Edit tour

Windows Analysis Report
https://docsend.com/view/ws65kkaar2fwghua

Overview

General Information

Sample URL:	https://docsend.com/view/ws65kkaar2fwghua
Analysis ID:	1525118
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected suspicious crossdomain redirect

Classification

Process Tree

System is w10x64

chrome.exe (PID: 5336 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 4312 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 --field-trial-handle=1952,i,742254302403329463,5183052963729679332,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 3652 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://docsend.com/view/ws65kkaar2fwghua" MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: https://docsend.com/view/ws65kkaar2fwghua

SlashNext: detection malicious, Label: Credential Stealing type: Phishing & Social Engineering

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.7:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.7:49712 version: TLS 1.2

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

HTTP traffic: Redirect from: docsend.com to https://captainsquarterscigars.com/n/?c3y9bzm2nv8xx25vbszyyw5kpvzitlrimws9jnvpzd1vu0vsmzawotiwmjrvntkwotmwmte=n0123n[randy.hibberd@cityofweiser.net]

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	UDP traffic detected without corresponding DNS query: 20.101.57.9
Source: unknown	UDP traffic detected without corresponding DNS query: 20.101.57.9
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /view/ws65kkaar2fwghua HTTP/1.1Host: docsend.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /n/?c3Y9bzM2NV8xX25vbSZyYW5kPVZITlRiMWs9JnVpZD1VU0VSMzAwOTIwMjRVNTkwOTMwMTE=N0123N[randy.hibberd@cityofweiser.net] HTTP/1.1Host: captainsquarterscigars.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: captainsquarterscigars.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://captainsquarterscigars.com/n/?c3Y9bzM2NV8xX25vbSZyYW5kPVZITlRiMWs9JnVpZD1VU0VSMzAwOTIwMjRVNTkwOTMwMTE=N0123N[randy.hibberd@cityofweiser.net]Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: captainsquarterscigars.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: global traffic	DNS traffic detected: DNS query: docsend.com
Source: global traffic	DNS traffic detected: DNS query: captainsquarterscigars.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.7:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.7:49712 version: TLS 1.2

Source: classification engine

Classification label: mal48.win@17/2@8/5

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 --field-trial-handle=1952,i,742254302403329463,5183052963729679332,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://docsend.com/view/ws65kkaar2fwghua"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 --field-trial-handle=1952,i,742254302403329463,5183052963729679332,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	1 Process Injection	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
https://docsend.com/view/ws65kkaar2fwghua	100%	SlashNext	Credential Stealing type: Phishing & Social Engineering

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false	unknown
captainsquarterscigars.com	192.185.91.220	true	false	unknown
www.google.com	216.58.206.36	true	false	unknown
docsend.com	18.173.205.86	true	false	unknown
windowsupdatebg.s.llnwi.net	87.248.205.0	true	false	unknown

Contacted URLs

Name	Malicious	Reputation
https://captainsquarterscigars.com/favicon.ico	false	unknown
https://docsend.com/view/ws65kkaar2fwghua	true	unknown
https://captainsquarterscigars.com/n/?c3Y9bzM2NV8xX25vbSZyYW5kPVZITlRiMWs9JnVpZD1VU0VSMzAwOTIwMjRVNTkwOTMwMTE=N0123N[randy.hibberd@cityofweiser.net]	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
239.255.255.250	unknown	Reserved	unknown	unknown	false
192.185.91.220	captainsquarterscigars.com	United States	46606	UNIFIEDLAYER-AS-1US	false
18.173.205.86	docsend.com	United States	3	MIT-GATEWAYSUS	false
216.58.206.36	www.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.7

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1525118
Start date and time:	2024-10-03 17:55:10 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	https://docsend.com/view/ws65kkaar2fwghua
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal48.win@17/2@8/5
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.186.163, 142.250.181.238, 142.251.168.84, 34.104.35.123, 20.114.59.183, 2.19.126.163, 2.19.126.137, 20.3.187.198, 20.242.39.171, 216.58.206.35, 93.184.221.240
Excluded domains from analysis (whitelisted): fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, clientservices.googleapis.com, ctldl.windowsupdate.com, time.windows.com, a767.dspw65.akamai.net, wu.azureedge.net, download.windowsupdate.com.edgesuite.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, clients2.google.com, edgedl.me.gvt1.com, glb.cws.prod.dcat.dsp.trafficmanager.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, sls.update.microsoft.com, update.googleapis.com, hlb.apr-52dd2-0.edgecastdns.net, clients.l.google.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: https://docsend.com/view/ws65kkaar2fwghua

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

Chrome Cache Entry: 41

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	very short file (no magic)
Category:	downloaded
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:v:v
MD5:	68B329DA9893E34099C7D8AD5CB9C940
SHA1:	ADC83B19E793491B1C6EA0FD8B46CD9F32E592FC
SHA-256:	01BA4719C80B6FE911B091A7C05124B64EEECE964E09C058EF8F9805DACA546B
SHA-512:	BE688838CA8686E5C90689BF2AB585CEF1137C999B48C70B92F67A5C34DC15697B5D11C982ED6D71BE1E1E7F7B4E0733884AA97C3F7A339A8ED03577CF74BE09
Malicious:	false
Reputation:	low
URL:	https://captainsquarterscigars.com/n/?c3Y9bzM2NV8xX25vbSZyYW5kPVZITlRiMWs9JnVpZD1VU0VSMzAwOTIwMjRVNTkwOTMwMTE=N0123N[randy.hibberd@cityofweiser.net]
Preview:	.

Static File Info

⊘No static file info

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 3, 2024 17:56:02.844404936 CEST	49671	443	192.168.2.7	204.79.197.203
Oct 3, 2024 17:56:06.078576088 CEST	49674	443	192.168.2.7	104.98.116.138
Oct 3, 2024 17:56:06.078691006 CEST	49675	443	192.168.2.7	104.98.116.138
Oct 3, 2024 17:56:06.234822035 CEST	49672	443	192.168.2.7	104.98.116.138
Oct 3, 2024 17:56:06.860599995 CEST	49677	443	192.168.2.7	20.50.201.200
Oct 3, 2024 17:56:07.238667965 CEST	49677	443	192.168.2.7	20.50.201.200
Oct 3, 2024 17:56:07.656830072 CEST	49671	443	192.168.2.7	204.79.197.203
Oct 3, 2024 17:56:07.984927893 CEST	49677	443	192.168.2.7	20.50.201.200
Oct 3, 2024 17:56:09.484833002 CEST	49677	443	192.168.2.7	20.50.201.200
Oct 3, 2024 17:56:12.643416882 CEST	49677	443	192.168.2.7	20.50.201.200
Oct 3, 2024 17:56:15.736264944 CEST	49674	443	192.168.2.7	104.98.116.138
Oct 3, 2024 17:56:15.736283064 CEST	49675	443	192.168.2.7	104.98.116.138
Oct 3, 2024 17:56:15.976345062 CEST	49672	443	192.168.2.7	104.98.116.138
Oct 3, 2024 17:56:16.166527033 CEST	49705	443	192.168.2.7	18.173.205.86
Oct 3, 2024 17:56:16.166565895 CEST	443	49705	18.173.205.86	192.168.2.7
Oct 3, 2024 17:56:16.166874886 CEST	49705	443	192.168.2.7	18.173.205.86
Oct 3, 2024 17:56:16.167015076 CEST	49706	443	192.168.2.7	18.173.205.86
Oct 3, 2024 17:56:16.167030096 CEST	443	49706	18.173.205.86	192.168.2.7
Oct 3, 2024 17:56:16.167074919 CEST	49706	443	192.168.2.7	18.173.205.86
Oct 3, 2024 17:56:16.167543888 CEST	49706	443	192.168.2.7	18.173.205.86
Oct 3, 2024 17:56:16.167563915 CEST	443	49706	18.173.205.86	192.168.2.7
Oct 3, 2024 17:56:16.167732000 CEST	49705	443	192.168.2.7	18.173.205.86
Oct 3, 2024 17:56:16.167747021 CEST	443	49705	18.173.205.86	192.168.2.7
Oct 3, 2024 17:56:16.930545092 CEST	443	49705	18.173.205.86	192.168.2.7
Oct 3, 2024 17:56:16.935736895 CEST	443	49706	18.173.205.86	192.168.2.7
Oct 3, 2024 17:56:16.972691059 CEST	49705	443	192.168.2.7	18.173.205.86
Oct 3, 2024 17:56:17.010509968 CEST	49705	443	192.168.2.7	18.173.205.86
Oct 3, 2024 17:56:17.010525942 CEST	443	49705	18.173.205.86	192.168.2.7
Oct 3, 2024 17:56:17.010911942 CEST	49706	443	192.168.2.7	18.173.205.86
Oct 3, 2024 17:56:17.010925055 CEST	443	49706	18.173.205.86	192.168.2.7
Oct 3, 2024 17:56:17.012667894 CEST	443	49706	18.173.205.86	192.168.2.7
Oct 3, 2024 17:56:17.012690067 CEST	443	49706	18.173.205.86	192.168.2.7
Oct 3, 2024 17:56:17.012761116 CEST	49706	443	192.168.2.7	18.173.205.86
Oct 3, 2024 17:56:17.014523983 CEST	443	49705	18.173.205.86	192.168.2.7
Oct 3, 2024 17:56:17.014617920 CEST	49705	443	192.168.2.7	18.173.205.86
Oct 3, 2024 17:56:17.106021881 CEST	49706	443	192.168.2.7	18.173.205.86
Oct 3, 2024 17:56:17.106163025 CEST	443	49706	18.173.205.86	192.168.2.7
Oct 3, 2024 17:56:17.139398098 CEST	49705	443	192.168.2.7	18.173.205.86
Oct 3, 2024 17:56:17.139559984 CEST	443	49705	18.173.205.86	192.168.2.7
Oct 3, 2024 17:56:17.140145063 CEST	49706	443	192.168.2.7	18.173.205.86
Oct 3, 2024 17:56:17.140172958 CEST	443	49706	18.173.205.86	192.168.2.7
Oct 3, 2024 17:56:17.189196110 CEST	49705	443	192.168.2.7	18.173.205.86
Oct 3, 2024 17:56:17.189213037 CEST	443	49705	18.173.205.86	192.168.2.7
Oct 3, 2024 17:56:17.237204075 CEST	49705	443	192.168.2.7	18.173.205.86
Oct 3, 2024 17:56:17.281264067 CEST	49706	443	192.168.2.7	18.173.205.86
Oct 3, 2024 17:56:17.281270981 CEST	49671	443	192.168.2.7	204.79.197.203
Oct 3, 2024 17:56:17.574104071 CEST	443	49706	18.173.205.86	192.168.2.7
Oct 3, 2024 17:56:17.574125051 CEST	443	49706	18.173.205.86	192.168.2.7
Oct 3, 2024 17:56:17.574161053 CEST	443	49706	18.173.205.86	192.168.2.7
Oct 3, 2024 17:56:17.574203968 CEST	49706	443	192.168.2.7	18.173.205.86
Oct 3, 2024 17:56:17.574217081 CEST	443	49706	18.173.205.86	192.168.2.7
Oct 3, 2024 17:56:17.574243069 CEST	443	49706	18.173.205.86	192.168.2.7
Oct 3, 2024 17:56:17.574243069 CEST	49706	443	192.168.2.7	18.173.205.86
Oct 3, 2024 17:56:17.574284077 CEST	49706	443	192.168.2.7	18.173.205.86
Oct 3, 2024 17:56:17.670211077 CEST	49706	443	192.168.2.7	18.173.205.86
Oct 3, 2024 17:56:17.670238972 CEST	443	49706	18.173.205.86	192.168.2.7
Oct 3, 2024 17:56:17.912798882 CEST	49708	443	192.168.2.7	192.185.91.220
Oct 3, 2024 17:56:17.912844896 CEST	443	49708	192.185.91.220	192.168.2.7
Oct 3, 2024 17:56:17.912996054 CEST	49708	443	192.168.2.7	192.185.91.220
Oct 3, 2024 17:56:17.913554907 CEST	49708	443	192.168.2.7	192.185.91.220
Oct 3, 2024 17:56:17.913569927 CEST	443	49708	192.185.91.220	192.168.2.7
Oct 3, 2024 17:56:18.005017996 CEST	49709	443	192.168.2.7	216.58.206.36
Oct 3, 2024 17:56:18.005069971 CEST	443	49709	216.58.206.36	192.168.2.7
Oct 3, 2024 17:56:18.005222082 CEST	49709	443	192.168.2.7	216.58.206.36
Oct 3, 2024 17:56:18.005949020 CEST	49709	443	192.168.2.7	216.58.206.36
Oct 3, 2024 17:56:18.005963087 CEST	443	49709	216.58.206.36	192.168.2.7
Oct 3, 2024 17:56:18.267905951 CEST	443	49698	104.98.116.138	192.168.2.7
Oct 3, 2024 17:56:18.268104076 CEST	49698	443	192.168.2.7	104.98.116.138
Oct 3, 2024 17:56:18.603260994 CEST	49677	443	192.168.2.7	20.50.201.200
Oct 3, 2024 17:56:18.643800020 CEST	49710	443	192.168.2.7	184.28.90.27
Oct 3, 2024 17:56:18.643826962 CEST	443	49710	184.28.90.27	192.168.2.7
Oct 3, 2024 17:56:18.643902063 CEST	49710	443	192.168.2.7	184.28.90.27
Oct 3, 2024 17:56:18.645473957 CEST	49710	443	192.168.2.7	184.28.90.27
Oct 3, 2024 17:56:18.645490885 CEST	443	49710	184.28.90.27	192.168.2.7
Oct 3, 2024 17:56:18.647784948 CEST	443	49709	216.58.206.36	192.168.2.7
Oct 3, 2024 17:56:18.648037910 CEST	49709	443	192.168.2.7	216.58.206.36
Oct 3, 2024 17:56:18.648061991 CEST	443	49709	216.58.206.36	192.168.2.7
Oct 3, 2024 17:56:18.649049044 CEST	443	49709	216.58.206.36	192.168.2.7
Oct 3, 2024 17:56:18.649113894 CEST	49709	443	192.168.2.7	216.58.206.36
Oct 3, 2024 17:56:18.652883053 CEST	443	49708	192.185.91.220	192.168.2.7
Oct 3, 2024 17:56:18.653081894 CEST	49708	443	192.168.2.7	192.185.91.220
Oct 3, 2024 17:56:18.653105974 CEST	443	49708	192.185.91.220	192.168.2.7
Oct 3, 2024 17:56:18.654520035 CEST	443	49708	192.185.91.220	192.168.2.7
Oct 3, 2024 17:56:18.654728889 CEST	49708	443	192.168.2.7	192.185.91.220
Oct 3, 2024 17:56:18.664220095 CEST	49709	443	192.168.2.7	216.58.206.36
Oct 3, 2024 17:56:18.664294004 CEST	443	49709	216.58.206.36	192.168.2.7
Oct 3, 2024 17:56:18.665688992 CEST	49708	443	192.168.2.7	192.185.91.220
Oct 3, 2024 17:56:18.665935040 CEST	49708	443	192.168.2.7	192.185.91.220
Oct 3, 2024 17:56:18.665944099 CEST	443	49708	192.185.91.220	192.168.2.7
Oct 3, 2024 17:56:18.666002035 CEST	443	49708	192.185.91.220	192.168.2.7
Oct 3, 2024 17:56:18.713809967 CEST	49708	443	192.168.2.7	192.185.91.220
Oct 3, 2024 17:56:18.713828087 CEST	443	49708	192.185.91.220	192.168.2.7
Oct 3, 2024 17:56:18.758126020 CEST	49708	443	192.168.2.7	192.185.91.220
Oct 3, 2024 17:56:18.773840904 CEST	49709	443	192.168.2.7	216.58.206.36
Oct 3, 2024 17:56:18.773869991 CEST	443	49709	216.58.206.36	192.168.2.7
Oct 3, 2024 17:56:18.874988079 CEST	49709	443	192.168.2.7	216.58.206.36
Oct 3, 2024 17:56:19.267441034 CEST	443	49708	192.185.91.220	192.168.2.7
Oct 3, 2024 17:56:19.269258976 CEST	443	49708	192.185.91.220	192.168.2.7
Oct 3, 2024 17:56:19.269392014 CEST	49708	443	192.168.2.7	192.185.91.220
Oct 3, 2024 17:56:19.318742037 CEST	443	49710	184.28.90.27	192.168.2.7
Oct 3, 2024 17:56:19.318835974 CEST	49710	443	192.168.2.7	184.28.90.27
Oct 3, 2024 17:56:19.371014118 CEST	49708	443	192.168.2.7	192.185.91.220
Oct 3, 2024 17:56:19.371042013 CEST	443	49708	192.185.91.220	192.168.2.7
Oct 3, 2024 17:56:19.459805965 CEST	49710	443	192.168.2.7	184.28.90.27
Oct 3, 2024 17:56:19.459850073 CEST	443	49710	184.28.90.27	192.168.2.7
Oct 3, 2024 17:56:19.460299969 CEST	443	49710	184.28.90.27	192.168.2.7
Oct 3, 2024 17:56:19.479538918 CEST	49711	443	192.168.2.7	192.185.91.220
Oct 3, 2024 17:56:19.479585886 CEST	443	49711	192.185.91.220	192.168.2.7
Oct 3, 2024 17:56:19.479651928 CEST	49711	443	192.168.2.7	192.185.91.220
Oct 3, 2024 17:56:19.480551004 CEST	49711	443	192.168.2.7	192.185.91.220
Oct 3, 2024 17:56:19.480562925 CEST	443	49711	192.185.91.220	192.168.2.7
Oct 3, 2024 17:56:19.570031881 CEST	49710	443	192.168.2.7	184.28.90.27
Oct 3, 2024 17:56:19.791450977 CEST	49710	443	192.168.2.7	184.28.90.27
Oct 3, 2024 17:56:19.839400053 CEST	443	49710	184.28.90.27	192.168.2.7
Oct 3, 2024 17:56:19.993366957 CEST	443	49711	192.185.91.220	192.168.2.7
Oct 3, 2024 17:56:19.994513035 CEST	443	49710	184.28.90.27	192.168.2.7
Oct 3, 2024 17:56:19.994786024 CEST	443	49710	184.28.90.27	192.168.2.7
Oct 3, 2024 17:56:19.994853020 CEST	49710	443	192.168.2.7	184.28.90.27
Oct 3, 2024 17:56:20.003668070 CEST	49711	443	192.168.2.7	192.185.91.220
Oct 3, 2024 17:56:20.003685951 CEST	443	49711	192.185.91.220	192.168.2.7
Oct 3, 2024 17:56:20.004216909 CEST	443	49711	192.185.91.220	192.168.2.7
Oct 3, 2024 17:56:20.004688025 CEST	49711	443	192.168.2.7	192.185.91.220
Oct 3, 2024 17:56:20.004782915 CEST	443	49711	192.185.91.220	192.168.2.7
Oct 3, 2024 17:56:20.004915953 CEST	49711	443	192.168.2.7	192.185.91.220
Oct 3, 2024 17:56:20.018143892 CEST	49710	443	192.168.2.7	184.28.90.27
Oct 3, 2024 17:56:20.018184900 CEST	443	49710	184.28.90.27	192.168.2.7
Oct 3, 2024 17:56:20.018250942 CEST	49710	443	192.168.2.7	184.28.90.27
Oct 3, 2024 17:56:20.018269062 CEST	443	49710	184.28.90.27	192.168.2.7
Oct 3, 2024 17:56:20.051402092 CEST	443	49711	192.185.91.220	192.168.2.7
Oct 3, 2024 17:56:20.140292883 CEST	443	49711	192.185.91.220	192.168.2.7
Oct 3, 2024 17:56:20.140490055 CEST	443	49711	192.185.91.220	192.168.2.7
Oct 3, 2024 17:56:20.140543938 CEST	49711	443	192.168.2.7	192.185.91.220
Oct 3, 2024 17:56:20.142692089 CEST	49711	443	192.168.2.7	192.185.91.220
Oct 3, 2024 17:56:20.142719030 CEST	443	49711	192.185.91.220	192.168.2.7
Oct 3, 2024 17:56:20.182230949 CEST	49712	443	192.168.2.7	184.28.90.27
Oct 3, 2024 17:56:20.182275057 CEST	443	49712	184.28.90.27	192.168.2.7
Oct 3, 2024 17:56:20.182349920 CEST	49712	443	192.168.2.7	184.28.90.27
Oct 3, 2024 17:56:20.182828903 CEST	49712	443	192.168.2.7	184.28.90.27
Oct 3, 2024 17:56:20.182847023 CEST	443	49712	184.28.90.27	192.168.2.7
Oct 3, 2024 17:56:20.822550058 CEST	443	49712	184.28.90.27	192.168.2.7
Oct 3, 2024 17:56:20.822752953 CEST	49712	443	192.168.2.7	184.28.90.27
Oct 3, 2024 17:56:20.835395098 CEST	49713	443	192.168.2.7	192.185.91.220
Oct 3, 2024 17:56:20.835444927 CEST	443	49713	192.185.91.220	192.168.2.7
Oct 3, 2024 17:56:20.835895061 CEST	49713	443	192.168.2.7	192.185.91.220
Oct 3, 2024 17:56:20.839396954 CEST	49713	443	192.168.2.7	192.185.91.220
Oct 3, 2024 17:56:20.839425087 CEST	443	49713	192.185.91.220	192.168.2.7
Oct 3, 2024 17:56:20.849752903 CEST	49712	443	192.168.2.7	184.28.90.27
Oct 3, 2024 17:56:20.849776030 CEST	443	49712	184.28.90.27	192.168.2.7
Oct 3, 2024 17:56:20.850164890 CEST	443	49712	184.28.90.27	192.168.2.7
Oct 3, 2024 17:56:20.851788044 CEST	49712	443	192.168.2.7	184.28.90.27
Oct 3, 2024 17:56:20.899406910 CEST	443	49712	184.28.90.27	192.168.2.7
Oct 3, 2024 17:56:21.104698896 CEST	443	49712	184.28.90.27	192.168.2.7
Oct 3, 2024 17:56:21.104878902 CEST	443	49712	184.28.90.27	192.168.2.7
Oct 3, 2024 17:56:21.105921030 CEST	49712	443	192.168.2.7	184.28.90.27
Oct 3, 2024 17:56:21.106930017 CEST	49712	443	192.168.2.7	184.28.90.27
Oct 3, 2024 17:56:21.106945038 CEST	443	49712	184.28.90.27	192.168.2.7
Oct 3, 2024 17:56:21.107104063 CEST	49712	443	192.168.2.7	184.28.90.27
Oct 3, 2024 17:56:21.107109070 CEST	443	49712	184.28.90.27	192.168.2.7
Oct 3, 2024 17:56:21.362850904 CEST	443	49713	192.185.91.220	192.168.2.7
Oct 3, 2024 17:56:21.385802984 CEST	49713	443	192.168.2.7	192.185.91.220
Oct 3, 2024 17:56:21.385823965 CEST	443	49713	192.185.91.220	192.168.2.7
Oct 3, 2024 17:56:21.389935017 CEST	443	49713	192.185.91.220	192.168.2.7
Oct 3, 2024 17:56:21.390413046 CEST	49713	443	192.168.2.7	192.185.91.220
Oct 3, 2024 17:56:21.391204119 CEST	49713	443	192.168.2.7	192.185.91.220
Oct 3, 2024 17:56:21.391204119 CEST	49713	443	192.168.2.7	192.185.91.220
Oct 3, 2024 17:56:21.391371012 CEST	443	49713	192.185.91.220	192.168.2.7
Oct 3, 2024 17:56:21.438960075 CEST	49713	443	192.168.2.7	192.185.91.220
Oct 3, 2024 17:56:21.438971996 CEST	443	49713	192.185.91.220	192.168.2.7
Oct 3, 2024 17:56:21.485872030 CEST	49713	443	192.168.2.7	192.185.91.220
Oct 3, 2024 17:56:21.531722069 CEST	443	49713	192.185.91.220	192.168.2.7
Oct 3, 2024 17:56:21.531862020 CEST	443	49713	192.185.91.220	192.168.2.7
Oct 3, 2024 17:56:21.531940937 CEST	49713	443	192.168.2.7	192.185.91.220
Oct 3, 2024 17:56:21.576209068 CEST	49713	443	192.168.2.7	192.185.91.220
Oct 3, 2024 17:56:21.576246977 CEST	443	49713	192.185.91.220	192.168.2.7
Oct 3, 2024 17:56:28.575491905 CEST	443	49709	216.58.206.36	192.168.2.7
Oct 3, 2024 17:56:28.575654984 CEST	443	49709	216.58.206.36	192.168.2.7
Oct 3, 2024 17:56:28.575722933 CEST	49709	443	192.168.2.7	216.58.206.36
Oct 3, 2024 17:56:29.628144979 CEST	49709	443	192.168.2.7	216.58.206.36
Oct 3, 2024 17:56:29.628195047 CEST	443	49709	216.58.206.36	192.168.2.7
Oct 3, 2024 17:56:30.516653061 CEST	49677	443	192.168.2.7	20.50.201.200
Oct 3, 2024 17:56:46.734184980 CEST	443	49705	18.173.205.86	192.168.2.7
Oct 3, 2024 17:56:46.734302044 CEST	443	49705	18.173.205.86	192.168.2.7
Oct 3, 2024 17:56:46.734400988 CEST	49705	443	192.168.2.7	18.173.205.86
Oct 3, 2024 17:56:47.726562977 CEST	49705	443	192.168.2.7	18.173.205.86
Oct 3, 2024 17:56:47.726582050 CEST	443	49705	18.173.205.86	192.168.2.7
Oct 3, 2024 17:57:18.151474953 CEST	49720	443	192.168.2.7	216.58.206.36
Oct 3, 2024 17:57:18.151530981 CEST	443	49720	216.58.206.36	192.168.2.7
Oct 3, 2024 17:57:18.151848078 CEST	49720	443	192.168.2.7	216.58.206.36
Oct 3, 2024 17:57:18.152362108 CEST	49720	443	192.168.2.7	216.58.206.36
Oct 3, 2024 17:57:18.152374983 CEST	443	49720	216.58.206.36	192.168.2.7
Oct 3, 2024 17:57:19.778455973 CEST	443	49720	216.58.206.36	192.168.2.7
Oct 3, 2024 17:57:19.782104015 CEST	49720	443	192.168.2.7	216.58.206.36
Oct 3, 2024 17:57:19.782133102 CEST	443	49720	216.58.206.36	192.168.2.7
Oct 3, 2024 17:57:19.782601118 CEST	443	49720	216.58.206.36	192.168.2.7
Oct 3, 2024 17:57:19.831485987 CEST	49720	443	192.168.2.7	216.58.206.36
Oct 3, 2024 17:57:19.855479956 CEST	49720	443	192.168.2.7	216.58.206.36
Oct 3, 2024 17:57:19.855711937 CEST	443	49720	216.58.206.36	192.168.2.7
Oct 3, 2024 17:57:19.918123960 CEST	49720	443	192.168.2.7	216.58.206.36
Oct 3, 2024 17:57:29.699786901 CEST	443	49720	216.58.206.36	192.168.2.7
Oct 3, 2024 17:57:29.699939966 CEST	443	49720	216.58.206.36	192.168.2.7
Oct 3, 2024 17:57:29.700222969 CEST	49720	443	192.168.2.7	216.58.206.36
Oct 3, 2024 17:57:31.630598068 CEST	49720	443	192.168.2.7	216.58.206.36
Oct 3, 2024 17:57:31.630646944 CEST	443	49720	216.58.206.36	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 3, 2024 17:56:12.939120054 CEST	123	123	192.168.2.7	20.101.57.9
Oct 3, 2024 17:56:13.319478989 CEST	53	63012	1.1.1.1	192.168.2.7
Oct 3, 2024 17:56:13.358968973 CEST	53	53154	1.1.1.1	192.168.2.7
Oct 3, 2024 17:56:13.470592976 CEST	123	123	20.101.57.9	192.168.2.7
Oct 3, 2024 17:56:14.452544928 CEST	53	55102	1.1.1.1	192.168.2.7
Oct 3, 2024 17:56:14.573259115 CEST	123	123	192.168.2.7	20.101.57.9
Oct 3, 2024 17:56:14.751348019 CEST	123	123	20.101.57.9	192.168.2.7
Oct 3, 2024 17:56:16.126985073 CEST	49789	53	192.168.2.7	1.1.1.1
Oct 3, 2024 17:56:16.127422094 CEST	52966	53	192.168.2.7	1.1.1.1
Oct 3, 2024 17:56:16.134304047 CEST	53	49789	1.1.1.1	192.168.2.7
Oct 3, 2024 17:56:16.151946068 CEST	53	52966	1.1.1.1	192.168.2.7
Oct 3, 2024 17:56:17.758085012 CEST	61184	53	192.168.2.7	1.1.1.1
Oct 3, 2024 17:56:17.758516073 CEST	50433	53	192.168.2.7	1.1.1.1
Oct 3, 2024 17:56:17.871474028 CEST	53	61184	1.1.1.1	192.168.2.7
Oct 3, 2024 17:56:17.972990036 CEST	63387	53	192.168.2.7	1.1.1.1
Oct 3, 2024 17:56:17.973315954 CEST	64984	53	192.168.2.7	1.1.1.1
Oct 3, 2024 17:56:18.001168013 CEST	53	50433	1.1.1.1	192.168.2.7
Oct 3, 2024 17:56:18.001187086 CEST	53	63387	1.1.1.1	192.168.2.7
Oct 3, 2024 17:56:18.001199961 CEST	53	64984	1.1.1.1	192.168.2.7
Oct 3, 2024 17:56:20.597898006 CEST	51596	53	192.168.2.7	1.1.1.1
Oct 3, 2024 17:56:20.599395990 CEST	61931	53	192.168.2.7	1.1.1.1
Oct 3, 2024 17:56:20.810925007 CEST	53	51596	1.1.1.1	192.168.2.7
Oct 3, 2024 17:56:20.816459894 CEST	53	61931	1.1.1.1	192.168.2.7
Oct 3, 2024 17:56:31.460161924 CEST	53	52776	1.1.1.1	192.168.2.7
Oct 3, 2024 17:56:50.587888002 CEST	53	53583	1.1.1.1	192.168.2.7
Oct 3, 2024 17:57:07.370134115 CEST	138	138	192.168.2.7	192.168.2.255
Oct 3, 2024 17:57:13.352807045 CEST	53	54129	1.1.1.1	192.168.2.7
Oct 3, 2024 17:57:13.511054039 CEST	53	60911	1.1.1.1	192.168.2.7

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Oct 3, 2024 17:56:18.001292944 CEST	192.168.2.7	1.1.1.1	c23c	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 3, 2024 17:56:16.126985073 CEST	192.168.2.7	1.1.1.1	0x6690	Standard query (0)	docsend.com	A (IP address)	IN (0x0001)	false
Oct 3, 2024 17:56:16.127422094 CEST	192.168.2.7	1.1.1.1	0x95f8	Standard query (0)	docsend.com	65	IN (0x0001)	false
Oct 3, 2024 17:56:17.758085012 CEST	192.168.2.7	1.1.1.1	0xebaa	Standard query (0)	captainsquarterscigars.com	A (IP address)	IN (0x0001)	false
Oct 3, 2024 17:56:17.758516073 CEST	192.168.2.7	1.1.1.1	0x9567	Standard query (0)	captainsquarterscigars.com	65	IN (0x0001)	false
Oct 3, 2024 17:56:17.972990036 CEST	192.168.2.7	1.1.1.1	0xe659	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Oct 3, 2024 17:56:17.973315954 CEST	192.168.2.7	1.1.1.1	0x12b2	Standard query (0)	www.google.com	65	IN (0x0001)	false
Oct 3, 2024 17:56:20.597898006 CEST	192.168.2.7	1.1.1.1	0xcead	Standard query (0)	captainsquarterscigars.com	A (IP address)	IN (0x0001)	false
Oct 3, 2024 17:56:20.599395990 CEST	192.168.2.7	1.1.1.1	0xac73	Standard query (0)	captainsquarterscigars.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Oct 3, 2024 17:56:16.134304047 CEST	1.1.1.1	192.168.2.7	0x6690	No error (0)	docsend.com	18.173.205.86	A (IP address)	IN (0x0001)	false
Oct 3, 2024 17:56:16.134304047 CEST	1.1.1.1	192.168.2.7	0x6690	No error (0)	docsend.com	18.173.205.62	A (IP address)	IN (0x0001)	false
Oct 3, 2024 17:56:16.134304047 CEST	1.1.1.1	192.168.2.7	0x6690	No error (0)	docsend.com	18.173.205.125	A (IP address)	IN (0x0001)	false
Oct 3, 2024 17:56:16.134304047 CEST	1.1.1.1	192.168.2.7	0x6690	No error (0)	docsend.com	18.173.205.79	A (IP address)	IN (0x0001)	false
Oct 3, 2024 17:56:17.871474028 CEST	1.1.1.1	192.168.2.7	0xebaa	No error (0)	captainsquarterscigars.com	192.185.91.220	A (IP address)	IN (0x0001)	false
Oct 3, 2024 17:56:18.001187086 CEST	1.1.1.1	192.168.2.7	0xe659	No error (0)	www.google.com	216.58.206.36	A (IP address)	IN (0x0001)	false
Oct 3, 2024 17:56:18.001199961 CEST	1.1.1.1	192.168.2.7	0x12b2	No error (0)	www.google.com		65	IN (0x0001)	false
Oct 3, 2024 17:56:20.810925007 CEST	1.1.1.1	192.168.2.7	0xcead	No error (0)	captainsquarterscigars.com	192.185.91.220	A (IP address)	IN (0x0001)	false
Oct 3, 2024 17:56:39.540290117 CEST	1.1.1.1	192.168.2.7	0x4dc4	No error (0)	bg.microsoft.map.fastly.net	199.232.214.172	A (IP address)	IN (0x0001)	false
Oct 3, 2024 17:56:39.540290117 CEST	1.1.1.1	192.168.2.7	0x4dc4	No error (0)	bg.microsoft.map.fastly.net	199.232.210.172	A (IP address)	IN (0x0001)	false
Oct 3, 2024 17:57:05.681946993 CEST	1.1.1.1	192.168.2.7	0x4fe	No error (0)	windowsupdatebg.s.llnwi.net	87.248.205.0	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

docsend.com

captainsquarterscigars.com

https:

fs.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49706	18.173.205.86	443	4312	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 15:56:17 UTC	675	OUT	GET /view/ws65kkaar2fwghua HTTP/1.1 Host: docsend.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-03 15:56:17 UTC	5892	IN	HTTP/1.1 302 Found Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Server: Cowboy Date: Thu, 03 Oct 2024 15:56:16 GMT Report-To: {"group":"heroku-nel","max_age":3600,"endpoints":[{"url":"https://nel.heroku.com/reports?ts=1727970977&sid=af571f24-03ee-46d1-9f90-ab9030c2c74c&s=xHRigrvbfeexXw7FdEYq12ISQZB03pyoU0%2B8m3MdapQ%3D"}]} Reporting-Endpoints: heroku-nel=https://nel.heroku.com/reports?ts=1727970977&sid=af571f24-03ee-46d1-9f90-ab9030c2c74c&s=xHRigrvbfeexXw7FdEYq12ISQZB03pyoU0%2B8m3MdapQ%3D Nel: {"report_to":"heroku-nel","max_age":3600,"success_fraction":0.005,"failure_fraction":0.05,"response_headers":["Via"]} Via: 1.1 vegur, 1.1 f41688bac877227b82b3347b2428d266.cloudfront.net (CloudFront) X-Frame-Options: DENY X-Content-Type-Options: nosniff Location: https://captainsquarterscigars.com/n/?c3Y9bzM2NV8xX25vbSZyYW5kPVZITlRiMWs9JnVpZD1VU0VSMzAwOTIwMjRVNTkwOTMwMTE=N0123N[randy.hibberd@cityofweiser.net] Cache-Control: no-cache Content-Security-Policy: connect-src 'self' blob: https://assets.docsend.com https://d1ng9lshxk6v9w.cloudfront.net https://.previews.dropboxusercontent.com//p.m3u8 https://.dropboxusercontent.com https://api.intercom.io https://api-iam.intercom.io https://api-ping.intercom.io https://nexus-websocket-a.intercom.io https://nexus-websocket-b.intercom.io https://nexus-long-poller-a.intercom.io https://nexus-long-poller-b.intercom.io wss://nexus-websocket-a.intercom.io wss://nexus-websocket-b.intercom.io https://.intercomcdn.com https://uploads.intercomusercontent.com https://sessions.bugsnag.com https://notify.bugsnag.com https://featuregates.org https://events.statsigapi.net https://browser-intake-datadoghq.com https://browser-intake-us3-datadoghq.com https://browser-intake-us5-datadoghq.com https://.kissmetrics.com https://.kissmetrics.io https://api.segment.io https://cdn.segment.com https://events.statsigapi.net/v1/rgstr https://statsigapi.net/v1/sdk_exception https://*.id.opendns.com https://www.googl [TRUNCATED] Set-Cookie: _v_=6OutfPXssqzn%2BEjsUFuVgUk2JNgpS%2BjY49BZCKgR6Vz%2FT%2FH62EKYhIleLIXV2o4mvDN%2F%2B59KGkwSJORqB2c9ozZYpUpPvc2GqhT5RJmX8wMZB9oiyg%3D%3D--jKsIuuAQSbFZSrRa--Hwwpls1tCspvYv9U7Yf%2FyA%3D%3D; domain=.docsend.com; path=/; expires=Fri, 03 Oct 2025 15:56:17 GMT; SameSite=None; secure Set-Cookie: _us_=eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaEpJZzkyYVdWM1pXUWdaRzlqQmpvR1JWUT0iLCJleHAiOm51bGwsInB1ciI6ImNvb2tpZS5fdXNfIn19--0a19c6dc51d459746e8b01d901655a78795a6225; domain=.docsend.com; path=/; expires=Mon, 03 Oct 2044 15:56:17 GMT; SameSite=None; secure Set-Cookie: _dss_=434ab01d589bbceb9d0de169d24151d3; domain=.docsend.com; path=/; secure; HttpOnly; SameSite=None X-Request-Id: 6aea4bf0-2491-4255-bea6-821c21730134 X-Runtime: 0.101780 Vary: Accept-Encoding, Origin Strict-Transport-Security: max-age=31556952; includeSubDomains; preload X-Cache: Miss from cloudfront X-Amz-Cf-Pop: FRA56-P12 X-Amz-Cf-Id: 8mj4XvMAYdKsfm029_GcPJf2lJU-wdgHO-qCDQm4-c2tv2kqei6TnQ==
2024-10-03 15:56:17 UTC	220	IN	Data Raw: 64 36 0d 0a 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 59 6f 75 20 61 72 65 20 62 65 69 6e 67 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 61 70 74 61 69 6e 73 71 75 61 72 74 65 72 73 63 69 67 61 72 73 2e 63 6f 6d 2f 6e 2f 3f 63 33 59 39 62 7a 4d 32 4e 56 38 78 58 32 35 76 62 53 5a 79 59 57 35 6b 50 56 5a 49 54 6c 52 69 4d 57 73 39 4a 6e 56 70 5a 44 31 56 55 30 56 53 4d 7a 41 77 4f 54 49 77 4d 6a 52 56 4e 54 6b 77 4f 54 4d 77 4d 54 45 3d 4e 30 31 32 33 4e 5b 72 61 6e 64 79 2e 68 69 62 62 65 72 64 40 63 69 74 79 6f 66 77 65 69 73 65 72 2e 6e 65 74 5d 22 3e 72 65 64 69 72 65 63 74 65 64 3c 2f 61 3e 2e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: d6<html><body>You are being <a href="https://captainsquarterscigars.com/n/?c3Y9bzM2NV8xX25vbSZyYW5kPVZITlRiMWs9JnVpZD1VU0VSMzAwOTIwMjRVNTkwOTMwMTE=N0123N[randy.hibberd@cityofweiser.net]">redirected</a>.</body></html>
2024-10-03 15:56:17 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49708	192.185.91.220	443	4312	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 15:56:18 UTC	782	OUT	GET /n/?c3Y9bzM2NV8xX25vbSZyYW5kPVZITlRiMWs9JnVpZD1VU0VSMzAwOTIwMjRVNTkwOTMwMTE=N0123N[randy.hibberd@cityofweiser.net] HTTP/1.1 Host: captainsquarterscigars.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-03 15:56:19 UTC	208	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 15:56:18 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Vary: Accept-Encoding Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8
2024-10-03 15:56:19 UTC	11	IN	Data Raw: 31 0d 0a 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 10

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49710	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-10-03 15:56:19 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-10-03 15:56:19 UTC	466	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=25936 Date: Thu, 03 Oct 2024 15:56:19 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49711	192.185.91.220	443	4312	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 15:56:20 UTC	721	OUT	GET /favicon.ico HTTP/1.1 Host: captainsquarterscigars.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://captainsquarterscigars.com/n/?c3Y9bzM2NV8xX25vbSZyYW5kPVZITlRiMWs9JnVpZD1VU0VSMzAwOTIwMjRVNTkwOTMwMTE=N0123N[randy.hibberd@cityofweiser.net] Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-03 15:56:20 UTC	176	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 15:56:20 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Content-Length: 0 Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49712	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-10-03 15:56:20 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-10-03 15:56:21 UTC	514	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=25951 Date: Thu, 03 Oct 2024 15:56:21 GMT Content-Length: 55 Connection: close X-CID: 2
2024-10-03 15:56:21 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49713	192.185.91.220	443	4312	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 15:56:21 UTC	361	OUT	GET /favicon.ico HTTP/1.1 Host: captainsquarterscigars.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: / Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-03 15:56:21 UTC	176	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 15:56:21 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Content-Length: 0 Content-Type: text/html; charset=UTF-8

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: chrome.exePID: 5336, Parent PID: 5796

General

Target ID:	2
Start time:	11:56:06
Start date:	03/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Imagebase:	0x7ff6c4390000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 4312, Parent PID: 5336

General

Target ID:	6
Start time:	11:56:12
Start date:	03/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 --field-trial-handle=1952,i,742254302403329463,5183052963729679332,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff6c4390000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 3652, Parent PID: 5796

General

Target ID:	10
Start time:	11:56:15
Start date:	03/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://docsend.com/view/ws65kkaar2fwghua"
Imagebase:	0x7ff6c4390000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://docsend.com/view/ws65kkaar2fwghua

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Chrome Cache Entry: 41

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: chrome.exePID: 5336, Parent PID: 5796

General

Chronological Activities

Analysis Process: chrome.exePID: 4312, Parent PID: 5336

General

Chronological Activities

Analysis Process: chrome.exePID: 3652, Parent PID: 5796

General

Chronological Activities

Disassembly

Windows Analysis Report
https://docsend.com/view/ws65kkaar2fwghua