.127.145
Oct 2, 2024 16:33:43.739351988 CEST	443	49711	5.45.127.145	192.168.2.10
Oct 2, 2024 16:33:43.889398098 CEST	49711	443	192.168.2.10	5.45.127.145
Oct 2, 2024 16:33:43.911031008 CEST	49712	443	192.168.2.10	5.45.127.145
Oct 2, 2024 16:33:43.911070108 CEST	49677	443	192.168.2.10	20.42.65.85
Oct 2, 2024 16:33:44.001900911 CEST	443	49712	5.45.127.145	192.168.2.10
Oct 2, 2024 16:33:44.002000093 CEST	443	49712	5.45.127.145	192.168.2.10
Oct 2, 2024 16:33:44.006757021 CEST	49712	443	192.168.2.10	5.45.127.145
Oct 2, 2024 16:33:44.013483047 CEST	49712	443	192.168.2.10	5.45.127.145
Oct 2, 2024 16:33:44.013504028 CEST	443	49712	5.45.127.145	192.168.2.10
Oct 2, 2024 16:33:44.107924938 CEST	49711	443	192.168.2.10	5.45.127.145
Oct 2, 2024 16:33:44.155394077 CEST	443	49711	5.45.127.145	192.168.2.10
Oct 2, 2024 16:33:44.319000959 CEST	443	49711	5.45.127.145	192.168.2.10
Oct 2, 2024 16:33:44.319088936 CEST	443	49711	5.45.127.145	192.168.2.10
Oct 2, 2024 16:33:44.326678038 CEST	49711	443	192.168.2.10	5.45.127.145
Oct 2, 2024 16:33:44.338116884 CEST	49711	443	192.168.2.10	5.45.127.145
Oct 2, 2024 16:33:44.338135004 CEST	443	49711	5.45.127.145	192.168.2.10
Oct 2, 2024 16:33:45.435669899 CEST	49716	443	192.168.2.10	216.58.206.68
Oct 2, 2024 16:33:45.435705900 CEST	443	49716	216.58.206.68	192.168.2.10
Oct 2, 2024 16:33:45.437767982 CEST	49716	443	192.168.2.10	216.58.206.68
Oct 2, 2024 16:33:45.438127995 CEST	49716	443	192.168.2.10	216.58.206.68
Oct 2, 2024 16:33:45.438143969 CEST	443	49716	216.58.206.68	192.168.2.10
Oct 2, 2024 16:33:45.868818998 CEST	49717	443	192.168.2.10	184.28.90.27
Oct 2, 2024 16:33:45.868865013 CEST	443	49717	184.28.90.27	192.168.2.10
Oct 2, 2024 16:33:45.869285107 CEST	49717	443	192.168.2.10	184.28.90.27
Oct 2, 2024 16:33:45.870814085 CEST	49717	443	192.168.2.10	184.28.90.27
Oct 2, 2024 16:33:45.870829105 CEST	443	49717	184.28.90.27	192.168.2.10
Oct 2, 2024 16:33:45.965709925 CEST	49674	443	192.168.2.10	173.222.162.55
Oct 2, 2024 16:33:45.965759039 CEST	49675	443	192.168.2.10	173.222.162.55
Oct 2, 2024 16:33:46.093391895 CEST	443	49716	216.58.206.68	192.168.2.10
Oct 2, 2024 16:33:46.102359056 CEST	49716	443	192.168.2.10	216.58.206.68
Oct 2, 2024 16:33:46.102369070 CEST	443	49716	216.58.206.68	192.168.2.10
Oct 2, 2024 16:33:46.103513002 CEST	443	49716	216.58.206.68	192.168.2.10
Oct 2, 2024 16:33:46.115398884 CEST	443	49716	216.58.206.68	192.168.2.10
Oct 2, 2024 16:33:46.117366076 CEST	49716	443	192.168.2.10	216.58.206.68
Oct 2, 2024 16:33:46.211415052 CEST	49716	443	192.168.2.10	216.58.206.68
Oct 2, 2024 16:33:46.211570978 CEST	443	49716	216.58.206.68	192.168.2.10
Oct 2, 2024 16:33:46.318068027 CEST	49716	443	192.168.2.10	216.58.206.68
Oct 2, 2024 16:33:46.318084955 CEST	443	49716	216.58.206.68	192.168.2.10
Oct 2, 2024 16:33:46.515728951 CEST	49716	443	192.168.2.10	216.58.206.68
Oct 2, 2024 16:33:46.533832073 CEST	443	49717	184.28.90.27	192.168.2.10
Oct 2, 2024 16:33:46.534835100 CEST	49717	443	192.168.2.10	184.28.90.27
Oct 2, 2024 16:33:46.541543961 CEST	49717	443	192.168.2.10	184.28.90.27
Oct 2, 2024 16:33:46.541560888 CEST	443	49717	184.28.90.27	192.168.2.10
Oct 2, 2024 16:33:46.541830063 CEST	443	49717	184.28.90.27	192.168.2.10
Oct 2, 2024 16:33:46.599406004 CEST	49717	443	192.168.2.10	184.28.90.27
Oct 2, 2024 16:33:47.085185051 CEST	49717	443	192.168.2.10	184.28.90.27
Oct 2, 2024 16:33:47.127402067 CEST	443	49717	184.28.90.27	192.168.2.10
Oct 2, 2024 16:33:47.270701885 CEST	443	49717	184.28.90.27	192.168.2.10
Oct 2, 2024 16:33:47.270781994 CEST	443	49717	184.28.90.27	192.168.2.10
Oct 2, 2024 16:33:47.270903111 CEST	49717	443	192.168.2.10	184.28.90.27
Oct 2, 2024 16:33:47.270935059 CEST	443	49717	184.28.90.27	192.168.2.10
Oct 2, 2024 16:33:47.270972013 CEST	49717	443	192.168.2.10	184.28.90.27
Oct 2, 2024 16:33:47.270977974 CEST	443	49717	184.28.90.27	192.168.2.10
Oct 2, 2024 16:33:47.270991087 CEST	49717	443	192.168.2.10	184.28.90.27
Oct 2, 2024 16:33:47.270993948 CEST	443	49717	184.28.90.27	192.168.2.10
Oct 2, 2024 16:33:47.321630001 CEST	49718	443	192.168.2.10	184.28.90.27
Oct 2, 2024 16:33:47.321670055 CEST	443	49718	184.28.90.27	192.168.2.10
Oct 2, 2024 16:33:47.321765900 CEST	49718	443	192.168.2.10	184.28.90.27
Oct 2, 2024 16:33:47.322042942 CEST	49718	443	192.168.2.10	184.28.90.27
Oct 2, 2024 16:33:47.322056055 CEST	443	49718	184.28.90.27	192.168.2.10
Oct 2, 2024 16:33:47.976752043 CEST	443	49718	184.28.90.27	192.168.2.10
Oct 2, 2024 16:33:47.981724977 CEST	49718	443	192.168.2.10	184.28.90.27
Oct 2, 2024 16:33:48.030405998 CEST	49718	443	192.168.2.10	184.28.90.27
Oct 2, 2024 16:33:48.030425072 CEST	443	49718	184.28.90.27	192.168.2.10
Oct 2, 2024 16:33:48.030670881 CEST	443	49718	184.28.90.27	192.168.2.10
Oct 2, 2024 16:33:48.038127899 CEST	49718	443	192.168.2.10	184.28.90.27
Oct 2, 2024 16:33:48.083403111 CEST	443	49718	184.28.90.27	192.168.2.10
Oct 2, 2024 16:33:48.258054018 CEST	443	49718	184.28.90.27	192.168.2.10
Oct 2, 2024 16:33:48.258146048 CEST	443	49718	184.28.90.27	192.168.2.10
Oct 2, 2024 16:33:48.266629934 CEST	49718	443	192.168.2.10	184.28.90.27
Oct 2, 2024 16:33:48.324002981 CEST	49718	443	192.168.2.10	184.28.90.27
Oct 2, 2024 16:33:48.324037075 CEST	443	49718	184.28.90.27	192.168.2.10
Oct 2, 2024 16:33:48.324054003 CEST	49718	443	192.168.2.10	184.28.90.27
Oct 2, 2024 16:33:48.324060917 CEST	443	49718	184.28.90.27	192.168.2.10
Oct 2, 2024 16:33:48.712537050 CEST	49677	443	192.168.2.10	20.42.65.85
Oct 2, 2024 16:33:48.783404112 CEST	49671	443	192.168.2.10	204.79.197.203
Oct 2, 2024 16:33:55.999150991 CEST	443	49716	216.58.206.68	192.168.2.10
Oct 2, 2024 16:33:55.999224901 CEST	443	49716	216.58.206.68	192.168.2.10
Oct 2, 2024 16:33:55.999325991 CEST	49716	443	192.168.2.10	216.58.206.68
Oct 2, 2024 16:33:56.968152046 CEST	49716	443	192.168.2.10	216.58.206.68
Oct 2, 2024 16:33:56.968178034 CEST	443	49716	216.58.206.68	192.168.2.10
Oct 2, 2024 16:33:58.296639919 CEST	49672	443	192.168.2.10	173.222.162.55
Oct 2, 2024 16:33:58.297127962 CEST	49723	443	192.168.2.10	173.222.162.55
Oct 2, 2024 16:33:58.297173977 CEST	443	49723	173.222.162.55	192.168.2.10
Oct 2, 2024 16:33:58.297245026 CEST	49723	443	192.168.2.10	173.222.162.55
Oct 2, 2024 16:33:58.297494888 CEST	49723	443	192.168.2.10	173.222.162.55
Oct 2, 2024 16:33:58.297508001 CEST	443	49723	173.222.162.55	192.168.2.10
Oct 2, 2024 16:33:58.320951939 CEST	49677	443	192.168.2.10	20.42.65.85
Oct 2, 2024 16:33:58.602313995 CEST	49672	443	192.168.2.10	173.222.162.55
Oct 2, 2024 16:33:58.904879093 CEST	443	49723	173.222.162.55	192.168.2.10
Oct 2, 2024 16:33:58.904959917 CEST	49723	443	192.168.2.10	173.222.162.55
Oct 2, 2024 16:33:59.211549044 CEST	49672	443	192.168.2.10	173.222.162.55
Oct 2, 2024 16:34:00.414737940 CEST	49672	443	192.168.2.10	173.222.162.55
Oct 2, 2024 16:34:02.817111969 CEST	49672	443	192.168.2.10	173.222.162.55
Oct 2, 2024 16:34:07.629656076 CEST	49672	443	192.168.2.10	173.222.162.55
Oct 2, 2024 16:34:11.984946966 CEST	58629	53	192.168.2.10	162.159.36.2
Oct 2, 2024 16:34:11.989845991 CEST	53	58629	162.159.36.2	192.168.2.10
Oct 2, 2024 16:34:11.989912033 CEST	58629	53	192.168.2.10	162.159.36.2
Oct 2, 2024 16:34:11.989964962 CEST	58629	53	192.168.2.10	162.159.36.2
Oct 2, 2024 16:34:11.994837046 CEST	53	58629	162.159.36.2	192.168.2.10
Oct 2, 2024 16:34:12.454658985 CEST	53	58629	162.159.36.2	192.168.2.10
Oct 2, 2024 16:34:12.455502033 CEST	58629	53	192.168.2.10	162.159.36.2
Oct 2, 2024 16:34:12.460983992 CEST	53	58629	162.159.36.2	192.168.2.10
Oct 2, 2024 16:34:12.461033106 CEST	58629	53	192.168.2.10	162.159.36.2
Oct 2, 2024 16:34:17.239078045 CEST	49672	443	192.168.2.10	173.222.162.55
Oct 2, 2024 16:34:18.049494982 CEST	443	49723	173.222.162.55	192.168.2.10
Oct 2, 2024 16:34:18.049576998 CEST	49723	443	192.168.2.10	173.222.162.55
Oct 2, 2024 16:34:45.616576910 CEST	58635	443	192.168.2.10	142.250.185.68
Oct 2, 2024 16:34:45.616621017 CEST	443	58635	142.250.185.68	192.168.2.10
Oct 2, 2024 16:34:45.616678953 CEST	58635	443	192.168.2.10	142.250.185.68
Oct 2, 2024 16:34:45.617955923 CEST	58635	443	192.168.2.10	142.250.185.68
Oct 2, 2024 16:34:45.617969036 CEST	443	58635	142.250.185.68	192.168.2.10
Oct 2, 2024 16:34:46.270572901 CEST	443	58635	142.250.185.68	192.168.2.10
Oct 2, 2024 16:34:46.270912886 CEST	58635	443	192.168.2.10	142.250.185.68
Oct 2, 2024 16:34:46.270927906 CEST	443	58635	142.250.185.68	192.168.2.10
Oct 2, 2024 16:34:46.271250963 CEST	443	58635	142.250.185.68	192.168.2.10
Oct 2, 2024 16:34:46.272245884 CEST	58635	443	192.168.2.10	142.250.185.68
Oct 2, 2024 16:34:46.274538040 CEST	443	58635	142.250.185.68	192.168.2.10
Oct 2, 2024 16:34:46.314575911 CEST	58635	443	192.168.2.10	142.250.185.68
Oct 2, 2024 16:34:56.190440893 CEST	443	58635	142.250.185.68	192.168.2.10
Oct 2, 2024 16:34:56.190601110 CEST	443	58635	142.250.185.68	192.168.2.10
Oct 2, 2024 16:34:56.190668106 CEST	58635	443	192.168.2.10	142.250.185.68
Oct 2, 2024 16:34:56.960707903 CEST	58635	443	192.168.2.10	142.250.185.68
Oct 2, 2024 16:34:56.960755110 CEST	443	58635	142.250.185.68	192.168.2.10

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 2, 2024 16:33:40.682058096 CEST	53	65433	1.1.1.1	192.168.2.10
Oct 2, 2024 16:33:40.776303053 CEST	53	50614	1.1.1.1	192.168.2.10
Oct 2, 2024 16:33:42.027368069 CEST	53	57931	1.1.1.1	192.168.2.10
Oct 2, 2024 16:33:42.694264889 CEST	60305	53	192.168.2.10	1.1.1.1
Oct 2, 2024 16:33:42.694464922 CEST	60006	53	192.168.2.10	1.1.1.1
Oct 2, 2024 16:33:42.705782890 CEST	53	60305	1.1.1.1	192.168.2.10
Oct 2, 2024 16:33:42.705878019 CEST	53	60006	1.1.1.1	192.168.2.10
Oct 2, 2024 16:33:45.155900002 CEST	62566	53	192.168.2.10	1.1.1.1
Oct 2, 2024 16:33:45.156194925 CEST	58407	53	192.168.2.10	1.1.1.1
Oct 2, 2024 16:33:45.372687101 CEST	53	58407	1.1.1.1	192.168.2.10
Oct 2, 2024 16:33:45.372697115 CEST	53	62566	1.1.1.1	192.168.2.10
Oct 2, 2024 16:33:58.969968081 CEST	53	61443	1.1.1.1	192.168.2.10
Oct 2, 2024 16:34:11.983042002 CEST	53	53929	162.159.36.2	192.168.2.10
Oct 2, 2024 16:34:12.470930099 CEST	60267	53	192.168.2.10	1.1.1.1
Oct 2, 2024 16:34:12.479500055 CEST	53	60267	1.1.1.1	192.168.2.10
Oct 2, 2024 16:34:37.183041096 CEST	138	138	192.168.2.10	192.168.2.255
Oct 2, 2024 16:34:45.604412079 CEST	64643	53	192.168.2.10	1.1.1.1
Oct 2, 2024 16:34:45.613457918 CEST	53	64643	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 2, 2024 16:33:42.694264889 CEST	192.168.2.10	1.1.1.1	0x3ab3	Standard query (0)	busb.co.in	A (IP address)	IN (0x0001)	false
Oct 2, 2024 16:33:42.694464922 CEST	192.168.2.10	1.1.1.1	0xa53	Standard query (0)	busb.co.in	65	IN (0x0001)	false
Oct 2, 2024 16:33:45.155900002 CEST	192.168.2.10	1.1.1.1	0x527d	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 16:33:45.156194925 CEST	192.168.2.10	1.1.1.1	0x741b	Standard query (0)	www.google.com	65	IN (0x0001)	false
Oct 2, 2024 16:34:12.470930099 CEST	192.168.2.10	1.1.1.1	0x4d1c	Standard query (0)	241.42.69.40.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Oct 2, 2024 16:34:45.604412079 CEST	192.168.2.10	1.1.1.1	0x8496	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 2, 2024 16:33:42.705782890 CEST	1.1.1.1	192.168.2.10	0x3ab3	No error (0)	busb.co.in		5.45.127.145	A (IP address)	IN (0x0001)	false
Oct 2, 2024 16:33:45.372687101 CEST	1.1.1.1	192.168.2.10	0x741b	No error (0)	www.google.com			65	IN (0x0001)	false
Oct 2, 2024 16:33:45.372697115 CEST	1.1.1.1	192.168.2.10	0x527d	No error (0)	www.google.com		216.58.206.68	A (IP address)	IN (0x0001)	false
Oct 2, 2024 16:33:55.759484053 CEST	1.1.1.1	192.168.2.10	0xb0ff	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 16:33:55.759484053 CEST	1.1.1.1	192.168.2.10	0xb0ff	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.57.34	A (IP address)	IN (0x0001)	false
Oct 2, 2024 16:33:55.759484053 CEST	1.1.1.1	192.168.2.10	0xb0ff	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.57.18	A (IP address)	IN (0x0001)	false
Oct 2, 2024 16:34:12.479500055 CEST	1.1.1.1	192.168.2.10	0x4d1c	Name error (3)	241.42.69.40.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Oct 2, 2024 16:34:45.613457918 CEST	1.1.1.1	192.168.2.10	0x8496	No error (0)	www.google.com		142.250.185.68	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

busb.co.in

https:

fs.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49712	5.45.127.145	443	6544	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 14:33:43 UTC	1032	OUT	GET /oldmega/z/?clickid=b888eq57sa17s0685&t1=november-his-vyyqe24dy4&t2=gamboge-scorpion&t3=the,and,for,wrexham,pub,been,horse,have,who,changes,with,new,its,you,about,and%C2%A0jockey,has,get,street,centre,city,jockey,completely,contact,wrexham:,reopens,after,refurbishment,lea&lpkey=17b827a280f5452268&uclick=q57sa17s0&uclickhash=q57sa17s0-q57sa17s0-7si4-dv0-2tg5-fnsy8n-fnsywj-b5de8f HTTP/1.1 Host: busb.co.in Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 14:33:43 UTC	210	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 Date: Wed, 02 Oct 2024 14:33:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Strict-Transport-Security: max-age=31536000
2024-10-02 14:33:43 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.10	49711	5.45.127.145	443	6544	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 14:33:44 UTC	955	OUT	GET /favicon.ico HTTP/1.1 Host: busb.co.in Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://busb.co.in/oldmega/z/?clickid=b888eq57sa17s0685&t1=november-his-vyyqe24dy4&t2=gamboge-scorpion&t3=the,and,for,wrexham,pub,been,horse,have,who,changes,with,new,its,you,about,and%C2%A0jockey,has,get,street,centre,city,jockey,completely,contact,wrexham:,reopens,after,refurbishment,lea&lpkey=17b827a280f5452268&uclick=q57sa17s0&uclickhash=q57sa17s0-q57sa17s0-7si4-dv0-2tg5-fnsy8n-fnsywj-b5de8f Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 14:33:44 UTC	150	IN	HTTP/1.1 404 Not Found Server: nginx/1.24.0 Date: Wed, 02 Oct 2024 14:33:44 GMT Content-Type: text/html Content-Length: 555 Connection: close
2024-10-02 14:33:44 UTC	555	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 34 2e 30 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.24.0</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.10	49717	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 14:33:47 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-10-02 14:33:47 UTC	466	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-neu-z1 Cache-Control: public, max-age=94323 Date: Wed, 02 Oct 2024 14:33:47 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.10	49718	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 14:33:48 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-10-02 14:33:48 UTC	514	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=94266 Date: Wed, 02 Oct 2024 14:33:48 GMT Content-Length: 55 Connection: close X-CID: 2
2024-10-02 14:33:48 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: chrome.exePID: 6600, Parent PID: 3716

General

Target ID:	0
Start time:	10:33:35
Start date:	02/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Imagebase:	0x7ff6c5c30000
File size:	3'242'272 bytes
MD5 hash:	83395EAB5B03DEA9720F8D7AC0D15CAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 6544, Parent PID: 6600

General

Target ID:	4
Start time:	10:33:38
Start date:	02/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2024 --field-trial-handle=2052,i,10686121232569316346,15910571144518359988,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff6c5c30000
File size:	3'242'272 bytes
MD5 hash:	83395EAB5B03DEA9720F8D7AC0D15CAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 1244, Parent PID: 3716

General

Target ID:	10
Start time:	10:33:41
Start date:	02/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://busb.co.in/oldmega/z/?clickid=b888eq57sa17s0685&t1=november-his-vyyqe24dy4&t2=gamboge-scorpion&t3=the,and,for,wrexham,pub,been,horse,have,who,changes,with,new,its,you,about,and%C2%A0jockey,has,get,street,centre,city,jockey,completely,contact,wrexham:,reopens,after,refurbishment,lea&lpkey=17b827a280f5452268&uclick=q57sa17s0&uclickhash=q57sa17s0-q57sa17s0-7si4-dv0-2tg5-fnsy8n-fnsywj-b5de8f"
Imagebase:	0x7ff6c5c30000
File size:	3'242'272 bytes
MD5 hash:	83395EAB5B03DEA9720F8D7AC0D15CAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Boot Survival

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Chrome Cache Entry: 62

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: chrome.exePID: 6600, Parent PID: 3716

General

Chronological Activities

Analysis Process: chrome.exePID: 6544, Parent PID: 6600

General

Chronological Activities

Analysis Process: chrome.exePID: 1244, Parent PID: 3716

General

Chronological Activities

Disassembly