Edit tour

Windows Analysis Report
https://fonts.googleapis.com/css?family=Roboto:300,400,500,700

Overview

General Information

Sample URL:	https://fonts.googleapis.com/css?family=Roboto:300,400,500,700
Analysis ID:	1528456
Infos:

Detection

Score:	1
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected non-DNS traffic on DNS port

Stores files to the Windows start menu directory

Classification

Process Tree

System is w10x64_ra

chrome.exe (PID: 5856 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6812 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1908,i,7098217179838175974,773093615988550590,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6436 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://fonts.googleapis.com/css?family=Roboto:300,400,500,700" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: https://fonts.googleapis.com/css?family=Roboto:300,400,500,700

HTTP Parser: No favicon

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.16:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.16:62706 version: TLS 1.2

Source: global traffic

TCP traffic: 192.168.2.16:62704 -> 1.1.1.1:53

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10

Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=1v7ztRNLeKDkuB2&MD=tprgWTV8 HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=1v7ztRNLeKDkuB2&MD=tprgWTV8 HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Source: global traffic

DNS traffic detected: DNS query: www.google.com

Source: chromecache_120.1.dr	String found in binary or memory: https://fonts.gstatic.com/s/roboto/v32/KFOlCnqEu92Fr1MmEU9fABc4EsA.woff2)
Source: chromecache_120.1.dr	String found in binary or memory: https://fonts.gstatic.com/s/roboto/v32/KFOlCnqEu92Fr1MmEU9fBBc4.woff2)
Source: chromecache_120.1.dr	String found in binary or memory: https://fonts.gstatic.com/s/roboto/v32/KFOlCnqEu92Fr1MmEU9fBxc4EsA.woff2)
Source: chromecache_120.1.dr	String found in binary or memory: https://fonts.gstatic.com/s/roboto/v32/KFOlCnqEu92Fr1MmEU9fCBc4EsA.woff2)
Source: chromecache_120.1.dr	String found in binary or memory: https://fonts.gstatic.com/s/roboto/v32/KFOlCnqEu92Fr1MmEU9fCRc4EsA.woff2)
Source: chromecache_120.1.dr	String found in binary or memory: https://fonts.gstatic.com/s/roboto/v32/KFOlCnqEu92Fr1MmEU9fChc4EsA.woff2)
Source: chromecache_120.1.dr	String found in binary or memory: https://fonts.gstatic.com/s/roboto/v32/KFOlCnqEu92Fr1MmEU9fCxc4EsA.woff2)
Source: chromecache_120.1.dr	String found in binary or memory: https://fonts.gstatic.com/s/roboto/v32/KFOlCnqEu92Fr1MmSU5fABc4EsA.woff2)
Source: chromecache_120.1.dr	String found in binary or memory: https://fonts.gstatic.com/s/roboto/v32/KFOlCnqEu92Fr1MmSU5fBBc4.woff2)
Source: chromecache_120.1.dr	String found in binary or memory: https://fonts.gstatic.com/s/roboto/v32/KFOlCnqEu92Fr1MmSU5fBxc4EsA.woff2)
Source: chromecache_120.1.dr	String found in binary or memory: https://fonts.gstatic.com/s/roboto/v32/KFOlCnqEu92Fr1MmSU5fCBc4EsA.woff2)
Source: chromecache_120.1.dr	String found in binary or memory: https://fonts.gstatic.com/s/roboto/v32/KFOlCnqEu92Fr1MmSU5fCRc4EsA.woff2)
Source: chromecache_120.1.dr	String found in binary or memory: https://fonts.gstatic.com/s/roboto/v32/KFOlCnqEu92Fr1MmSU5fChc4EsA.woff2)
Source: chromecache_120.1.dr	String found in binary or memory: https://fonts.gstatic.com/s/roboto/v32/KFOlCnqEu92Fr1MmSU5fCxc4EsA.woff2)
Source: chromecache_120.1.dr	String found in binary or memory: https://fonts.gstatic.com/s/roboto/v32/KFOlCnqEu92Fr1MmWUlfABc4EsA.woff2)
Source: chromecache_120.1.dr	String found in binary or memory: https://fonts.gstatic.com/s/roboto/v32/KFOlCnqEu92Fr1MmWUlfBBc4.woff2)
Source: chromecache_120.1.dr	String found in binary or memory: https://fonts.gstatic.com/s/roboto/v32/KFOlCnqEu92Fr1MmWUlfBxc4EsA.woff2)
Source: chromecache_120.1.dr	String found in binary or memory: https://fonts.gstatic.com/s/roboto/v32/KFOlCnqEu92Fr1MmWUlfCBc4EsA.woff2)
Source: chromecache_120.1.dr	String found in binary or memory: https://fonts.gstatic.com/s/roboto/v32/KFOlCnqEu92Fr1MmWUlfCRc4EsA.woff2)
Source: chromecache_120.1.dr	String found in binary or memory: https://fonts.gstatic.com/s/roboto/v32/KFOlCnqEu92Fr1MmWUlfChc4EsA.woff2)
Source: chromecache_120.1.dr	String found in binary or memory: https://fonts.gstatic.com/s/roboto/v32/KFOlCnqEu92Fr1MmWUlfCxc4EsA.woff2)
Source: chromecache_120.1.dr	String found in binary or memory: https://fonts.gstatic.com/s/roboto/v32/KFOmCnqEu92Fr1Mu4WxKOzY.woff2)
Source: chromecache_120.1.dr	String found in binary or memory: https://fonts.gstatic.com/s/roboto/v32/KFOmCnqEu92Fr1Mu4mxK.woff2)
Source: chromecache_120.1.dr	String found in binary or memory: https://fonts.gstatic.com/s/roboto/v32/KFOmCnqEu92Fr1Mu5mxKOzY.woff2)
Source: chromecache_120.1.dr	String found in binary or memory: https://fonts.gstatic.com/s/roboto/v32/KFOmCnqEu92Fr1Mu72xKOzY.woff2)
Source: chromecache_120.1.dr	String found in binary or memory: https://fonts.gstatic.com/s/roboto/v32/KFOmCnqEu92Fr1Mu7GxKOzY.woff2)
Source: chromecache_120.1.dr	String found in binary or memory: https://fonts.gstatic.com/s/roboto/v32/KFOmCnqEu92Fr1Mu7WxKOzY.woff2)
Source: chromecache_120.1.dr	String found in binary or memory: https://fonts.gstatic.com/s/roboto/v32/KFOmCnqEu92Fr1Mu7mxKOzY.woff2)

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 62708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.16:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.16:62706 version: TLS 1.2

Source: classification engine

Classification label: clean1.win@22/8@2/3

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Jump to behavior

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1908,i,7098217179838175974,773093615988550590,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://fonts.googleapis.com/css?family=Roboto:300,400,500,700"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1908,i,7098217179838175974,773093615988550590,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Google Drive.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	1 Process Injection	1 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.google.com	216.58.206.36	true	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
239.255.255.250	unknown	Reserved		unknown	unknown	false
216.58.206.36	www.google.com	United States		15169	GOOGLEUS	false

Private

IP
192.168.2.16

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528456
Start date and time:	2024-10-07 22:55:23 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Sample URL:	https://fonts.googleapis.com/css?family=Roboto:300,400,500,700
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean1.win@22/8@2/3
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 172.217.16.195, 74.125.133.84, 142.250.184.238, 216.58.206.42, 34.104.35.123, 142.250.185.163, 93.184.221.240, 172.217.23.99, 216.58.206.78
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: https://fonts.googleapis.com/css?family=Roboto:300,400,500,700

Simulations

Behavior and APIs

⊘No simulations

LLM Input / Output

Input	Output
URL: https://fonts.googleapis.com/css?family=Roboto:300,400,500,700 Model: jbxai	{ "brand":["Globi"], "contains_trigger_text":true, "trigger_text":"Click here to view document", "prominent_button_name":"unknown", "text_input_field_labels":"unknown", "pdf_icon_visible":false, "has_visible_captcha":false, "has_urgent_text":false, "text":"The provided webpage is a landing page for Globi, a company that offers document sharing and viewing services. The page contains trigger text such as 'Click here to view document' and has a prominent button labeled 'View Document.' However, there are no visible input fields, PDF icons, CAPTCHAs, or urgent text on the page.", "has_visible_qrcode":false}

Input

Output

URL: https://fonts.googleapis.com/css?family=Roboto:300,400,500,700 Model: jbxai

{
"brand":["Globi"],
"contains_trigger_text":true,
"trigger_text":"Click here to view document",
"prominent_button_name":"unknown",
"text_input_field_labels":"unknown",
"pdf_icon_visible":false,
"has_visible_captcha":false,
"has_urgent_text":false,
"text":"The provided webpage is a landing page for Globi,
 a company that offers document sharing and viewing services. The page contains trigger text such as 'Click here to view document' and has a prominent button labeled 'View Document.' However,
 there are no visible input fields,
 PDF icons,
 CAPTCHAs,
 or urgent text on the page.",
"has_visible_qrcode":false}

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Oct 7 19:55:54 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2673
Entropy (8bit):	3.987660319025838
Encrypted:	false
SSDEEP:	48:8bgdrTzLLHxidAKZdA1FehwiZUklqehGy+3:807vty
MD5:	F30E82CA1A862627DB681DE2DE74E858
SHA1:	27AC53FA2773EFCD7D52135913AE75C449953160
SHA-256:	CDB5610AB13F259F7ADF26822DDF7F8BF4DF058FBD3A13B7FB5B2EA8BC062505
SHA-512:	C0766BFFD0ACBCAC30BE6F4EC27AAA9CAC69E6BD82D723BB8B9E584EBD0AE1FE0B086EB50308D9E96249977345D19C53E9B8DF85B48038CF272BCDC778BF0A89
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......8M....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IGY.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VGY......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VGY......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VGY............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VGY.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........AK.\|.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Oct 7 19:55:54 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2675
Entropy (8bit):	4.003528535172049
Encrypted:	false
SSDEEP:	48:8ydrTzLLHxidAKZdA1seh/iZUkAQkqehdy+2:8e7Z9Qgy
MD5:	11647A94EF927AE3B1B87B8B5396060D
SHA1:	58C0B0B434F1E5950CB41275C47B025ECDB24B5F
SHA-256:	72EF6FC491485B21A1D0A6A2440DAA9310043F4E221F386897FA76DFE08F6F4E
SHA-512:	B130B121508D382EDE554DAE010D0AE302D4BF6889F8419481782237E38B535CA51B88D5C5F596A35EDBF606764F7FCC0F95DAF396013771F621AB8E6067872F
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......,M....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IGY.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VGY......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VGY......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VGY............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VGY.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........AK.\|.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:05:01 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2689
Entropy (8bit):	4.011195911044588
Encrypted:	false
SSDEEP:	48:80drTzLAHxidAKZdA14meh7sFiZUkmgqeh7sXy+BX:8E7cnJy
MD5:	27CE79C84CE997F7076549F969E694E0
SHA1:	C62CFBDCE8D4FC0D6326AD9C135DC6F1D1445544
SHA-256:	1CA2BF343AD61ACFB4EFB7F80DB68C101A538620B68D08C8AB498FD298FCAA64
SHA-512:	5D2CD41DC0B0667CD7F1FE2B439CF55B1150CB9CEAC2CE7D57F4B461BE3C2321D34A09E7760C68CFDBB24411683FA117AA795DF9F1F30F12A209B85B38F6DFE7
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.....Y.04...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IGY.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VGY......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VGY......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VGY............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VFW.E...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........AK.\|.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Oct 7 19:55:54 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	4.00037253712535
Encrypted:	false
SSDEEP:	48:8RdrTzLLHxidAKZdA1TehDiZUkwqehhy+R:8f7KPy
MD5:	24CF823F47703B014A603C387FD1FDB9
SHA1:	05BD623C282CF3C374AC77B0FA1E7D90C3AB1F02
SHA-256:	71F07DE567CF71027659571EF700FCA4A7E33245368974DCEF3C43FA62791BB2
SHA-512:	02A3B84D246AFDFA684301196E10B69CC09B5AEA8F21EE22E1F60BD81971ED1841DC34057238EFE0D968B1A75EE251347B90230BBA656B8FB955440BE971F72F
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....M.%M....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IGY.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VGY......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VGY......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VGY............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VGY.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........AK.\|.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Oct 7 19:55:54 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.989824452626601
Encrypted:	false
SSDEEP:	48:8IqdrTzLLHxidAKZdA1dehBiZUk1W1qehzy+C:8J7K9Ty
MD5:	A3FA0A6F30EAA79A793B51B4D152DCF2
SHA1:	DDE885755AEE4A49F4E42EC82510A2B22AC56D61
SHA-256:	7AB1F9662F907339E69F27854713EDA72188DAF04B4CA3EA6A61D0D0F5FDC82F
SHA-512:	DADAA4B09D2F349B0FD96F40EEC031BAF337D505A6F52C9B2C603DBCAE7A3A3863DA6D41AC163044B0C8F85E31D45B8DEC8169D68BD3DBB88E6B73AD00FEAA34
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......2M....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IGY.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VGY......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VGY......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VGY............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VGY.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........AK.\|.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Oct 7 19:55:54 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	3.9993594718172445
Encrypted:	false
SSDEEP:	48:80drTzLLHxidAKZdA1duTeehOuTbbiZUk5OjqehOuTbJy+yT+:8E7ATfTbxWOvTbJy7T
MD5:	75C783376AB2091D4C4D078C141E59A4
SHA1:	18ED1D20494348FB55604367DC99A53A888671BD
SHA-256:	E6E6EBC60EE314B826D24FC21A9390FB63894A74712FF16D960253EF2CB80648
SHA-512:	BB77D71A47D1533BE80CCE63A60B83AE5BC8C99A7EB3E9C8A8D7F3F4D18C5729A7DE7FD5005F0801CFDC77428A8E812814B08D68C88D60F1FF459441F46A1EA7
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....;..M....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IGY.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VGY......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VGY......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VGY............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VGY.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........AK.\|.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Chrome Cache Entry: 120

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	8732
Entropy (8bit):	5.394992540059779
Encrypted:	false
SSDEEP:	192:pNY5N+NRNY3qNkN+XNWNPQNNNiNk3XNPN8qNYrNm7NCNRNS3sNEN8NNtNF1NHNU/:vYfUH2QiScPeD4CdFFwmBYHAaCijF7tS
MD5:	491071B193CBF66E4DC49AA6557107CB
SHA1:	BC94B425EB19BB3E858540767782B3A55BBE2DF8
SHA-256:	4DD49D1F89345B2F261EE71D4CE0020EC9ABCEECF6048B443F3BC4D6386C546F
SHA-512:	290733E1E1D07CB4AB72BFA051539679915EC2A33D38866E2E20AE7722A1471EF3E44EADD84EBCABFCCF2E631B6356ED7F44CD42FBA592D73474A464EAE4B123
Malicious:	false
Reputation:	low
URL:	"https://fonts.googleapis.com/css?family=Roboto:300,400,500,700"
Preview:	/* cyrillic-ext /.@font-face {. font-family: 'Roboto';. font-style: normal;. font-weight: 300;. src: url(https://fonts.gstatic.com/s/roboto/v32/KFOlCnqEu92Fr1MmSU5fCRc4EsA.woff2) format('woff2');. unicode-range: U+0460-052F, U+1C80-1C88, U+20B4, U+2DE0-2DFF, U+A640-A69F, U+FE2E-FE2F;.}./ cyrillic /.@font-face {. font-family: 'Roboto';. font-style: normal;. font-weight: 300;. src: url(https://fonts.gstatic.com/s/roboto/v32/KFOlCnqEu92Fr1MmSU5fABc4EsA.woff2) format('woff2');. unicode-range: U+0301, U+0400-045F, U+0490-0491, U+04B0-04B1, U+2116;.}./ greek-ext /.@font-face {. font-family: 'Roboto';. font-style: normal;. font-weight: 300;. src: url(https://fonts.gstatic.com/s/roboto/v32/KFOlCnqEu92Fr1MmSU5fCBc4EsA.woff2) format('woff2');. unicode-range: U+1F00-1FFF;.}./ greek */.@font-face {. font-family: 'Roboto';. font-style: normal;. font-weight: 300;. src: url(https://fonts.gstatic.com/s/roboto/v32/KFOlCnqEu92Fr1MmSU5fBxc4EsA.woff2) format('woff2');. unicode-ra

Static File Info

⊘No static file info

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2024 22:55:55.417076111 CEST	49673	443	192.168.2.16	204.79.197.203
Oct 7, 2024 22:55:55.731101990 CEST	49673	443	192.168.2.16	204.79.197.203
Oct 7, 2024 22:55:56.332901001 CEST	49673	443	192.168.2.16	204.79.197.203
Oct 7, 2024 22:55:57.539047003 CEST	49673	443	192.168.2.16	204.79.197.203
Oct 7, 2024 22:55:58.471527100 CEST	49707	443	192.168.2.16	216.58.206.36
Oct 7, 2024 22:55:58.471617937 CEST	443	49707	216.58.206.36	192.168.2.16
Oct 7, 2024 22:55:58.471705914 CEST	49707	443	192.168.2.16	216.58.206.36
Oct 7, 2024 22:55:58.472028971 CEST	49707	443	192.168.2.16	216.58.206.36
Oct 7, 2024 22:55:58.472064018 CEST	443	49707	216.58.206.36	192.168.2.16
Oct 7, 2024 22:55:59.089550972 CEST	443	49707	216.58.206.36	192.168.2.16
Oct 7, 2024 22:55:59.089910984 CEST	49707	443	192.168.2.16	216.58.206.36
Oct 7, 2024 22:55:59.089942932 CEST	443	49707	216.58.206.36	192.168.2.16
Oct 7, 2024 22:55:59.091661930 CEST	443	49707	216.58.206.36	192.168.2.16
Oct 7, 2024 22:55:59.091743946 CEST	49707	443	192.168.2.16	216.58.206.36
Oct 7, 2024 22:55:59.093053102 CEST	49707	443	192.168.2.16	216.58.206.36
Oct 7, 2024 22:55:59.093143940 CEST	443	49707	216.58.206.36	192.168.2.16
Oct 7, 2024 22:55:59.120531082 CEST	49689	80	192.168.2.16	192.229.211.108
Oct 7, 2024 22:55:59.132908106 CEST	49707	443	192.168.2.16	216.58.206.36
Oct 7, 2024 22:55:59.132932901 CEST	443	49707	216.58.206.36	192.168.2.16
Oct 7, 2024 22:55:59.180938959 CEST	49707	443	192.168.2.16	216.58.206.36
Oct 7, 2024 22:55:59.948283911 CEST	49673	443	192.168.2.16	204.79.197.203
Oct 7, 2024 22:56:01.655126095 CEST	49711	443	192.168.2.16	184.28.90.27
Oct 7, 2024 22:56:01.655165911 CEST	443	49711	184.28.90.27	192.168.2.16
Oct 7, 2024 22:56:01.655258894 CEST	49711	443	192.168.2.16	184.28.90.27
Oct 7, 2024 22:56:01.656791925 CEST	49711	443	192.168.2.16	184.28.90.27
Oct 7, 2024 22:56:01.656802893 CEST	443	49711	184.28.90.27	192.168.2.16
Oct 7, 2024 22:56:02.274300098 CEST	443	49711	184.28.90.27	192.168.2.16
Oct 7, 2024 22:56:02.274403095 CEST	49711	443	192.168.2.16	184.28.90.27
Oct 7, 2024 22:56:02.281064034 CEST	49711	443	192.168.2.16	184.28.90.27
Oct 7, 2024 22:56:02.281079054 CEST	443	49711	184.28.90.27	192.168.2.16
Oct 7, 2024 22:56:02.281337023 CEST	443	49711	184.28.90.27	192.168.2.16
Oct 7, 2024 22:56:02.335860014 CEST	49711	443	192.168.2.16	184.28.90.27
Oct 7, 2024 22:56:02.379443884 CEST	443	49711	184.28.90.27	192.168.2.16
Oct 7, 2024 22:56:02.527054071 CEST	443	49711	184.28.90.27	192.168.2.16
Oct 7, 2024 22:56:02.527154922 CEST	443	49711	184.28.90.27	192.168.2.16
Oct 7, 2024 22:56:02.527220964 CEST	49711	443	192.168.2.16	184.28.90.27
Oct 7, 2024 22:56:02.527285099 CEST	49711	443	192.168.2.16	184.28.90.27
Oct 7, 2024 22:56:02.527301073 CEST	443	49711	184.28.90.27	192.168.2.16
Oct 7, 2024 22:56:02.527314901 CEST	49711	443	192.168.2.16	184.28.90.27
Oct 7, 2024 22:56:02.527318954 CEST	443	49711	184.28.90.27	192.168.2.16
Oct 7, 2024 22:56:02.564207077 CEST	49712	443	192.168.2.16	184.28.90.27
Oct 7, 2024 22:56:02.564269066 CEST	443	49712	184.28.90.27	192.168.2.16
Oct 7, 2024 22:56:02.564337969 CEST	49712	443	192.168.2.16	184.28.90.27
Oct 7, 2024 22:56:02.564748049 CEST	49712	443	192.168.2.16	184.28.90.27
Oct 7, 2024 22:56:02.564765930 CEST	443	49712	184.28.90.27	192.168.2.16
Oct 7, 2024 22:56:03.323100090 CEST	443	49712	184.28.90.27	192.168.2.16
Oct 7, 2024 22:56:03.323187113 CEST	49712	443	192.168.2.16	184.28.90.27
Oct 7, 2024 22:56:03.324836969 CEST	49712	443	192.168.2.16	184.28.90.27
Oct 7, 2024 22:56:03.324860096 CEST	443	49712	184.28.90.27	192.168.2.16
Oct 7, 2024 22:56:03.325249910 CEST	443	49712	184.28.90.27	192.168.2.16
Oct 7, 2024 22:56:03.327001095 CEST	49712	443	192.168.2.16	184.28.90.27
Oct 7, 2024 22:56:03.367423058 CEST	443	49712	184.28.90.27	192.168.2.16
Oct 7, 2024 22:56:03.583031893 CEST	443	49712	184.28.90.27	192.168.2.16
Oct 7, 2024 22:56:03.583115101 CEST	443	49712	184.28.90.27	192.168.2.16
Oct 7, 2024 22:56:03.583839893 CEST	49712	443	192.168.2.16	184.28.90.27
Oct 7, 2024 22:56:03.583967924 CEST	49712	443	192.168.2.16	184.28.90.27
Oct 7, 2024 22:56:03.584003925 CEST	443	49712	184.28.90.27	192.168.2.16
Oct 7, 2024 22:56:03.584024906 CEST	49712	443	192.168.2.16	184.28.90.27
Oct 7, 2024 22:56:03.584037066 CEST	443	49712	184.28.90.27	192.168.2.16
Oct 7, 2024 22:56:03.594147921 CEST	49678	443	192.168.2.16	20.189.173.10
Oct 7, 2024 22:56:03.895956039 CEST	49678	443	192.168.2.16	20.189.173.10
Oct 7, 2024 22:56:04.502940893 CEST	49678	443	192.168.2.16	20.189.173.10
Oct 7, 2024 22:56:04.758975983 CEST	49673	443	192.168.2.16	204.79.197.203
Oct 7, 2024 22:56:05.508665085 CEST	49713	443	192.168.2.16	4.175.87.197
Oct 7, 2024 22:56:05.508770943 CEST	443	49713	4.175.87.197	192.168.2.16
Oct 7, 2024 22:56:05.508914948 CEST	49713	443	192.168.2.16	4.175.87.197
Oct 7, 2024 22:56:05.510168076 CEST	49713	443	192.168.2.16	4.175.87.197
Oct 7, 2024 22:56:05.510214090 CEST	443	49713	4.175.87.197	192.168.2.16
Oct 7, 2024 22:56:05.715936899 CEST	49678	443	192.168.2.16	20.189.173.10
Oct 7, 2024 22:56:06.319875956 CEST	443	49713	4.175.87.197	192.168.2.16
Oct 7, 2024 22:56:06.320005894 CEST	49713	443	192.168.2.16	4.175.87.197
Oct 7, 2024 22:56:06.322458029 CEST	49713	443	192.168.2.16	4.175.87.197
Oct 7, 2024 22:56:06.322489023 CEST	443	49713	4.175.87.197	192.168.2.16
Oct 7, 2024 22:56:06.322839975 CEST	443	49713	4.175.87.197	192.168.2.16
Oct 7, 2024 22:56:06.370923996 CEST	49713	443	192.168.2.16	4.175.87.197
Oct 7, 2024 22:56:06.374398947 CEST	49713	443	192.168.2.16	4.175.87.197
Oct 7, 2024 22:56:06.419410944 CEST	443	49713	4.175.87.197	192.168.2.16
Oct 7, 2024 22:56:06.644068003 CEST	443	49713	4.175.87.197	192.168.2.16
Oct 7, 2024 22:56:06.644092083 CEST	443	49713	4.175.87.197	192.168.2.16
Oct 7, 2024 22:56:06.644099951 CEST	443	49713	4.175.87.197	192.168.2.16
Oct 7, 2024 22:56:06.644109964 CEST	443	49713	4.175.87.197	192.168.2.16
Oct 7, 2024 22:56:06.644145012 CEST	443	49713	4.175.87.197	192.168.2.16
Oct 7, 2024 22:56:06.644180059 CEST	49713	443	192.168.2.16	4.175.87.197
Oct 7, 2024 22:56:06.644217968 CEST	443	49713	4.175.87.197	192.168.2.16
Oct 7, 2024 22:56:06.644238949 CEST	49713	443	192.168.2.16	4.175.87.197
Oct 7, 2024 22:56:06.644269943 CEST	49713	443	192.168.2.16	4.175.87.197
Oct 7, 2024 22:56:06.646389008 CEST	443	49713	4.175.87.197	192.168.2.16
Oct 7, 2024 22:56:06.646461010 CEST	49713	443	192.168.2.16	4.175.87.197
Oct 7, 2024 22:56:06.646470070 CEST	443	49713	4.175.87.197	192.168.2.16
Oct 7, 2024 22:56:06.646487951 CEST	443	49713	4.175.87.197	192.168.2.16
Oct 7, 2024 22:56:06.646542072 CEST	49713	443	192.168.2.16	4.175.87.197
Oct 7, 2024 22:56:06.655716896 CEST	49713	443	192.168.2.16	4.175.87.197
Oct 7, 2024 22:56:06.655735970 CEST	443	49713	4.175.87.197	192.168.2.16
Oct 7, 2024 22:56:06.655754089 CEST	49713	443	192.168.2.16	4.175.87.197
Oct 7, 2024 22:56:06.655761003 CEST	443	49713	4.175.87.197	192.168.2.16
Oct 7, 2024 22:56:08.060139894 CEST	49680	80	192.168.2.16	192.229.211.108
Oct 7, 2024 22:56:08.123953104 CEST	49678	443	192.168.2.16	20.189.173.10
Oct 7, 2024 22:56:08.362961054 CEST	49680	80	192.168.2.16	192.229.211.108
Oct 7, 2024 22:56:08.967962027 CEST	49680	80	192.168.2.16	192.229.211.108
Oct 7, 2024 22:56:08.987598896 CEST	443	49707	216.58.206.36	192.168.2.16
Oct 7, 2024 22:56:08.987773895 CEST	443	49707	216.58.206.36	192.168.2.16
Oct 7, 2024 22:56:08.987838984 CEST	49707	443	192.168.2.16	216.58.206.36
Oct 7, 2024 22:56:09.879157066 CEST	49707	443	192.168.2.16	216.58.206.36
Oct 7, 2024 22:56:09.879206896 CEST	443	49707	216.58.206.36	192.168.2.16
Oct 7, 2024 22:56:10.180963993 CEST	49680	80	192.168.2.16	192.229.211.108
Oct 7, 2024 22:56:12.592014074 CEST	49680	80	192.168.2.16	192.229.211.108
Oct 7, 2024 22:56:12.928010941 CEST	49678	443	192.168.2.16	20.189.173.10
Oct 7, 2024 22:56:14.364044905 CEST	49673	443	192.168.2.16	204.79.197.203
Oct 7, 2024 22:56:17.401129961 CEST	49680	80	192.168.2.16	192.229.211.108
Oct 7, 2024 22:56:22.532025099 CEST	49678	443	192.168.2.16	20.189.173.10
Oct 7, 2024 22:56:27.009085894 CEST	49680	80	192.168.2.16	192.229.211.108
Oct 7, 2024 22:56:34.422136068 CEST	62704	53	192.168.2.16	1.1.1.1
Oct 7, 2024 22:56:34.683108091 CEST	53	62704	1.1.1.1	192.168.2.16
Oct 7, 2024 22:56:34.683259964 CEST	62704	53	192.168.2.16	1.1.1.1
Oct 7, 2024 22:56:34.683360100 CEST	62704	53	192.168.2.16	1.1.1.1
Oct 7, 2024 22:56:34.688386917 CEST	53	62704	1.1.1.1	192.168.2.16
Oct 7, 2024 22:56:35.122873068 CEST	53	62704	1.1.1.1	192.168.2.16
Oct 7, 2024 22:56:35.123696089 CEST	62704	53	192.168.2.16	1.1.1.1
Oct 7, 2024 22:56:35.129379988 CEST	53	62704	1.1.1.1	192.168.2.16
Oct 7, 2024 22:56:35.129496098 CEST	62704	53	192.168.2.16	1.1.1.1
Oct 7, 2024 22:56:43.056886911 CEST	62706	443	192.168.2.16	4.175.87.197
Oct 7, 2024 22:56:43.056952953 CEST	443	62706	4.175.87.197	192.168.2.16
Oct 7, 2024 22:56:43.057054043 CEST	62706	443	192.168.2.16	4.175.87.197
Oct 7, 2024 22:56:43.057477951 CEST	62706	443	192.168.2.16	4.175.87.197
Oct 7, 2024 22:56:43.057498932 CEST	443	62706	4.175.87.197	192.168.2.16
Oct 7, 2024 22:56:44.414431095 CEST	443	62706	4.175.87.197	192.168.2.16
Oct 7, 2024 22:56:44.414551973 CEST	62706	443	192.168.2.16	4.175.87.197
Oct 7, 2024 22:56:44.416316032 CEST	62706	443	192.168.2.16	4.175.87.197
Oct 7, 2024 22:56:44.416342020 CEST	443	62706	4.175.87.197	192.168.2.16
Oct 7, 2024 22:56:44.416618109 CEST	443	62706	4.175.87.197	192.168.2.16
Oct 7, 2024 22:56:44.418153048 CEST	62706	443	192.168.2.16	4.175.87.197
Oct 7, 2024 22:56:44.463413000 CEST	443	62706	4.175.87.197	192.168.2.16
Oct 7, 2024 22:56:44.747663021 CEST	443	62706	4.175.87.197	192.168.2.16
Oct 7, 2024 22:56:44.747692108 CEST	443	62706	4.175.87.197	192.168.2.16
Oct 7, 2024 22:56:44.747735023 CEST	443	62706	4.175.87.197	192.168.2.16
Oct 7, 2024 22:56:44.747790098 CEST	62706	443	192.168.2.16	4.175.87.197
Oct 7, 2024 22:56:44.747844934 CEST	443	62706	4.175.87.197	192.168.2.16
Oct 7, 2024 22:56:44.747869968 CEST	62706	443	192.168.2.16	4.175.87.197
Oct 7, 2024 22:56:44.747930050 CEST	62706	443	192.168.2.16	4.175.87.197
Oct 7, 2024 22:56:44.749862909 CEST	443	62706	4.175.87.197	192.168.2.16
Oct 7, 2024 22:56:44.749897003 CEST	443	62706	4.175.87.197	192.168.2.16
Oct 7, 2024 22:56:44.749931097 CEST	62706	443	192.168.2.16	4.175.87.197
Oct 7, 2024 22:56:44.749949932 CEST	443	62706	4.175.87.197	192.168.2.16
Oct 7, 2024 22:56:44.749973059 CEST	443	62706	4.175.87.197	192.168.2.16
Oct 7, 2024 22:56:44.749978065 CEST	62706	443	192.168.2.16	4.175.87.197
Oct 7, 2024 22:56:44.750022888 CEST	62706	443	192.168.2.16	4.175.87.197
Oct 7, 2024 22:56:44.750782967 CEST	62706	443	192.168.2.16	4.175.87.197
Oct 7, 2024 22:56:44.750811100 CEST	443	62706	4.175.87.197	192.168.2.16
Oct 7, 2024 22:56:44.750828028 CEST	62706	443	192.168.2.16	4.175.87.197
Oct 7, 2024 22:56:44.750834942 CEST	443	62706	4.175.87.197	192.168.2.16
Oct 7, 2024 22:56:58.529175997 CEST	62708	443	192.168.2.16	216.58.206.36
Oct 7, 2024 22:56:58.529268026 CEST	443	62708	216.58.206.36	192.168.2.16
Oct 7, 2024 22:56:58.529366970 CEST	62708	443	192.168.2.16	216.58.206.36
Oct 7, 2024 22:56:58.529566050 CEST	62708	443	192.168.2.16	216.58.206.36
Oct 7, 2024 22:56:58.529601097 CEST	443	62708	216.58.206.36	192.168.2.16
Oct 7, 2024 22:56:59.715423107 CEST	443	62708	216.58.206.36	192.168.2.16
Oct 7, 2024 22:56:59.715753078 CEST	62708	443	192.168.2.16	216.58.206.36
Oct 7, 2024 22:56:59.715790987 CEST	443	62708	216.58.206.36	192.168.2.16
Oct 7, 2024 22:56:59.716253996 CEST	443	62708	216.58.206.36	192.168.2.16
Oct 7, 2024 22:56:59.716525078 CEST	62708	443	192.168.2.16	216.58.206.36
Oct 7, 2024 22:56:59.716610909 CEST	443	62708	216.58.206.36	192.168.2.16
Oct 7, 2024 22:56:59.758480072 CEST	62708	443	192.168.2.16	216.58.206.36
Oct 7, 2024 22:57:09.039702892 CEST	443	62708	216.58.206.36	192.168.2.16
Oct 7, 2024 22:57:09.039767027 CEST	443	62708	216.58.206.36	192.168.2.16
Oct 7, 2024 22:57:09.039834976 CEST	62708	443	192.168.2.16	216.58.206.36
Oct 7, 2024 22:57:09.871119976 CEST	62708	443	192.168.2.16	216.58.206.36
Oct 7, 2024 22:57:09.871195078 CEST	443	62708	216.58.206.36	192.168.2.16

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2024 22:55:53.643821955 CEST	53	62785	1.1.1.1	192.168.2.16
Oct 7, 2024 22:55:53.679207087 CEST	53	53667	1.1.1.1	192.168.2.16
Oct 7, 2024 22:55:54.577210903 CEST	53	62477	1.1.1.1	192.168.2.16
Oct 7, 2024 22:55:54.732949018 CEST	53	49908	1.1.1.1	192.168.2.16
Oct 7, 2024 22:55:58.463021994 CEST	62483	53	192.168.2.16	1.1.1.1
Oct 7, 2024 22:55:58.463134050 CEST	60731	53	192.168.2.16	1.1.1.1
Oct 7, 2024 22:55:58.470616102 CEST	53	62483	1.1.1.1	192.168.2.16
Oct 7, 2024 22:55:58.470822096 CEST	53	60731	1.1.1.1	192.168.2.16
Oct 7, 2024 22:56:11.642652035 CEST	53	64860	1.1.1.1	192.168.2.16
Oct 7, 2024 22:56:30.372225046 CEST	53	58228	1.1.1.1	192.168.2.16
Oct 7, 2024 22:56:34.421698093 CEST	53	59482	1.1.1.1	192.168.2.16
Oct 7, 2024 22:56:53.635499954 CEST	53	61998	1.1.1.1	192.168.2.16
Oct 7, 2024 22:56:59.748130083 CEST	138	138	192.168.2.16	192.168.2.255

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 7, 2024 22:55:58.463021994 CEST	192.168.2.16	1.1.1.1	0xce33	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Oct 7, 2024 22:55:58.463134050 CEST	192.168.2.16	1.1.1.1	0x15eb	Standard query (0)	www.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 7, 2024 22:55:58.470616102 CEST	1.1.1.1	192.168.2.16	0xce33	No error (0)	www.google.com		216.58.206.36	A (IP address)	IN (0x0001)	false
Oct 7, 2024 22:55:58.470822096 CEST	1.1.1.1	192.168.2.16	0x15eb	No error (0)	www.google.com			65	IN (0x0001)	false

HTTP Request Dependency Graph

fs.microsoft.com

slscr.update.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.16	49711	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-10-07 20:56:02 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-10-07 20:56:02 UTC	467	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF45) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=157780 Date: Mon, 07 Oct 2024 20:56:02 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.16	49712	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-10-07 20:56:03 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-10-07 20:56:03 UTC	515	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=157715 Date: Mon, 07 Oct 2024 20:56:03 GMT Content-Length: 55 Connection: close X-CID: 2
2024-10-07 20:56:03 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.16	49713	4.175.87.197	443

Timestamp	Bytes transferred	Direction	Data
2024-10-07 20:56:06 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=1v7ztRNLeKDkuB2&MD=tprgWTV8 HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-07 20:56:06 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: 12c407af-7cc5-4b2d-9a91-8243721eaf39 MS-RequestId: cc32a414-334a-4ac9-b41d-b73ee77da7e7 MS-CV: AQ+7+9Loy0i6k4xM.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Mon, 07 Oct 2024 20:56:05 GMT Connection: close Content-Length: 24490
2024-10-07 20:56:06 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-10-07 20:56:06 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.16	62706	4.175.87.197	443

Timestamp	Bytes transferred	Direction	Data
2024-10-07 20:56:44 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=1v7ztRNLeKDkuB2&MD=tprgWTV8 HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-07 20:56:44 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440" MS-CorrelationId: f52bc617-ee3f-48f9-b0c4-9c14d7d2525b MS-RequestId: 8381618b-924d-45f5-8c10-e8fe42ae812c MS-CV: eyrw5OU4xUalsbPY.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Mon, 07 Oct 2024 20:56:43 GMT Connection: close Content-Length: 30005
2024-10-07 20:56:44 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK\|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
2024-10-07 20:56:44 UTC	14181	IN	Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: chrome.exePID: 5856, Parent PID: 5756

General

Target ID:	0
Start time:	16:55:51
Start date:	07/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Imagebase:	0x7ff7f9810000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 6812, Parent PID: 5856

General

Target ID:	1
Start time:	16:55:52
Start date:	07/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1908,i,7098217179838175974,773093615988550590,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff7f9810000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 6436, Parent PID: 5756

General

Target ID:	2
Start time:	16:55:53
Start date:	07/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://fonts.googleapis.com/css?family=Roboto:300,400,500,700"
Imagebase:	0x7ff7f9810000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://fonts.googleapis.com/css?family=Roboto:300,400,500,700

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Phishing

Compliance

Networking

System Summary

Boot Survival

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Chrome Cache Entry: 120

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: chrome.exePID: 5856, Parent PID: 5756

General

Chronological Activities

Analysis Process: chrome.exePID: 6812, Parent PID: 5856

General

Chronological Activities

Analysis Process: chrome.exePID: 6436, Parent PID: 5756

General

Windows Analysis Report
https://fonts.googleapis.com/css?family=Roboto:300,400,500,700