Windows Analysis Report
http://amtso.eicar.org/PotentiallyUnwanted.exe

Overview

General Information

Sample URL: http://amtso.eicar.org/PotentiallyUnwanted.exe
Analysis ID: 1546341

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Contains capabilities to detect virtual machines
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
HTTP GET or POST without a user agent
PE file contains an invalid checksum
PE file does not import any functions
PE file overlay found
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic

Classification

  • System is w10x64_ra
  • chrome.exe (PID: 6808 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)
    • chrome.exe (PID: 6992 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 --field-trial-handle=1996,i,9677582239789433466,1390415878745248934,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)
    • chrome.exe (PID: 6276 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5512 --field-trial-handle=1996,i,9677582239789433466,1390415878745248934,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)
    • PotentiallyUnwanted.exe (PID: 5648 cmdline: "C:\Users\user\Downloads\PotentiallyUnwanted.exe" MD5: 1AC020D35BE34D812D628AF0A5BF29B1)
  • chrome.exe (PID: 6568 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://amtso.eicar.org/PotentiallyUnwanted.exe" MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)
  • Taskmgr.exe (PID: 788 cmdline: "C:\Windows\system32\taskmgr.exe" /0 MD5: 58D5BC7895F7F32EE308E34F06F25DD5)
  • Taskmgr.exe (PID: 3540 cmdline: "C:\Windows\system32\taskmgr.exe" /0 MD5: 58D5BC7895F7F32EE308E34F06F25DD5)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-31T19:37:00.612355+0100 | 2022930 | 1 | A Network Trojan was detected | 52.149.20.212 | 443 | 192.168.2.17 | 49705 | TCP
2024-10-31T19:37:39.449603+0100 | 2022930 | 1 | A Network Trojan was detected | 52.149.20.212 | 443 | 192.168.2.17 | 49715 | TCP

AV Detection

Source: /opt/package/joesandbox/database/analysis/1546341/temp/droppedscan/chromecache_78 | Avira: detection malicious, Label: PUA/EICAR-Test-Signature.A
Source: C:\Users\user\Downloads\Unconfirmed 953330.crdownload | Avira: detection malicious, Label: PUA/EICAR-Test-Signature.A
Source: C:\Users\user\Downloads\PotentiallyUnwanted.exe (copy) | ReversingLabs: Detection: 86%
Source: C:\Users\user\Downloads\Unconfirmed 953330.crdownload | ReversingLabs: Detection: 86%
Source: Chrome Cache Entry: 78 | ReversingLabs: Detection: 86%
Source: unknown | HTTPS traffic detected: 52.149.20.212:443 -> 192.168.2.17:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.17:49713 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.17:49714 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.149.20.212:443 -> 192.168.2.17:49715 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 20.190.159.2:443 -> 192.168.2.17:49717 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.107.5.88:443 -> 192.168.2.17:49718 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 2.23.209.130:443 -> 192.168.2.17:49721 version: TLS 1.2
Source: global traffic | HTTP traffic detected:
  GET /ab HTTP/1.1
  Host: evoke-windowsservices-tas.msedge.net
  Cache-Control: no-store, no-cache
  X-PHOTOS-CALLERID: 9NMPJ99VJBWV
  X-EVOKE-RING:
  X-WINNEXT-RING: Public
  X-WINNEXT-TELEMETRYLEVEL: Basic
  X-WINNEXT-OSVERSION: 10.0.19045.0
  X-WINNEXT-APPVERSION: 1.23082.131.0
  X-WINNEXT-PLATFORM: Desktop
  X-WINNEXT-CANTAILOR: False
  X-MSEDGE-CLIENTID: {c1afbad7-f7da-40f2-92f9-8846a91d69bd}
  X-WINNEXT-PUBDEVICEID: dbfen2nYS7HW6ON4OdOknKxxv2CCI5LJBTojzDztjwI=
  If-None-Match: 2056388360_-1434155563
  Accept-Encoding: gzip, deflate, br
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.17:49715
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.17:49705
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown | TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown | TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: global traffic | HTTP traffic detected:
  GET /PotentiallyUnwanted.exe HTTP/1.1
  Host: amtso.eicar.org
  Connection: keep-alive
  Upgrade-Insecure-Requests: 1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
  sec-ch-ua-mobile: ?0
  sec-ch-ua-platform: "Windows"
  Sec-Fetch-Site: none
  Sec-Fetch-Mode: navigate
  Sec-Fetch-User: ?1
  Sec-Fetch-Dest: document
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected:
  GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=CzeDGtsYOg6vRMl&MD=fa3XeZZF HTTP/1.1
  Connection: Keep-Alive
  Accept: */*
  User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
  Host: slscr.update.microsoft.com
Source: global traffic | HTTP traffic detected:
  GET /fs/windows/config.json HTTP/1.1
  Connection: Keep-Alive
  Accept: */*
  Accept-Encoding: identity
  If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT
  Range: bytes=0-2147483646
  User-Agent: Microsoft BITS/7.8
  Host: fs.microsoft.com
Source: global traffic | HTTP traffic detected:
  GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=CzeDGtsYOg6vRMl&MD=fa3XeZZF HTTP/1.1
  Connection: Keep-Alive
  Accept: */*
  User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
  Host: slscr.update.microsoft.com
Source: global traffic | DNS traffic detected: DNS query: amtso.eicar.org
Source: global traffic | DNS traffic detected: DNS query: www.google.com
Source: unknown | HTTP traffic detected:
  POST /RST2.srf HTTP/1.0
  Connection: Keep-Alive
  Content-Type: application/soap+xml
  Accept: */*
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})
  Content-Length: 3592
  Host: login.live.com
Source: PotentiallyUnwanted.exe, 00000007.00000002.1802934021.0000000000C08000.00000004.00000020.00020000.00000000.sdmp, PotentiallyUnwanted.exe, 00000007.00000002.1802934021.0000000000BFF000.00000004.00000020.00020000.00000000.sdmp, PotentiallyUnwanted.exe, 00000007.00000000.1165100131.0000000000A06000.00000002.00000001.01000000.00000004.sdmp, chromecache_78.1.dr, Unconfirmed 953330.crdownload.0.dr | String found in binary or memory: http://www.amtso.org/feature-settings-check.html
Source: Taskmgr.exe, 0000001A.00000003.1833023391.000002282DDB7000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1831145249.000002282DDB7000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDB7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://clients2.google.com/cr/report
Source: 0ef1f9d5-2a2c-4596-ae0d-720967c37bbd.tmp.0.dr | Static PE information: No import functions for PE file found
Source: 0ef1f9d5-2a2c-4596-ae0d-720967c37bbd.tmp.0.dr | Static PE information: Data appended to the last section found
Source: classification engine | Classification label: mal56.win@24/14@6/4
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Windows\System32\Taskmgr.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\TM.750ce7b0-e5fd-454f-9fad-2f66513dfa1b
Source: C:\Windows\System32\Taskmgr.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3540:120:WilError_03
Source: C:\Windows\System32\Taskmgr.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Downloads\PotentiallyUnwanted.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 --field-trial-handle=1996,i,9677582239789433466,1390415878745248934,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://amtso.eicar.org/PotentiallyUnwanted.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5512 --field-trial-handle=1996,i,9677582239789433466,1390415878745248934,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Users\user\Downloads\PotentiallyUnwanted.exe "C:\Users\user\Downloads\PotentiallyUnwanted.exe"
Source: unknown | Process created: C:\Windows\System32\Taskmgr.exe "C:\Windows\system32\taskmgr.exe" /0
Source: unknown | Process created: C:\Windows\System32\Taskmgr.exe "C:\Windows\system32\taskmgr.exe" /0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Users\user\Downloads\PotentiallyUnwanted.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Downloads\PotentiallyUnwanted.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Downloads\PotentiallyUnwanted.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Downloads\PotentiallyUnwanted.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Downloads\PotentiallyUnwanted.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Downloads\PotentiallyUnwanted.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Downloads\PotentiallyUnwanted.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Downloads\PotentiallyUnwanted.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Downloads\PotentiallyUnwanted.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\Taskmgr.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{09c5dd34-009d-40fa-bcb9-0165ad0c15d4}\InProcServer32
Source: Google Drive.lnk.0.dr | LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.0.dr | LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.0.dr | LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.0.dr | LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.0.dr | LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.0.dr | LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: C:\Windows\System32\Taskmgr.exe | Window found: window name: SysTabControl32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: Unconfirmed 953330.crdownload.0.dr | Static PE information: real checksum: 0xb28f should be: 0xbc9b
Source: chromecache_78.1.dr | Static PE information: real checksum: 0xb28f should be: 0xbc9b
Source: 0ef1f9d5-2a2c-4596-ae0d-720967c37bbd.tmp.0.dr | Static PE information: real checksum: 0xb28f should be: 0x8396
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\Downloads\0ef1f9d5-2a2c-4596-ae0d-720967c37bbd.tmp
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\Downloads\Unconfirmed 953330.crdownload
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: Chrome Cache Entry: 78
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\Downloads\PotentiallyUnwanted.exe (copy)
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
Source: C:\Windows\System32\Taskmgr.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Taskmgr.exe | File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Taskmgr.exe, 0000001A.00000003.1827021728.000002282DDFC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: DHyper-V Virtual Machine Bus Pipes!
Source: Taskmgr.exe, 0000001A.00000002.1836956928.000002282DE01000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1828217217.000002282DDFF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: DHyper-V Virtual Machine Bus Pipes
Source: Taskmgr.exe, 0000001A.00000003.1831145249.000002282DD7C000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1825524228.000002282DD7C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V Dynamic Memory Integration Service
Source: Taskmgr.exe, 0000001A.00000003.1828217217.000002282DDFF000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1827021728.000002282DDFC000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: JHyper-V Hypervisor Logical Processor8
Source: Taskmgr.exe, 0000001A.00000003.1827021728.000002282DE7E000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000002.1837399067.000002282DE77000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1828965010.000002282DE7C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V Dynamic Memory Integration Service"
Source: Taskmgr.exe, 0000001A.00000003.1832249709.0000022829BC2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}(
Source: Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: DHyper-V Virtual Machine Bus Pipes
Source: Taskmgr.exe, 0000001A.00000003.1827021728.000002282DE30000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: :Hyper-V Data Exchange ServiceH
Source: Taskmgr.exe, 0000001A.00000002.1837399067.000002282DE77000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1828965010.000002282DE77000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: &Hyper-V Hypervisori
Source: Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V VM Vid Partition
Source: Taskmgr.exe, 0000001A.00000003.1828965010.000002282DE79000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000002.1837399067.000002282DE77000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VHyper-V Dynamic Memory Integration Service
Source: Taskmgr.exe, 0000001A.00000003.1827021728.000002282DE38000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VHyper-V Dynamic Memory Integration Service
Source: Taskmgr.exe, 0000001A.00000002.1836722992.000002282DDE2000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V Virtual Machine Bus Pipes
Source: Taskmgr.exe, 0000001A.00000002.1837399067.000002282DE77000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1828965010.000002282DE7C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V Hypervisor Logical Processori
Source: Taskmgr.exe, 0000001A.00000003.1828217217.000002282DDFF000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1827021728.000002282DDFC000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: DHyper-V Hypervisor Root Partitionp!
Source: Taskmgr.exe, 0000001A.00000003.1828217217.000002282DDFF000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1827021728.000002282DDFC000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: sWDHyper-V Hypervisor Root Partitionpv
Source: Taskmgr.exe, 0000001A.00000003.1828217217.000002282DE29000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1833305286.000002282DE29000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1827021728.000002282DE26000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 2Hyper-V Heartbeat ServiceVen_VM
Source: Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vmicvss
Source: Taskmgr.exe, 0000001A.00000003.1827021728.000002282DE38000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1828965010.000002282DE40000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V pkrutanenxkxbsm Bus Pipes
Source: Taskmgr.exe, 0000001A.00000003.1827021728.000002282DE26000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: (Spatial Data Service&Ven_VMware
Source: Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDA7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V Hypervisor Logical Processorsys
Source: Taskmgr.exe, 0000001A.00000003.1827021728.000002282DE5E000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1828965010.000002282DE5E000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 2Hyper-V VM Vid Partition
Source: Taskmgr.exe, 0000001A.00000003.1827021728.000002282DE26000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vmicheartbeat
Source: Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V VM Vid Partitionriv
Source: Taskmgr.exe, 0000001A.00000003.1827021728.000002282DE38000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1828965010.000002282DE44000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: THyper-V Hypervisor Root Virtual Processord{
Source: Taskmgr.exe, 0000001A.00000002.1837399067.000002282DE77000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1828965010.000002282DE7C000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDA7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V Hypervisor Root Virtual Processor
Source: Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: X2Hyper-V VM Vid Partition
Source: Taskmgr.exe, 0000001A.00000002.1837399067.000002282DE77000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: THyper-V Hypervisor Root Virtual Processor
Source: Taskmgr.exe, 0000001A.00000003.1825524228.000002282DD3F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware Virtual disk SCSI Disk Device0
Source: Taskmgr.exe, 0000001A.00000003.1828217217.000002282DDFF000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1827021728.000002282DDFC000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: JHyper-V Hypervisor Logical Processor
Source: Taskmgr.exe, 0000001A.00000003.1832554946.000002282DE31000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1827021728.000002282DE30000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1828217217.000002282DE31000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: >Hyper-V Guest Service Interface
Source: Taskmgr.exe, 0000001A.00000003.1827021728.000002282DE48000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ZHyper-V Remote Desktop Virtualization Service+
Source: Taskmgr.exe, 0000001A.00000003.1831145249.000002282DDA7000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDA7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V pkrutanenxkxbsm BusE
Source: Taskmgr.exe, 0000001A.00000003.1832554946.000002282DE31000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1827021728.000002282DE30000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1828217217.000002282DE31000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: BHyper-V PowerShell Direct Service
Source: Taskmgr.exe, 0000001A.00000002.1836722992.000002282DDE2000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V Hypervisor Root PartitioneK
Source: Taskmgr.exe, 0000001A.00000003.1827021728.000002282DE26000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vmicshutdownb3c
Source: Taskmgr.exe, 0000001A.00000002.1836722992.000002282DDE2000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1827886166.000002282DDEC000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: &Hyper-V Hypervisor
Source: Taskmgr.exe, 0000001A.00000003.1832554946.000002282DE3B000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1827021728.000002282DE38000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: HHyper-V Time Synchronization Service
Source: Taskmgr.exe, 0000001A.00000002.1836722992.000002282DDE2000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V Virtual Machine Bus Pipesl
Source: Taskmgr.exe, 0000001A.00000002.1836722992.000002282DDE2000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V Hypervisor Root Partition2K
Source: Taskmgr.exe, 0000001A.00000002.1837399067.000002282DE77000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1828965010.000002282DE7C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: AlDHyper-V Virtual Machine Bus Pipes
Source: Taskmgr.exe, 0000001A.00000003.1832554946.000002282DE3B000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1827021728.000002282DE38000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: HHyper-V Volume Shadow Copy Requestor
Source: Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V Dynamic Memory Integration ServiceA
Source: Taskmgr.exe, 0000001A.00000003.1827021728.000002282DE30000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <Hyper-V Guest Shutdown Servicez
Source: Taskmgr.exe, 0000001A.00000003.1827021728.000002282DE58000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1828965010.000002282DE58000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000003.1825524228.000002282DDCE000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000001A.00000002.1837399067.000002282DE58000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V Hypervisor
Source: Taskmgr.exe, 0000001A.00000003.1827021728.000002282DE26000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 0Shell Hardware Detection_VMware
Source: C:\Windows\System32\Taskmgr.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Windows\System32\Taskmgr.exe | Queries volume information: C:\ProgramData\Microsoft\User Account Pictures\user.png VolumeInformation
Source: C:\Windows\System32\Taskmgr.exe | Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.scale-200.png VolumeInformation
Source: C:\Windows\System32\Taskmgr.exe | Queries volume information: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Assets\SquareLogo44x44.scale-100.png VolumeInformation
Source: C:\Windows\System32\Taskmgr.exe | Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-256.png VolumeInformation
Source: C:\Windows\System32\Taskmgr.exe | Queries volume information: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Assets\Icons\AppListIcon.scale-100.png VolumeInformation
Source: C:\Windows\System32\Taskmgr.exe | Queries volume information: C:\Windows\System32\RuntimeBroker.exe VolumeInformation
Source: C:\Windows\System32\Taskmgr.exe | Queries volume information: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Assets\SmallLogo.scale-100.png VolumeInformation
Source: C:\Windows\System32\Taskmgr.exe | Queries volume information: C:\Program Files\WindowsApps\Microsoft.YourPhone_1.23082.131.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\AppIcon.scale-100.png VolumeInformation
Source: C:\Windows\System32\Taskmgr.exe | Queries volume information: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\Assets\SmallLogo.scale-100.png VolumeInformation
MITRE ATT&CK Matrix (the number in brackets is the count of matched signatures for that technique; techniques without a number had no match):
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron
Persistence: DLL Side-Loading [1]; Registry Run Keys / Startup Folder [1]; Logon Script (Windows); Login Hook
Privilege Escalation: Process Injection [1]; DLL Side-Loading [1]; Registry Run Keys / Startup Folder [1]; Login Hook
Defense Evasion: Masquerading [11]; Virtualization/Sandbox Evasion [1]; Process Injection [1]; DLL Side-Loading [1]
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: Security Software Discovery [111]; Virtualization/Sandbox Evasion [1]; File and Directory Discovery [1]; System Information Discovery [21]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Command and Control: Encrypted Channel [1]; Non-Application Layer Protocol [3]; Application Layer Protocol [4]; Ingress Tool Transfer [1]
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction
Behavior Graph (ID: 1546341; URL: http://amtso.eicar.org/Pote...; Start date: 31/10/2024; Architecture: WINDOWS; Score: 56)
Signatures on the root node: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file
Processes started from the root: chrome.exe; Taskmgr.exe; chrome.exe; Taskmgr.exe
chrome.exe: contacts 192.168.2.17 (ports 138, 443, 49672; unknown) and 239.255.255.250 (Reserved); drops C:\Users\...\Unconfirmed 953330.crdownload (PE32), C:\Users\...\PotentiallyUnwanted.exe (copy) (PE32) and 0ef1f9d5-2a2c-4596-ae0d-720967c37bbd.tmp (PE32); starts chrome.exe, chrome.exe and PotentiallyUnwanted.exe
Child chrome.exe: contacts amtso.eicar.org (81.7.7.163; ports 443, 49700, 49701; ISPPRO-ASISPPRO-AScoversthenetworksofISPproDE, Germany) and www.google.com (142.250.185.196; ports 443, 49704, 49723; GOOGLEUS, United States); drops Chrome Cache Entry: 78 (PE32)

No Antivirus matches
Source | Detection | Scanner | Label
/opt/package/joesandbox/database/analysis/1546341/temp/droppedscan/chromecache_78 | 100% | Avira | PUA/EICAR-Test-Signature.A
C:\Users\user\Downloads\Unconfirmed 953330.crdownload | 100% | Avira | PUA/EICAR-Test-Signature.A
C:\Users\user\Downloads\PotentiallyUnwanted.exe (copy) | 87% | ReversingLabs | Win32.PUA.AMTSOTestFile
C:\Users\user\Downloads\Unconfirmed 953330.crdownload | 87% | ReversingLabs | Win32.PUA.AMTSOTestFile
Chrome Cache Entry: 78 | 87% | ReversingLabs | Win32.PUA.AMTSOTestFile
No Antivirus matches
No Antivirus matches
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.google.com | 142.250.185.196 | true | false | | unknown
amtso.eicar.org | 81.7.7.163 | true | false | | unknown

Name | Malicious | Antivirus Detection | Reputation
https://amtso.eicar.org/PotentiallyUnwanted.exe | false | | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.amtso.org/feature-settings-check.html | PotentiallyUnwanted.exe, 00000007.00000002.1802934021.0000000000C08000.00000004.00000020.00020000.00000000.sdmp, PotentiallyUnwanted.exe, 00000007.00000002.1802934021.0000000000BFF000.00000004.00000020.00020000.00000000.sdmp, PotentiallyUnwanted.exe, 00000007.00000000.1165100131.0000000000A06000.00000002.00000001.01000000.00000004.sdmp, chromecache_78.1.dr, Unconfirmed 953330.crdownload.0.dr | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
239.255.255.250 | unknown | Reserved | unknown | unknown | false
142.250.185.196 | www.google.com | United States | 15169 | GOOGLEUS | false
81.7.7.163 | amtso.eicar.org | Germany | 35366 | ISPPRO-AS ISPPRO-AS covers the networks of ISPpro DE | false

Private IP:
192.168.2.17
          Joe Sandbox version:41.0.0 Charoite
          Analysis ID:1546341
          Start date and time:2024-10-31 19:36:16 +01:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:0h 4m 7s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:defaultwindowsinteractivecookbook.jbs
          Sample URL:http://amtso.eicar.org/PotentiallyUnwanted.exe
          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:28
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:1
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Detection:MAL
          Classification:mal56.win@24/14@6/4
          EGA Information:Failed
          HCA Information:
          • Successful, ratio: 100%
          • Number of executed functions: 0
          • Number of non-executed functions: 0
          • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, consent.exe, RuntimeBroker.exe, ShellExperienceHost.exe, SIHClient.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, TextInputHost.exe, svchost.exe
          • Excluded IPs from analysis (whitelisted): 142.250.185.195, 142.250.181.238, 142.251.168.84, 34.104.35.123, 217.20.57.19, 192.229.221.95, 142.250.186.131, 142.250.185.110
          • Excluded domains from analysis (whitelisted): www.bing.com, clients1.google.com, fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, clientservices.googleapis.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, login.live.com, evoke-windowsservices-tas.msedge.net, update.googleapis.com, clients.l.google.com
• Not all processes were analyzed, report is missing behavior information
          • Report size getting too big, too many NtEnumerateKey calls found.
          • Report size getting too big, too many NtOpenFile calls found.
          • Report size getting too big, too many NtOpenKey calls found.
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtProtectVirtualMemory calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.
          • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
          • VT rate limit hit for: http://amtso.eicar.org/PotentiallyUnwanted.exe
          No simulations
          No context
          No context
          No context
          No context
          No context
          Process:C:\Windows\System32\Taskmgr.exe
          File Type:data
          Category:dropped
          Size (bytes):65552
          Entropy (8bit):0.012543881408137456
          Encrypted:false
          SSDEEP:3:mnlllGlll/l/lXp9ZjrPBY06llSl/gX/ZP:mll0dPBY0O0uXJ
          MD5:D2FB266B97CAFF2086BF0FA74EDDB6B2
          SHA1:2F0061CE9C51B5B4FBAB76B37FC6A540BE7F805D
          SHA-256:B09F68B61D9FF5A7C7C8B10EEE9447D4813EE0E866346E629E788CD4ADECB66A
          SHA-512:C3BA95A538C1D266BEB83334AF755C34CE642A4178AB0F2E5F7822FD6821D3B68862A8B58F167A9294E6D913B08C1054A69B5D7AEC2EFDB3CF9796ED84DE21A8
          Malicious:false
          Reputation:low
          Process:C:\Windows\System32\Taskmgr.exe
          File Type:ASCII text, with no line terminators
          Category:dropped
          Size (bytes):4
          Entropy (8bit):1.5
          Encrypted:false
          SSDEEP:3:R:R
          MD5:F49655F856ACB8884CC0ACE29216F511
          SHA1:CB0F1F87EC0455EC349AAA950C600475AC7B7B6B
          SHA-256:7852FCE59C67DDF1D6B8B997EAA1ADFAC004A9F3A91C37295DE9223674011FBA
          SHA-512:599E93D25B174524495ED29653052B3590133096404873318F05FD68F4C9A5C9A3B30574551141FBB73D7329D6BE342699A17F3AE84554BAB784776DFDA2D5F8
          Malicious:false
          Reputation:low
          Preview:EERF
          Process:C:\Windows\System32\Taskmgr.exe
          File Type:Matlab v4 mat-file (little endian) (, numeric, rows 0, columns 16, imaginary
          Category:dropped
          Size (bytes):65536
          Entropy (8bit):0.020771427571626165
          Encrypted:false
          SSDEEP:3:9llHlJd2DJqojBdl+Sli5lWyyHk15lxEBldttXllaia9sVQMm6En:i9q0Bn+SkSJkJ+Tdtz2Hrn
          MD5:FAAF81E039656B877722B8771EA6D053
          SHA1:E8C6B9F47130847654DF1AFBE62406E8779B7C56
          SHA-256:30839B97B27F7EC2AD9DEBF5590B0B5CAC4DB2FE5BB86AAD58D623B942D639FC
          SHA-512:F03AE7F7A4AF30FB0131E61003B0068FB9715C0F8989CBF2CE7A64710DB884A89FF9415DB5D57B1D8DD0421F6132F6B5EFEBEE3D1C07CC995018EE540000BFB5
          Malicious:false
          Reputation:low
          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Oct 31 17:36:46 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
          Category:dropped
          Size (bytes):2677
          Entropy (8bit):3.998553522344505
          Encrypted:false
          SSDEEP:48:8UVdpTq7nsEH4idAKZdA1JehwiZUklqeh1y+3:8UBgsbyy
          MD5:0D78C236EDEAADE404B0761880B08B71
          SHA1:87EEBD9BE198D48A8F64F398D63D3F4E5BF62533
          SHA-256:F187400B2C0450E3EE220931FC838CE268D7300C54E5836A6CBC21CD59BCB5AD
          SHA-512:91B89F9834A1B54330DDA850E62B88BE6E38BB4FE7E19604D54D2F5D0F4C147339C9AD559DBA844C5F405543B699631F18C41D88425AC6DCB9464DAAB649C024
          Malicious:false
          Reputation:low
          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Oct 31 17:36:46 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
          Category:dropped
          Size (bytes):2679
          Entropy (8bit):4.013832887821926
          Encrypted:false
          SSDEEP:48:8CVdpTq7nsEH4idAKZdA10eh/iZUkAQkqehiy+2:8CBgsZ9Qvy
          MD5:841F0FF0ED3C4CD14D16045C853F8531
          SHA1:275EFB36C4B3FCE6042DE75ADD14515BD5139C10
          SHA-256:70DB07FEB2BD663EF77D913853E42ED8C4C8EE72C2EBE1B5C3F198E6C43D1302
          SHA-512:8BD87A826F6C73660AD3A1650DDDD7B4562A3120B513B37B107CD2B6DC765AF380C636638D3B1AFC1854204565F72430D5D5371EED88EE0659A37C388F610BAF
          Malicious:false
          Reputation:low
          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:54:41 2023, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
          Category:dropped
          Size (bytes):2693
          Entropy (8bit):4.021014571871771
          Encrypted:false
          SSDEEP:48:8eVdpTq7njH4idAKZdA14tIeh7sFiZUkmgqeh7s8y+BX:8eBgUney
          MD5:5029FD7B93605ECE8F2F199EB2040317
          SHA1:232CAEEDDE924A88777AB403EFCBD59E2AE4D747
          SHA-256:D5CFBC67C47270CDDC916B77DE2A5867C933647FD8E152AB02B631D9B616ACF7
          SHA-512:45E57159BFF919A6B0C71D838DD1A731DC1F80620012BA628847AAB448DE0EB90913E4760A06030761928CD125778C29695386BFF0E2DBF81954A7BE88826CCF
          Malicious:false
          Reputation:low
          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Oct 31 17:36:46 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
          Category:dropped
          Size (bytes):2681
          Entropy (8bit):4.009549119084107
          Encrypted:false
          SSDEEP:48:8GVdpTq7nsEH4idAKZdA1behDiZUkwqehWy+R:8GBgsqUy
          MD5:00F00C4C1576F4383BAC1B8C39DB0397
          SHA1:69D8C7BEF5CF1BABB2A72789B5F7FDAD3739E6AD
          SHA-256:5A6445B95076F7737D9342B742C84039E0E4B71D97FE8F390D729C67091B3C9B
          SHA-512:918A8AD10624C7FB542455E03002BC27AF589427C4E0433A7CA2F0DDEFFE1B39BB973093C11F8C9DEA08549DF2AFF8DD04F9C7E8BFAAA3A07908F50EBD746679
          Malicious:false
          Reputation:low
          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Oct 31 17:36:46 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
          Category:dropped
          Size (bytes):2681
          Entropy (8bit):4.000095137300277
          Encrypted:false
          SSDEEP:48:8OVdpTq7nsEH4idAKZdA1VehBiZUk1W1qehYy+C:8OBgsq94y
          MD5:6B220DA048DB6C200BBD727A36DA0B82
          SHA1:1C32922ED86042DF903DD6C8109F86ABE3C4FD3B
          SHA-256:3E87FDA9268CFB6848FC2425FE2E9D158E088FD17451F0C225B02EAA46FF6625
          SHA-512:4E188D086877615FF7567CEEEB9F4A24EF1C52391567516CCF9CE5AAB225795EACD609D64090A6F03C20E6C76196AC29D50C69FA36482B5976459E30ABAEE42C
          Malicious:false
          Reputation:low
          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Oct 31 17:36:46 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
          Category:dropped
          Size (bytes):2683
          Entropy (8bit):4.010084780484445
          Encrypted:false
          SSDEEP:48:8JVdpTq7nsEH4idAKZdA1duT6ehOuTbbiZUk5OjqehOuTbey+yT+:8JBgs4TTTbxWOvTbey7T
          MD5:BE53FC20F9475775D885A50D49A8B0F1
          SHA1:113583614C7E049AD61C2D1D931EB97B128AA4E6
          SHA-256:DCD8D36C4B2173C1E3B8BB01635C76FECF7B1D1A71B92C74D7310176427D5238
          SHA-512:EE28A8A0FAB9DF81CF9D5A0D79C18C255169810D7D7393ECE6718A2EB6E74DCCB190AEDC6FCCCE880D1C0AC6B9CE36B8A8E9DA6D1912D8A89AE7F28C21534035
          Malicious:false
          Reputation:low
          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
          Category:dropped
          Size (bytes):7912
          Entropy (8bit):6.0838410182858205
          Encrypted:false
          SSDEEP:192:TqnViYGbUTHPfThdyRD7AVuuy4K8lZoDpECim:Tq5RHPNdu8uugaZoD0m
          MD5:C169DF19B05B48671FFDEDBDAC9E3560
          SHA1:69847409E758A610E782AF6690179827290A536E
          SHA-256:B0C71DE5C90B05CF77BE58CF6690EFAA6E67D127DD27E67DC77C6EBF0F097B39
          SHA-512:516FF3A404EF02DCA992D0D87EC39DC32126A1197FFB1B9FE2CA0D6D51D04633027261B12F3542AD4D681431650DA71B0F44BD48F08A607528E4EB7DEAC155F7
          Malicious:true
          Reputation:low
          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
          Category:dropped
          Size (bytes):33282
          Entropy (8bit):5.86441905074689
          Encrypted:false
          SSDEEP:384:Tq5RHPNdu8uugaZoD0F9+rhQfdJkd/+vO2Dp/EDH6Nb0nuxw1mP+fXNGDvIrxJ:hN0FEheQohEDaNAnmEmANtrv
          MD5:1AC020D35BE34D812D628AF0A5BF29B1
          SHA1:8E0AB1E02E94700A153804585E59E30CB3DFB557
          SHA-256:42D6581DD0A2BA9BEC6A40C5B7C85870A8019D7347C9130D24752EC5865F0732
          SHA-512:11FBEEE6ABCE03FAF07BC566AC770F471028BB2FBED2489EC4C276EC6826C79651B1B4071B4C2361DC5926F2B0BFE5ADD120C717B2109A87142C4F8B5CEBD165
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 87%
          Reputation:low
          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
          Category:dropped
          Size (bytes):33282
          Entropy (8bit):5.86441905074689
          Encrypted:false
          SSDEEP:384:Tq5RHPNdu8uugaZoD0F9+rhQfdJkd/+vO2Dp/EDH6Nb0nuxw1mP+fXNGDvIrxJ:hN0FEheQohEDaNAnmEmANtrv
          MD5:1AC020D35BE34D812D628AF0A5BF29B1
          SHA1:8E0AB1E02E94700A153804585E59E30CB3DFB557
          SHA-256:42D6581DD0A2BA9BEC6A40C5B7C85870A8019D7347C9130D24752EC5865F0732
          SHA-512:11FBEEE6ABCE03FAF07BC566AC770F471028BB2FBED2489EC4C276EC6826C79651B1B4071B4C2361DC5926F2B0BFE5ADD120C717B2109A87142C4F8B5CEBD165
          Malicious:true
          Antivirus:
          • Antivirus: Avira, Detection: 100%
          • Antivirus: ReversingLabs, Detection: 87%
          Reputation:low
          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
          Category:downloaded
          Size (bytes):33282
          Entropy (8bit):5.86441905074689
          Encrypted:false
          SSDEEP:384:Tq5RHPNdu8uugaZoD0F9+rhQfdJkd/+vO2Dp/EDH6Nb0nuxw1mP+fXNGDvIrxJ:hN0FEheQohEDaNAnmEmANtrv
          MD5:1AC020D35BE34D812D628AF0A5BF29B1
          SHA1:8E0AB1E02E94700A153804585E59E30CB3DFB557
          SHA-256:42D6581DD0A2BA9BEC6A40C5B7C85870A8019D7347C9130D24752EC5865F0732
          SHA-512:11FBEEE6ABCE03FAF07BC566AC770F471028BB2FBED2489EC4C276EC6826C79651B1B4071B4C2361DC5926F2B0BFE5ADD120C717B2109A87142C4F8B5CEBD165
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 87%
          Reputation:low
          URL:https://amtso.eicar.org/PotentiallyUnwanted.exe
          No static file info
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-31T19:37:00.612355+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 52.149.20.212 | 443 | 192.168.2.17 | 49705 | TCP
2024-10-31T19:37:39.449603+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 52.149.20.212 | 443 | 192.168.2.17 | 49715 | TCP
          Oct 31, 2024 19:36:58.477149963 CET4434970552.149.20.212192.168.2.17
          Oct 31, 2024 19:36:59.378400087 CET4434970552.149.20.212192.168.2.17
          Oct 31, 2024 19:36:59.378504038 CET49705443192.168.2.1752.149.20.212
          Oct 31, 2024 19:36:59.380985022 CET49705443192.168.2.1752.149.20.212
          Oct 31, 2024 19:36:59.380999088 CET4434970552.149.20.212192.168.2.17
          Oct 31, 2024 19:36:59.381244898 CET4434970552.149.20.212192.168.2.17
          Oct 31, 2024 19:36:59.421339989 CET49705443192.168.2.1752.149.20.212
          Oct 31, 2024 19:37:00.314603090 CET49705443192.168.2.1752.149.20.212
          Oct 31, 2024 19:37:00.359332085 CET4434970552.149.20.212192.168.2.17
          Oct 31, 2024 19:37:00.611545086 CET4434970552.149.20.212192.168.2.17
          Oct 31, 2024 19:37:00.611574888 CET4434970552.149.20.212192.168.2.17
          Oct 31, 2024 19:37:00.611582994 CET4434970552.149.20.212192.168.2.17
          Oct 31, 2024 19:37:00.611592054 CET4434970552.149.20.212192.168.2.17
          Oct 31, 2024 19:37:00.611615896 CET4434970552.149.20.212192.168.2.17
          Oct 31, 2024 19:37:00.611651897 CET49705443192.168.2.1752.149.20.212
          Oct 31, 2024 19:37:00.611679077 CET4434970552.149.20.212192.168.2.17
          Oct 31, 2024 19:37:00.611695051 CET49705443192.168.2.1752.149.20.212
          Oct 31, 2024 19:37:00.611721039 CET49705443192.168.2.1752.149.20.212
          Oct 31, 2024 19:37:00.611722946 CET4434970552.149.20.212192.168.2.17
          Oct 31, 2024 19:37:00.611735106 CET4434970552.149.20.212192.168.2.17
          Oct 31, 2024 19:37:00.611778021 CET49705443192.168.2.1752.149.20.212
          Oct 31, 2024 19:37:00.611784935 CET4434970552.149.20.212192.168.2.17
          Oct 31, 2024 19:37:00.612276077 CET4434970552.149.20.212192.168.2.17
          Oct 31, 2024 19:37:00.612335920 CET49705443192.168.2.1752.149.20.212
          Oct 31, 2024 19:37:01.232669115 CET44349704142.250.185.196192.168.2.17
          Oct 31, 2024 19:37:01.232739925 CET44349704142.250.185.196192.168.2.17
          Oct 31, 2024 19:37:01.232799053 CET49704443192.168.2.17142.250.185.196
          Oct 31, 2024 19:37:01.497174025 CET49705443192.168.2.1752.149.20.212
          Oct 31, 2024 19:37:01.497227907 CET4434970552.149.20.212192.168.2.17
          Oct 31, 2024 19:37:01.497240067 CET49705443192.168.2.1752.149.20.212
          Oct 31, 2024 19:37:01.497246981 CET4434970552.149.20.212192.168.2.17
          Oct 31, 2024 19:37:01.803843021 CET49704443192.168.2.17142.250.185.196
          Oct 31, 2024 19:37:01.803879023 CET44349704142.250.185.196192.168.2.17
          Oct 31, 2024 19:37:04.931796074 CET49675443192.168.2.17204.79.197.203
          Oct 31, 2024 19:37:05.235405922 CET49675443192.168.2.17204.79.197.203
          Oct 31, 2024 19:37:05.843388081 CET49675443192.168.2.17204.79.197.203
          Oct 31, 2024 19:37:07.043447018 CET49675443192.168.2.17204.79.197.203
          Oct 31, 2024 19:37:07.078654051 CET49713443192.168.2.17184.28.90.27
          Oct 31, 2024 19:37:07.078718901 CET44349713184.28.90.27192.168.2.17
          Oct 31, 2024 19:37:07.078824997 CET49713443192.168.2.17184.28.90.27
          Oct 31, 2024 19:37:07.079763889 CET49713443192.168.2.17184.28.90.27
          Oct 31, 2024 19:37:07.079799891 CET44349713184.28.90.27192.168.2.17
          Oct 31, 2024 19:37:07.925286055 CET44349713184.28.90.27192.168.2.17
          Oct 31, 2024 19:37:07.925398111 CET49713443192.168.2.17184.28.90.27
          Oct 31, 2024 19:37:07.928823948 CET49713443192.168.2.17184.28.90.27
          Oct 31, 2024 19:37:07.928837061 CET44349713184.28.90.27192.168.2.17
          Oct 31, 2024 19:37:07.929083109 CET44349713184.28.90.27192.168.2.17
          Oct 31, 2024 19:37:07.971395969 CET49713443192.168.2.17184.28.90.27
          Oct 31, 2024 19:37:07.972165108 CET49713443192.168.2.17184.28.90.27
          Oct 31, 2024 19:37:08.015342951 CET44349713184.28.90.27192.168.2.17
          Oct 31, 2024 19:37:08.214534998 CET44349713184.28.90.27192.168.2.17
          Oct 31, 2024 19:37:08.214612961 CET44349713184.28.90.27192.168.2.17
          Oct 31, 2024 19:37:08.214708090 CET49713443192.168.2.17184.28.90.27
          Oct 31, 2024 19:37:08.214803934 CET49713443192.168.2.17184.28.90.27
          Oct 31, 2024 19:37:08.214829922 CET44349713184.28.90.27192.168.2.17
          Oct 31, 2024 19:37:08.214855909 CET49713443192.168.2.17184.28.90.27
          Oct 31, 2024 19:37:08.214863062 CET44349713184.28.90.27192.168.2.17
          Oct 31, 2024 19:37:08.247033119 CET49714443192.168.2.17184.28.90.27
          Oct 31, 2024 19:37:08.247076035 CET44349714184.28.90.27192.168.2.17
          Oct 31, 2024 19:37:08.247148037 CET49714443192.168.2.17184.28.90.27
          Oct 31, 2024 19:37:08.247559071 CET49714443192.168.2.17184.28.90.27
          Oct 31, 2024 19:37:08.247575045 CET44349714184.28.90.27192.168.2.17
          Oct 31, 2024 19:37:09.090796947 CET49680443192.168.2.1720.189.173.13
          Oct 31, 2024 19:37:09.107130051 CET44349714184.28.90.27192.168.2.17
          Oct 31, 2024 19:37:09.107335091 CET49714443192.168.2.17184.28.90.27
          Oct 31, 2024 19:37:09.108377934 CET49714443192.168.2.17184.28.90.27
          Oct 31, 2024 19:37:09.108393908 CET44349714184.28.90.27192.168.2.17
          Oct 31, 2024 19:37:09.108643055 CET44349714184.28.90.27192.168.2.17
          Oct 31, 2024 19:37:09.109756947 CET49714443192.168.2.17184.28.90.27
          Oct 31, 2024 19:37:09.155329943 CET44349714184.28.90.27192.168.2.17
          Oct 31, 2024 19:37:09.353308916 CET44349714184.28.90.27192.168.2.17
          Oct 31, 2024 19:37:09.353538036 CET44349714184.28.90.27192.168.2.17
          Oct 31, 2024 19:37:09.353620052 CET49714443192.168.2.17184.28.90.27
          Oct 31, 2024 19:37:09.354420900 CET49714443192.168.2.17184.28.90.27
          Oct 31, 2024 19:37:09.354440928 CET44349714184.28.90.27192.168.2.17
          Oct 31, 2024 19:37:09.354453087 CET49714443192.168.2.17184.28.90.27
          Oct 31, 2024 19:37:09.354458094 CET44349714184.28.90.27192.168.2.17
          Oct 31, 2024 19:37:09.394397020 CET49680443192.168.2.1720.189.173.13
          Oct 31, 2024 19:37:09.456393957 CET49675443192.168.2.17204.79.197.203
          Oct 31, 2024 19:37:09.999454975 CET49680443192.168.2.1720.189.173.13
          Oct 31, 2024 19:37:11.199451923 CET49680443192.168.2.1720.189.173.13
          Oct 31, 2024 19:37:13.612426043 CET49680443192.168.2.1720.189.173.13
          Oct 31, 2024 19:37:14.266449928 CET49675443192.168.2.17204.79.197.203
          Oct 31, 2024 19:37:17.545587063 CET4968280192.168.2.17192.229.211.108
          Oct 31, 2024 19:37:17.849591017 CET4968280192.168.2.17192.229.211.108
          Oct 31, 2024 19:37:18.425468922 CET49680443192.168.2.1720.189.173.13
          Oct 31, 2024 19:37:18.457500935 CET4968280192.168.2.17192.229.211.108
          Oct 31, 2024 19:37:19.670495033 CET4968280192.168.2.17192.229.211.108
          Oct 31, 2024 19:37:22.077589989 CET4968280192.168.2.17192.229.211.108
          Oct 31, 2024 19:37:23.881516933 CET49675443192.168.2.17204.79.197.203
          Oct 31, 2024 19:37:26.886492968 CET4968280192.168.2.17192.229.211.108
          Oct 31, 2024 19:37:28.036474943 CET49680443192.168.2.1720.189.173.13
          Oct 31, 2024 19:37:31.457504988 CET4970080192.168.2.1781.7.7.163
          Oct 31, 2024 19:37:31.457508087 CET4970180192.168.2.1781.7.7.163
          Oct 31, 2024 19:37:31.462430000 CET804970081.7.7.163192.168.2.17
          Oct 31, 2024 19:37:31.462445974 CET804970181.7.7.163192.168.2.17
          Oct 31, 2024 19:37:36.488575935 CET4968280192.168.2.17192.229.211.108
          Oct 31, 2024 19:37:37.979301929 CET49715443192.168.2.1752.149.20.212
          Oct 31, 2024 19:37:37.979415894 CET4434971552.149.20.212192.168.2.17
          Oct 31, 2024 19:37:37.979614973 CET49715443192.168.2.1752.149.20.212
          Oct 31, 2024 19:37:37.979969025 CET49715443192.168.2.1752.149.20.212
          Oct 31, 2024 19:37:37.979996920 CET4434971552.149.20.212192.168.2.17
          Oct 31, 2024 19:37:38.460840940 CET49717443192.168.2.1720.190.159.2
          Oct 31, 2024 19:37:38.460946083 CET4434971720.190.159.2192.168.2.17
          Oct 31, 2024 19:37:38.461039066 CET49717443192.168.2.1720.190.159.2
          Oct 31, 2024 19:37:38.462112904 CET49717443192.168.2.1720.190.159.2
          Oct 31, 2024 19:37:38.462142944 CET4434971720.190.159.2192.168.2.17
          Oct 31, 2024 19:37:38.748507977 CET804970081.7.7.163192.168.2.17
          Oct 31, 2024 19:37:38.748569965 CET4970080192.168.2.1781.7.7.163
          Oct 31, 2024 19:37:38.763801098 CET804970181.7.7.163192.168.2.17
          Oct 31, 2024 19:37:38.763869047 CET4970180192.168.2.1781.7.7.163
          Oct 31, 2024 19:37:38.777745008 CET49718443192.168.2.1713.107.5.88
          Oct 31, 2024 19:37:38.777786016 CET4434971813.107.5.88192.168.2.17
          Oct 31, 2024 19:37:38.777868032 CET49718443192.168.2.1713.107.5.88
          Oct 31, 2024 19:37:38.809459925 CET49718443192.168.2.1713.107.5.88
          Oct 31, 2024 19:37:38.809499979 CET4434971813.107.5.88192.168.2.17
          Oct 31, 2024 19:37:39.138016939 CET4434971552.149.20.212192.168.2.17
          Oct 31, 2024 19:37:39.138133049 CET49715443192.168.2.1752.149.20.212
          Oct 31, 2024 19:37:39.139780998 CET49715443192.168.2.1752.149.20.212
          Oct 31, 2024 19:37:39.139806032 CET4434971552.149.20.212192.168.2.17
          Oct 31, 2024 19:37:39.140189886 CET4434971552.149.20.212192.168.2.17
          Oct 31, 2024 19:37:39.146075010 CET49715443192.168.2.1752.149.20.212
          Oct 31, 2024 19:37:39.187352896 CET4434971552.149.20.212192.168.2.17
          Oct 31, 2024 19:37:39.447432995 CET4434971552.149.20.212192.168.2.17
          Oct 31, 2024 19:37:39.447504997 CET4434971552.149.20.212192.168.2.17
          Oct 31, 2024 19:37:39.447561979 CET4434971552.149.20.212192.168.2.17
          Oct 31, 2024 19:37:39.447638988 CET49715443192.168.2.1752.149.20.212
          Oct 31, 2024 19:37:39.447638988 CET49715443192.168.2.1752.149.20.212
          Oct 31, 2024 19:37:39.447689056 CET4434971552.149.20.212192.168.2.17
          Oct 31, 2024 19:37:39.447755098 CET49715443192.168.2.1752.149.20.212
          Oct 31, 2024 19:37:39.449135065 CET4434971552.149.20.212192.168.2.17
          Oct 31, 2024 19:37:39.449218035 CET4434971552.149.20.212192.168.2.17
          Oct 31, 2024 19:37:39.449223995 CET49715443192.168.2.1752.149.20.212
          Oct 31, 2024 19:37:39.449254036 CET4434971552.149.20.212192.168.2.17
          Oct 31, 2024 19:37:39.449295044 CET49715443192.168.2.1752.149.20.212
          Oct 31, 2024 19:37:39.449385881 CET4434971552.149.20.212192.168.2.17
          Oct 31, 2024 19:37:39.449445963 CET49715443192.168.2.1752.149.20.212
          Oct 31, 2024 19:37:39.450684071 CET49715443192.168.2.1752.149.20.212
          Oct 31, 2024 19:37:39.450684071 CET49715443192.168.2.1752.149.20.212
          Oct 31, 2024 19:37:39.450721979 CET4434971552.149.20.212192.168.2.17
          Oct 31, 2024 19:37:39.450745106 CET4434971552.149.20.212192.168.2.17
          Oct 31, 2024 19:37:39.536056995 CET4434971720.190.159.2192.168.2.17
          Oct 31, 2024 19:37:39.536130905 CET49717443192.168.2.1720.190.159.2
          Oct 31, 2024 19:37:39.553177118 CET4434971813.107.5.88192.168.2.17
          Oct 31, 2024 19:37:39.553267002 CET49718443192.168.2.1713.107.5.88
          Oct 31, 2024 19:37:39.556483984 CET49718443192.168.2.1713.107.5.88
          Oct 31, 2024 19:37:39.556502104 CET4434971813.107.5.88192.168.2.17
          Oct 31, 2024 19:37:39.556710958 CET4434971813.107.5.88192.168.2.17
          Oct 31, 2024 19:37:39.569590092 CET49717443192.168.2.1720.190.159.2
          Oct 31, 2024 19:37:39.569658995 CET4434971720.190.159.2192.168.2.17
          Oct 31, 2024 19:37:39.570574999 CET4434971720.190.159.2192.168.2.17
          Oct 31, 2024 19:37:39.571899891 CET49717443192.168.2.1720.190.159.2
          Oct 31, 2024 19:37:39.571960926 CET49717443192.168.2.1720.190.159.2
          Oct 31, 2024 19:37:39.571988106 CET4434971720.190.159.2192.168.2.17
          Oct 31, 2024 19:37:39.596468925 CET49718443192.168.2.1713.107.5.88
          Oct 31, 2024 19:37:39.639337063 CET4434971813.107.5.88192.168.2.17
          Oct 31, 2024 19:37:39.723390102 CET4434971813.107.5.88192.168.2.17
          Oct 31, 2024 19:37:39.725132942 CET4434971813.107.5.88192.168.2.17
          Oct 31, 2024 19:37:39.725204945 CET49718443192.168.2.1713.107.5.88
          Oct 31, 2024 19:37:39.736486912 CET49718443192.168.2.1713.107.5.88
          Oct 31, 2024 19:37:39.807450056 CET4970080192.168.2.1781.7.7.163
          Oct 31, 2024 19:37:39.807499886 CET4970180192.168.2.1781.7.7.163
          Oct 31, 2024 19:37:39.812457085 CET804970081.7.7.163192.168.2.17
          Oct 31, 2024 19:37:39.812617064 CET804970181.7.7.163192.168.2.17
          Oct 31, 2024 19:37:39.907459974 CET4434971720.190.159.2192.168.2.17
          Oct 31, 2024 19:37:39.907524109 CET4434971720.190.159.2192.168.2.17
          Oct 31, 2024 19:37:39.907602072 CET49717443192.168.2.1720.190.159.2
          Oct 31, 2024 19:37:39.907622099 CET4434971720.190.159.2192.168.2.17
          Oct 31, 2024 19:37:39.907665968 CET4434971720.190.159.2192.168.2.17
          Oct 31, 2024 19:37:39.907686949 CET49717443192.168.2.1720.190.159.2
          Oct 31, 2024 19:37:39.908241034 CET49717443192.168.2.1720.190.159.2
          Oct 31, 2024 19:37:39.908263922 CET49717443192.168.2.1720.190.159.2
          Oct 31, 2024 19:37:39.908576012 CET4434971720.190.159.2192.168.2.17
          Oct 31, 2024 19:37:39.908658028 CET4434971720.190.159.2192.168.2.17
          Oct 31, 2024 19:37:39.908822060 CET49717443192.168.2.1720.190.159.2
          Oct 31, 2024 19:37:40.015175104 CET49719443192.168.2.1720.190.159.2
          Oct 31, 2024 19:37:40.015269995 CET4434971920.190.159.2192.168.2.17
          Oct 31, 2024 19:37:40.015371084 CET49719443192.168.2.1720.190.159.2
          Oct 31, 2024 19:37:40.015535116 CET49719443192.168.2.1720.190.159.2
          Oct 31, 2024 19:37:40.015563011 CET4434971920.190.159.2192.168.2.17
          Oct 31, 2024 19:37:41.445782900 CET4434971920.190.159.2192.168.2.17
          Oct 31, 2024 19:37:41.446444035 CET49719443192.168.2.1720.190.159.2
          Oct 31, 2024 19:37:41.446492910 CET4434971920.190.159.2192.168.2.17
          Oct 31, 2024 19:37:41.447340965 CET49719443192.168.2.1720.190.159.2
          Oct 31, 2024 19:37:41.447355032 CET4434971920.190.159.2192.168.2.17
          Oct 31, 2024 19:37:41.447397947 CET49719443192.168.2.1720.190.159.2
          Oct 31, 2024 19:37:41.447407961 CET4434971920.190.159.2192.168.2.17
          Oct 31, 2024 19:37:41.781430960 CET4434971920.190.159.2192.168.2.17
          Oct 31, 2024 19:37:41.781505108 CET4434971920.190.159.2192.168.2.17
          Oct 31, 2024 19:37:41.781573057 CET4434971920.190.159.2192.168.2.17
          Oct 31, 2024 19:37:41.781599998 CET49719443192.168.2.1720.190.159.2
          Oct 31, 2024 19:37:41.781619072 CET4434971920.190.159.2192.168.2.17
          Oct 31, 2024 19:37:41.781639099 CET49719443192.168.2.1720.190.159.2
          Oct 31, 2024 19:37:41.781996012 CET49719443192.168.2.1720.190.159.2
          Oct 31, 2024 19:37:41.782010078 CET4434971920.190.159.2192.168.2.17
          Oct 31, 2024 19:37:41.782021046 CET49719443192.168.2.1720.190.159.2
          Oct 31, 2024 19:37:41.782365084 CET4434971920.190.159.2192.168.2.17
          Oct 31, 2024 19:37:41.782458067 CET4434971920.190.159.2192.168.2.17
          Oct 31, 2024 19:37:41.782531977 CET49719443192.168.2.1720.190.159.2
          Oct 31, 2024 19:37:41.848042011 CET49720443192.168.2.1720.190.159.2
          Oct 31, 2024 19:37:41.848084927 CET4434972020.190.159.2192.168.2.17
          Oct 31, 2024 19:37:41.848381042 CET49720443192.168.2.1720.190.159.2
          Oct 31, 2024 19:37:41.848579884 CET49720443192.168.2.1720.190.159.2
          Oct 31, 2024 19:37:41.848594904 CET4434972020.190.159.2192.168.2.17
          Oct 31, 2024 19:37:43.055408001 CET4434972020.190.159.2192.168.2.17
          Oct 31, 2024 19:37:43.056641102 CET49720443192.168.2.1720.190.159.2
          Oct 31, 2024 19:37:43.056641102 CET49720443192.168.2.1720.190.159.2
          Oct 31, 2024 19:37:43.056667089 CET4434972020.190.159.2192.168.2.17
          Oct 31, 2024 19:37:43.056678057 CET4434972020.190.159.2192.168.2.17
          Oct 31, 2024 19:37:43.056711912 CET49720443192.168.2.1720.190.159.2
          Oct 31, 2024 19:37:43.056720018 CET4434972020.190.159.2192.168.2.17
          Oct 31, 2024 19:37:43.428214073 CET4434972020.190.159.2192.168.2.17
          Oct 31, 2024 19:37:43.428273916 CET4434972020.190.159.2192.168.2.17
          Oct 31, 2024 19:37:43.428349972 CET4434972020.190.159.2192.168.2.17
          Oct 31, 2024 19:37:43.428359032 CET49720443192.168.2.1720.190.159.2
          Oct 31, 2024 19:37:43.428392887 CET4434972020.190.159.2192.168.2.17
          Oct 31, 2024 19:37:43.428421974 CET49720443192.168.2.1720.190.159.2
          Oct 31, 2024 19:37:43.429012060 CET49720443192.168.2.1720.190.159.2
          Oct 31, 2024 19:37:43.429012060 CET49720443192.168.2.1720.190.159.2
          Oct 31, 2024 19:37:43.429030895 CET4434972020.190.159.2192.168.2.17
          Oct 31, 2024 19:37:43.429354906 CET4434972020.190.159.2192.168.2.17
          Oct 31, 2024 19:37:43.429445982 CET4434972020.190.159.2192.168.2.17
          Oct 31, 2024 19:37:43.429490089 CET49720443192.168.2.1720.190.159.2
          Oct 31, 2024 19:37:43.560837984 CET49721443192.168.2.172.23.209.130
          Oct 31, 2024 19:37:43.560913086 CET443497212.23.209.130192.168.2.17
          Oct 31, 2024 19:37:43.561136961 CET49721443192.168.2.172.23.209.130
          Oct 31, 2024 19:37:43.563194036 CET49721443192.168.2.172.23.209.130
          Oct 31, 2024 19:37:43.563218117 CET443497212.23.209.130192.168.2.17
          Oct 31, 2024 19:37:44.403251886 CET443497212.23.209.130192.168.2.17
          Oct 31, 2024 19:37:44.403332949 CET49721443192.168.2.172.23.209.130
          Oct 31, 2024 19:37:44.411071062 CET49721443192.168.2.172.23.209.130
          Oct 31, 2024 19:37:44.411084890 CET443497212.23.209.130192.168.2.17
          Oct 31, 2024 19:37:44.411514997 CET443497212.23.209.130192.168.2.17
          Oct 31, 2024 19:37:44.411562920 CET49721443192.168.2.172.23.209.130
          Oct 31, 2024 19:37:44.413501978 CET49721443192.168.2.172.23.209.130
          Oct 31, 2024 19:37:44.413537025 CET443497212.23.209.130192.168.2.17
          Oct 31, 2024 19:37:44.701129913 CET443497212.23.209.130192.168.2.17
          Oct 31, 2024 19:37:44.701215982 CET49721443192.168.2.172.23.209.130
          Oct 31, 2024 19:37:44.701244116 CET443497212.23.209.130192.168.2.17
          Oct 31, 2024 19:37:44.701278925 CET443497212.23.209.130192.168.2.17
          Oct 31, 2024 19:37:44.701337099 CET49721443192.168.2.172.23.209.130
          Oct 31, 2024 19:37:44.701343060 CET443497212.23.209.130192.168.2.17
          Oct 31, 2024 19:37:44.701381922 CET49721443192.168.2.172.23.209.130
          Oct 31, 2024 19:37:44.701416016 CET443497212.23.209.130192.168.2.17
          Oct 31, 2024 19:37:44.701474905 CET49721443192.168.2.172.23.209.130
          Oct 31, 2024 19:37:44.704215050 CET49721443192.168.2.172.23.209.130
          Oct 31, 2024 19:37:44.704232931 CET443497212.23.209.130192.168.2.17
          Oct 31, 2024 19:37:50.422673941 CET49723443192.168.2.17142.250.185.196
          Oct 31, 2024 19:37:50.422723055 CET44349723142.250.185.196192.168.2.17
          Oct 31, 2024 19:37:50.422821045 CET49723443192.168.2.17142.250.185.196
          Oct 31, 2024 19:37:50.423031092 CET49723443192.168.2.17142.250.185.196
          Oct 31, 2024 19:37:50.423046112 CET44349723142.250.185.196192.168.2.17
          Oct 31, 2024 19:37:51.281371117 CET44349723142.250.185.196192.168.2.17
          Oct 31, 2024 19:37:51.281765938 CET49723443192.168.2.17142.250.185.196
          Oct 31, 2024 19:37:51.281793118 CET44349723142.250.185.196192.168.2.17
          Oct 31, 2024 19:37:51.282671928 CET44349723142.250.185.196192.168.2.17
          Oct 31, 2024 19:37:51.283066988 CET49723443192.168.2.17142.250.185.196
          Oct 31, 2024 19:37:51.283174992 CET44349723142.250.185.196192.168.2.17
          Oct 31, 2024 19:37:51.333622932 CET49723443192.168.2.17142.250.185.196
          Oct 31, 2024 19:38:01.298093081 CET44349723142.250.185.196192.168.2.17
          Oct 31, 2024 19:38:01.298198938 CET44349723142.250.185.196192.168.2.17
          Oct 31, 2024 19:38:01.298454046 CET49723443192.168.2.17142.250.185.196
          Oct 31, 2024 19:38:01.800230980 CET49723443192.168.2.17142.250.185.196
          Oct 31, 2024 19:38:01.800254107 CET44349723142.250.185.196192.168.2.17
          Oct 31, 2024 19:38:30.511337996 CET44349691204.79.197.200192.168.2.17
          Oct 31, 2024 19:38:30.511564016 CET49691443192.168.2.17204.79.197.200
          Timestamp | Source Port | Dest Port | Source IP | Dest IP
          Oct 31, 2024 19:36:45.560864925 CET | 53 | 57308 | 1.1.1.1 | 192.168.2.17
          Oct 31, 2024 19:36:45.603020906 CET | 53 | 65382 | 1.1.1.1 | 192.168.2.17
          Oct 31, 2024 19:36:46.422734022 CET | 63172 | 53 | 192.168.2.17 | 1.1.1.1
          Oct 31, 2024 19:36:46.422878981 CET | 56707 | 53 | 192.168.2.17 | 1.1.1.1
          Oct 31, 2024 19:36:46.432660103 CET | 56338 | 53 | 192.168.2.17 | 1.1.1.1
          Oct 31, 2024 19:36:46.432821035 CET | 49672 | 53 | 192.168.2.17 | 1.1.1.1
          Oct 31, 2024 19:36:46.436470985 CET | 53 | 63172 | 1.1.1.1 | 192.168.2.17
          Oct 31, 2024 19:36:46.455899000 CET | 53 | 49672 | 1.1.1.1 | 192.168.2.17
          Oct 31, 2024 19:36:46.465780973 CET | 53 | 56338 | 1.1.1.1 | 192.168.2.17
          Oct 31, 2024 19:36:46.583702087 CET | 53 | 56707 | 1.1.1.1 | 192.168.2.17
          Oct 31, 2024 19:36:46.838248014 CET | 53 | 58492 | 1.1.1.1 | 192.168.2.17
          Oct 31, 2024 19:36:50.364495039 CET | 62057 | 53 | 192.168.2.17 | 1.1.1.1
          Oct 31, 2024 19:36:50.364659071 CET | 55236 | 53 | 192.168.2.17 | 1.1.1.1
          Oct 31, 2024 19:36:50.371407032 CET | 53 | 62057 | 1.1.1.1 | 192.168.2.17
          Oct 31, 2024 19:36:50.371843100 CET | 53 | 55236 | 1.1.1.1 | 192.168.2.17
          Oct 31, 2024 19:37:03.868024111 CET | 53 | 62718 | 1.1.1.1 | 192.168.2.17
          Oct 31, 2024 19:37:22.693818092 CET | 53 | 54019 | 1.1.1.1 | 192.168.2.17
          Oct 31, 2024 19:37:45.545942068 CET | 53 | 60476 | 1.1.1.1 | 192.168.2.17
          Oct 31, 2024 19:37:45.655625105 CET | 53 | 57886 | 1.1.1.1 | 192.168.2.17
          Oct 31, 2024 19:38:06.311728001 CET | 138 | 138 | 192.168.2.17 | 192.168.2.255
          Oct 31, 2024 19:38:14.434433937 CET | 53 | 56880 | 1.1.1.1 | 192.168.2.17
          Timestamp | Source IP | Dest IP | Checksum | Code | Type
          Oct 31, 2024 19:36:46.583756924 CET | 192.168.2.17 | 1.1.1.1 | c231 | (Port unreachable) | Destination Unreachable
          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
          Oct 31, 2024 19:36:46.422734022 CET | 192.168.2.17 | 1.1.1.1 | 0x8c7b | Standard query (0) | amtso.eicar.org | A (IP address) | IN (0x0001) | false
          Oct 31, 2024 19:36:46.422878981 CET | 192.168.2.17 | 1.1.1.1 | 0x4bd2 | Standard query (0) | amtso.eicar.org | 65 | IN (0x0001) | false
          Oct 31, 2024 19:36:46.432660103 CET | 192.168.2.17 | 1.1.1.1 | 0xc5cd | Standard query (0) | amtso.eicar.org | A (IP address) | IN (0x0001) | false
          Oct 31, 2024 19:36:46.432821035 CET | 192.168.2.17 | 1.1.1.1 | 0xb655 | Standard query (0) | amtso.eicar.org | 65 | IN (0x0001) | false
          Oct 31, 2024 19:36:50.364495039 CET | 192.168.2.17 | 1.1.1.1 | 0xc967 | Standard query (0) | www.google.com | A (IP address) | IN (0x0001) | false
          Oct 31, 2024 19:36:50.364659071 CET | 192.168.2.17 | 1.1.1.1 | 0xefa5 | Standard query (0) | www.google.com | 65 | IN (0x0001) | false
          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
          Oct 31, 2024 19:36:46.436470985 CET | 1.1.1.1 | 192.168.2.17 | 0x8c7b | No error (0) | amtso.eicar.org |  | 81.7.7.163 | A (IP address) | IN (0x0001) | false
          Oct 31, 2024 19:36:46.465780973 CET | 1.1.1.1 | 192.168.2.17 | 0xc5cd | No error (0) | amtso.eicar.org |  | 81.7.7.163 | A (IP address) | IN (0x0001) | false
          Oct 31, 2024 19:36:50.371407032 CET | 1.1.1.1 | 192.168.2.17 | 0xc967 | No error (0) | www.google.com |  | 142.250.185.196 | A (IP address) | IN (0x0001) | false
          Oct 31, 2024 19:36:50.371843100 CET | 1.1.1.1 | 192.168.2.17 | 0xefa5 | No error (0) | www.google.com |  |  | 65 | IN (0x0001) | false
          • amtso.eicar.org
          • slscr.update.microsoft.com
          • fs.microsoft.com
          • login.live.com
          • evoke-windowsservices-tas.msedge.net
          • www.bing.com
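The packet tables above list every flow the analysis VM (192.168.2.17) produced during the run, but only the DNS answers tie a remote address back to a name. The script below is an added example (Python 3, standard library only; it is not Joe Sandbox code) that parses rows in the fused form this page shows them, splitting the port pair and the two addresses apart by using the known VM address as an anchor, and then groups each flow under the hostname whose DNS answer produced its remote IP. The sample rows and the answer map are copied from the tables above; the service-port set (53, 80, 443) is an assumption that holds for this capture and lets the ambiguous digit runs be split unambiguously.

```python
"""Attribute captured flows to DNS answers (added example, not Joe Sandbox code)."""
import re

HOST_IP = "192.168.2.17"        # the analysis VM, as seen in every row of the report
SERVICE_PORTS = {53, 80, 443}   # assumption: server-side ports present in this capture

# Constructed sample: rows copied verbatim from the report's TCP table, still fused.
TCP_ROWS = [
    "Oct 31, 2024 19:36:48.175308943 CET49677443192.168.2.17204.79.197.200",
    "Oct 31, 2024 19:36:48.222304106 CET49702443192.168.2.1781.7.7.163",
    "Oct 31, 2024 19:36:48.432172060 CET4434970281.7.7.163192.168.2.17",
    "Oct 31, 2024 19:36:50.372720957 CET49704443192.168.2.17142.250.185.196",
    "Oct 31, 2024 19:37:31.457504988 CET4970080192.168.2.1781.7.7.163",
    "Oct 31, 2024 19:37:38.748507977 CET804970081.7.7.163192.168.2.17",
]
# A records from the report's DNS answer table (name -> address).
DNS_ANSWERS = {"amtso.eicar.org": "81.7.7.163", "www.google.com": "142.250.185.196"}


def valid_ip(s):
    """Dotted quad with octets <= 255, no leading zeros and a non-zero first octet."""
    parts = s.split(".")
    return (len(parts) == 4 and parts[0] != "0"
            and all(p.isdigit() and int(p) <= 255 and (p == "0" or p[0] != "0") for p in parts))


def split_ports(blob):
    """Split a fused port pair such as '49702443' into (src, dst).

    Exactly one side must be a service port, the other any port without a leading
    zero; returns None when no split satisfies that (e.g. NetBIOS 138 -> 138)."""
    if not blob.isdigit():
        return None
    for i in range(1, len(blob)):
        a, b = blob[:i], blob[i:]
        if a[0] == "0" or b[0] == "0":
            continue
        pa, pb = int(a), int(b)
        if pa <= 65535 and pb <= 65535 and (pa in SERVICE_PORTS) != (pb in SERVICE_PORTS):
            return pa, pb
    return None


def parse_row(row):
    """Return (timestamp, src_ip, src_port, dst_ip, dst_port) for one fused row."""
    ts, sep, tail = row.partition(" CET")
    if not sep:
        raise ValueError(f"no timestamp in {row!r}")
    ts += sep
    # Case A: the VM is the source, so the row reads <ports><HOST_IP><remote IP>.
    start = tail.find(HOST_IP)
    while start > 0:
        pair, remote = split_ports(tail[:start]), tail[start + len(HOST_IP):]
        if pair and valid_ip(remote):
            return ts, HOST_IP, pair[0], remote, pair[1]
        start = tail.find(HOST_IP, start + 1)
    # Case B: the VM is the destination, so the row reads <ports><remote IP><HOST_IP>;
    # the remote's first octet is glued to the ports, so try 1..3 digits for it.
    if tail.endswith(HOST_IP):
        m = re.fullmatch(r"(\d+)\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})", tail[:-len(HOST_IP)])
        if m:
            for k in (1, 2, 3):
                remote = f"{m.group(1)[-k:]}.{m.group(2)}.{m.group(3)}.{m.group(4)}"
                pair = split_ports(m.group(1)[:-k])
                if pair and valid_ip(remote):
                    return ts, remote, pair[0], HOST_IP, pair[1]
    raise ValueError(f"cannot split {row!r}")


def attribute(rows, dns_answers):
    """Group remote endpoints by the hostname that resolved to them; endpoints with
    no answer in the capture cannot be tied to the sample from these tables alone."""
    by_ip = {ip: name for name, ip in dns_answers.items()}
    groups = {}
    for row in rows:
        _, sip, sp, dip, dp = parse_row(row)
        remote, rport = (dip, dp) if sip == HOST_IP else (sip, sp)
        label = by_ip.get(remote, "no DNS answer in capture")
        groups.setdefault(label, set()).add(f"{remote}:{rport}")
    return groups


if __name__ == "__main__":
    for label, endpoints in attribute(TCP_ROWS, DNS_ANSWERS).items():
        print(f"{label}: {sorted(endpoints)}")
```

Run over the full tables, the only endpoints that the DNS answers attribute to the submitted URL are 81.7.7.163:443 (port 49702, the download) and 81.7.7.163:80 (ports 49700 and 49701). 142.250.185.196 is www.google.com; the remaining addresses have no answer in the captured window, and the one with a decoded session, 52.149.20.212, is Windows Update (slscr.update.microsoft.com, below). Two details in the tables are worth noting: the type 65 queries are HTTPS resource-record lookups that Chrome issues beside the A query, and the ICMP port unreachable at 19:36:46.583756 follows the 1.1.1.1 to 56707 datagram by about 55 microseconds, where 56707 was the source port of the type 65 query for amtso.eicar.org, consistent with the client having already closed that socket.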
          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
          0 | 192.168.2.17 | 49700 | 81.7.7.163 | 80 | 6992 | C:\Program Files\Google\Chrome\Application\chrome.exe
          Timestamp | Bytes transferred | Direction | Data
          Oct 31, 2024 19:37:31.457504988 CET | 6 | OUT | Data Raw: 00
          Data Ascii:


          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
          1 | 192.168.2.17 | 49701 | 81.7.7.163 | 80 | 6992 | C:\Program Files\Google\Chrome\Application\chrome.exe
          Timestamp | Bytes transferred | Direction | Data
          Oct 31, 2024 19:37:31.457508087 CET | 6 | OUT | Data Raw: 00
          Data Ascii:


          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
          0 | 192.168.2.17 | 49702 | 81.7.7.163 | 443 | 6992 | C:\Program Files\Google\Chrome\Application\chrome.exe
          Timestamp | Bytes transferred | Direction | Data
          2024-10-31 18:36:48 UTC | 681 | OUT | GET /PotentiallyUnwanted.exe HTTP/1.1
          Host: amtso.eicar.org
          Connection: keep-alive
          Upgrade-Insecure-Requests: 1
          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
          sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
          sec-ch-ua-mobile: ?0
          sec-ch-ua-platform: "Windows"
          Sec-Fetch-Site: none
          Sec-Fetch-Mode: navigate
          Sec-Fetch-User: ?1
          Sec-Fetch-Dest: document
          Accept-Encoding: gzip, deflate, br
          Accept-Language: en-US,en;q=0.9
          2024-10-31 18:36:48 UTC | 274 | IN | HTTP/1.1 200 OK
          Date: Thu, 31 Oct 2024 18:36:48 GMT
          Server: Apache
          Content-disposition: attachment; filename="PotentiallyUnwanted.exe"
          Cache-control: private
          Upgrade: h2
          Connection: Upgrade, close
          Transfer-Encoding: chunked
          Content-Type: application/octet-stream
          2024-10-31 18:36:48 UTC | 7918 | IN | Data Raw: 32 30 30 30 0d 0a 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 08 3a 05 56 4c 5b 6b 05 4c 5b 6b 05 4c 5b 6b 05 57 c6 c0 05 46 5b 6b 05 57 c6 f5 05 44 5b 6b 05 57 c6 c1 05 74 5b 6b 05 45 23 f8 05 49 5b 6b 05 4c 5b 6a 05 73 5b 6b 05 57 c6 c4 05 4d 5b 6b 05 57 c6 f6 05 4d 5b 6b 05 52 69 63 68 4c 5b 6b 05 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 ef ef 5d 51 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 46 00 00 00
          Data Ascii: 2000MZ@!L!This program cannot be run in DOS mode.$:VL[kL[kL[kWF[kWD[kWt[kE#I[kL[js[kWM[kWM[kRichL[kPEL]QF
          2024-10-31 18:36:48 UTC | 280 | IN | Data Raw: 00 83 fb 08 75 2c 8b 0d c8 6b 40 00 89 4d dc 8b 0d cc 6b 40 00 03 0d c8 6b 40 00 39 4d dc 7d 19 8b 4d dc 6b c9 0c 8b 57 5c 89 44 11 08 ff 45 dc eb dd e8 3d f5 ff ff 89 06 c7 45 fc fe ff ff ff e8 15 00 00 00 83 fb 08 75 1f ff 77 64 53 ff 55 e0 59 eb 19 8b 5d 08 8b 7d d8 83 7d e4 00 74 08 6a 00 e8 1e fd ff ff 59 c3 53 ff 55 e0 59 83 fb 08 74 0a 83 fb 0b 74 05 83 fb 04 75 11 8b 45 d4 89 47 60 83 fb 08 75 06 8b 45 d0 89 47 64 33 c0 e8 b8 f9 ff ff c3 8b ff 55 8b ec 8b 45 08 a3 34 a7 40 00 5d c3 8b ff 55 8b ec 8b 45 08 a3 38 a7 40 00 5d c3 8b ff 55 8b ec 8b 45 08 a3 3c a7 40 00 5d c3 8b ff 55 8b ec 81 ec 28 03 00 00 a1 04 90 40 00 33 c5 89 45 fc 53 8b 5d 08 57 83 fb ff 74 07 53 e8 aa fb ff ff 59 83 a5 e0 fc ff ff 00 6a 4c 8d 85 e4 fc ff ff 6a 00 50 e8 28 1a 00
          Data Ascii: u,k@Mk@k@9M}MkW\DE=EuwdSUY]}}tjYSUYttuEG`uEGd3UE4@]UE8@]UE<@]U(@3ES]WtSYjLjP(
          2024-10-31 18:36:48 UTC | 2 | IN | Data Raw: 0d 0a
          Data Ascii:
          2024-10-31 18:36:48 UTC | 8192 | IN | Data Raw: 32 30 30 30 0d 0a fc ff ff 89 85 e0 fd ff ff 89 8d dc fd ff ff 89 95 d8 fd ff ff 89 9d d4 fd ff ff 89 b5 d0 fd ff ff 89 bd cc fd ff ff 66 8c 95 f8 fd ff ff 66 8c 8d ec fd ff ff 66 8c 9d c8 fd ff ff 66 8c 85 c4 fd ff ff 66 8c a5 c0 fd ff ff 66 8c ad bc fd ff ff 9c 8f 85 f0 fd ff ff 8b 45 04 8d 4d 04 89 8d f4 fd ff ff c7 85 30 fd ff ff 01 00 01 00 89 85 e8 fd ff ff 8b 49 fc 89 8d e4 fd ff ff 8b 4d 0c 89 8d e0 fc ff ff 8b 4d 10 89 8d e4 fc ff ff 89 85 ec fc ff ff ff 15 24 60 40 00 6a 00 8b f8 ff 15 20 60 40 00 8d 85 d8 fc ff ff 50 ff 15 1c 60 40 00 85 c0 75 10 85 ff 75 0c 83 fb ff 74 07 53 e8 b5 fa ff ff 59 8b 4d fc 5f 33 cd 5b e8 89 e3 ff ff c9 c3 8b ff 56 6a 01 be 17 04 00 c0 56 6a 02 e8 c5 fe ff ff 83 c4 0c 56 ff 15 18 60 40 00 50 ff 15 14 60 40 00 5e c3
          Data Ascii: 2000ffffffEM0IMM$`@j `@P`@uutSYM_3[VjVjV`@P`@^
          2024-10-31 18:36:48 UTC | 6 | IN | Data Raw: 3e f0 ff ff ff 76
          Data Ascii: >v
          2024-10-31 18:36:48 UTC | 2 | IN | Data Raw: 0d 0a
          Data Ascii:
          2024-10-31 18:36:48 UTC | 8192 | IN | Data Raw: 32 30 30 30 0d 0a 0c e8 36 f0 ff ff ff 76 10 e8 2e f0 ff ff ff 76 14 e8 26 f0 ff ff ff 76 18 e8 1e f0 ff ff ff 36 e8 17 f0 ff ff ff 76 20 e8 0f f0 ff ff ff 76 24 e8 07 f0 ff ff ff 76 28 e8 ff ef ff ff ff 76 2c e8 f7 ef ff ff ff 76 30 e8 ef ef ff ff ff 76 34 e8 e7 ef ff ff ff 76 1c e8 df ef ff ff ff 76 38 e8 d7 ef ff ff ff 76 3c e8 cf ef ff ff 83 c4 40 ff 76 40 e8 c4 ef ff ff ff 76 44 e8 bc ef ff ff ff 76 48 e8 b4 ef ff ff ff 76 4c e8 ac ef ff ff ff 76 50 e8 a4 ef ff ff ff 76 54 e8 9c ef ff ff ff 76 58 e8 94 ef ff ff ff 76 5c e8 8c ef ff ff ff 76 60 e8 84 ef ff ff ff 76 64 e8 7c ef ff ff ff 76 68 e8 74 ef ff ff ff 76 6c e8 6c ef ff ff ff 76 70 e8 64 ef ff ff ff 76 74 e8 5c ef ff ff ff 76 78 e8 54 ef ff ff ff 76 7c e8 4c ef ff ff 83 c4 40 ff b6 80 00 00 00
          Data Ascii: 20006v.v&v6v v$v(v,v0v4vv8v<@v@vDvHvLvPvTvXv\v`vd|vhtvllvpdvt\vxTv|L@
          2024-10-31 18:36:48 UTC | 6 | IN | Data Raw: 82 83 84 85 86 87
          Data Ascii:
          2024-10-31 18:36:48 UTC | 2 | IN | Data Raw: 0d 0a
          Data Ascii:
          2024-10-31 18:36:49 UTC | 8192 | IN | Data Raw: 32 30 30 30 0d 0a 88 89 8a 8b 8c 8d 8e 8f 90 91 92 93 94 95 96 97 98 99 9a 9b 9c 9d 9e 9f a0 a1 a2 a3 a4 a5 a6 a7 a8 a9 aa ab ac ad ae af b0 b1 b2 b3 b4 b5 b6 b7 b8 b9 ba bb bc bd be bf c0 c1 c2 c3 c4 c5 c6 c7 c8 c9 ca cb cc cd ce cf d0 d1 d2 d3 d4 d5 d6 d7 d8 d9 da db dc dd de df e0 e1 e2 e3 e4 e5 e6 e7 e8 e9 ea eb ec ed ee ef f0 f1 f2 f3 f4 f5 f6 f7 f8 f9 fa fb fc fd fe ff 80 81 82 83 84 85 86 87 88 89 8a 8b 8c 8d 8e 8f 90 91 92 93 94 95 96 97 98 99 9a 9b 9c 9d 9e 9f a0 a1 a2 a3 a4 a5 a6 a7 a8 a9 aa ab ac ad ae af b0 b1 b2 b3 b4 b5 b6 b7 b8 b9 ba bb bc bd be bf c0 c1 c2 c3 c4 c5 c6 c7 c8 c9 ca cb cc cd ce cf d0 d1 d2 d3 d4 d5 d6 d7 d8 d9 da db dc dd de df e0 e1 e2 e3 e4 e5 e6 e7 e8 e9 ea eb ec ed ee ef f0 f1 f2 f3 f4 f5 f6 f7 f8 f9 fa fb fc fd fe ff 00
          Data Ascii: 2000


          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
          1 | 192.168.2.17 | 49705 | 52.149.20.212 | 443 | |
          Timestamp | Bytes transferred | Direction | Data
          2024-10-31 18:37:00 UTC | 306 | OUT | GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=CzeDGtsYOg6vRMl&MD=fa3XeZZF HTTP/1.1
          Connection: Keep-Alive
          Accept: */*
          User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
          Host: slscr.update.microsoft.com
          2024-10-31 18:37:00 UTC | 560 | IN | HTTP/1.1 200 OK
          Cache-Control: no-cache
          Pragma: no-cache
          Content-Type: application/octet-stream
          Expires: -1
          Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT
          ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880"
          MS-CorrelationId: 70fe455d-ca5e-4383-9b77-6510476e4cd7
          MS-RequestId: f9430c74-6871-4dd8-8a29-3d1a58b03224
          MS-CV: Of1BoHp3+UunBcjk.0
          X-Microsoft-SLSClientCache: 2880
          Content-Disposition: attachment; filename=environment.cab
          X-Content-Type-Options: nosniff
          Date: Thu, 31 Oct 2024 18:36:59 GMT
          Connection: close
          Content-Length: 24490
          2024-10-31 18:37:00 UTC | 15824 | IN | Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58
          Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
          2024-10-31 18:37:00 UTC | 8666 | IN | Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31
          Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1


          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
          2 | 192.168.2.17 | 49713 | 184.28.90.27 | 443 | |
          Timestamp | Bytes transferred | Direction | Data
          2024-10-31 18:37:07 UTC | 161 | OUT | HEAD /fs/windows/config.json HTTP/1.1
          Connection: Keep-Alive
          Accept: */*
          Accept-Encoding: identity
          User-Agent: Microsoft BITS/7.8
          Host: fs.microsoft.com
          2024-10-31 18:37:08 UTC | 467 | IN | HTTP/1.1 200 OK
          Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json
          Content-Type: application/octet-stream
          ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7"
          Last-Modified: Tue, 16 May 2017 22:58:00 GMT
          Server: ECAcc (lpl/EF70)
          X-CID: 11
          X-Ms-ApiVersion: Distribute 1.2
          X-Ms-Region: prod-neu-z1
          Cache-Control: public, max-age=166114
          Date: Thu, 31 Oct 2024 18:37:08 GMT
          Connection: close
          X-CID: 2


          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
          3 | 192.168.2.17 | 49714 | 184.28.90.27 | 443 | |
          Timestamp | Bytes transferred | Direction | Data
          2024-10-31 18:37:09 UTC | 239 | OUT | GET /fs/windows/config.json HTTP/1.1
          Connection: Keep-Alive
          Accept: */*
          Accept-Encoding: identity
          If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT
          Range: bytes=0-2147483646
          User-Agent: Microsoft BITS/7.8
          Host: fs.microsoft.com
          2024-10-31 18:37:09 UTC | 515 | IN | HTTP/1.1 200 OK
          ApiVersion: Distribute 1.1
          Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json
          Content-Type: application/octet-stream
          ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7"
          Last-Modified: Tue, 16 May 2017 22:58:00 GMT
          Server: ECAcc (lpl/EF06)
          X-CID: 11
          X-Ms-ApiVersion: Distribute 1.2
          X-Ms-Region: prod-weu-z1
          Cache-Control: public, max-age=166170
          Date: Thu, 31 Oct 2024 18:37:09 GMT
          Content-Length: 55
          Connection: close
          X-CID: 2
          2024-10-31 18:37:09 UTC | 55 | IN | Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d
          Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}


          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
          4 | 192.168.2.17 | 49715 | 52.149.20.212 | 443 | |
          Timestamp | Bytes transferred | Direction | Data
          2024-10-31 18:37:39 UTC | 306 | OUT | GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=CzeDGtsYOg6vRMl&MD=fa3XeZZF HTTP/1.1
          Connection: Keep-Alive
          Accept: */*
          User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
          Host: slscr.update.microsoft.com
          2024-10-31 18:37:39 UTC | 560 | IN | HTTP/1.1 200 OK
          Cache-Control: no-cache
          Pragma: no-cache
          Content-Type: application/octet-stream
          Expires: -1
          Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT
          ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440"
          MS-CorrelationId: 9938ba13-847c-4250-b754-f1c9360a576e
          MS-RequestId: 7e59deaf-bcb8-4206-b550-dec173c65cbc
          MS-CV: tvdvIleOh0upWPkE.0
          X-Microsoft-SLSClientCache: 1440
          Content-Disposition: attachment; filename=environment.cab
          X-Content-Type-Options: nosniff
          Date: Thu, 31 Oct 2024 18:37:38 GMT
          Connection: close
          Content-Length: 30005
          2024-10-31 18:37:39 UTC | 15824 | IN | Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e
          Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
          2024-10-31 18:37:39 UTC | 14181 | IN | Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f
          Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro


          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
          5 | 192.168.2.17 | 49717 | 20.190.159.2 | 443 | |
          Timestamp | Bytes transferred | Direction | Data
          2024-10-31 18:37:39 UTC | 422 | OUT | POST /RST2.srf HTTP/1.0
          Connection: Keep-Alive
          Content-Type: application/soap+xml
          Accept: */*
          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})
          Content-Length: 3592
          Host: login.live.com
          2024-10-31 18:37:39 UTC | 3592 | OUT | Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31
          Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
          2024-10-31 18:37:39 UTC | 569 | IN | HTTP/1.1 200 OK
          Cache-Control: no-store, no-cache
          Pragma: no-cache
          Content-Type: application/soap+xml; charset=utf-8
          Expires: Thu, 31 Oct 2024 18:36:39 GMT
          P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
          Referrer-Policy: strict-origin-when-cross-origin
          x-ms-route-info: C529_BL2
          x-ms-request-id: 05503acc-f1be-4dc1-97ed-b3a31030f23b
          PPServer: PPV: 30 H: BL02EPF0001D948 V: 0
          X-Content-Type-Options: nosniff
          Strict-Transport-Security: max-age=31536000
          X-XSS-Protection: 1; mode=block
          Date: Thu, 31 Oct 2024 18:37:38 GMT
          Connection: close
          Content-Length: 11392
          2024-10-31 18:37:39 UTC | 11392 | IN | Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30
          Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200


          Session ID | Source IP | Source Port | Destination IP | Destination Port
          6 | 192.168.2.17 | 49718 | 13.107.5.88 | 443
          Timestamp | Bytes transferred | Direction | Data
          2024-10-31 18:37:39 UTC | 537 | OUT | GET /ab HTTP/1.1
          Host: evoke-windowsservices-tas.msedge.net
          Cache-Control: no-store, no-cache
          X-PHOTOS-CALLERID: 9NMPJ99VJBWV
          X-EVOKE-RING:
          X-WINNEXT-RING: Public
          X-WINNEXT-TELEMETRYLEVEL: Basic
          X-WINNEXT-OSVERSION: 10.0.19045.0
          X-WINNEXT-APPVERSION: 1.23082.131.0
          X-WINNEXT-PLATFORM: Desktop
          X-WINNEXT-CANTAILOR: False
          X-MSEDGE-CLIENTID: {c1afbad7-f7da-40f2-92f9-8846a91d69bd}
          X-WINNEXT-PUBDEVICEID: dbfen2nYS7HW6ON4OdOknKxxv2CCI5LJBTojzDztjwI=
          If-None-Match: 2056388360_-1434155563
          Accept-Encoding: gzip, deflate, br
          2024-10-31 18:37:39 UTC | 209 | IN | HTTP/1.1 400 Bad Request
          X-MSEdge-Ref: Ref A: FD37289ACF3844198F9666C5E1FB0C3C Ref B: DFW311000104023 Ref C: 2024-10-31T18:37:39Z
          Date: Thu, 31 Oct 2024 18:37:39 GMT
          Connection: close
          Content-Length: 0


          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
          7 | 192.168.2.17 | 49719 | 20.190.159.2 | 443 | |
          Timestamp | Bytes transferred | Direction | Data
          2024-10-31 18:37:41 UTC | 422 | OUT | POST /RST2.srf HTTP/1.0
          Connection: Keep-Alive
          Content-Type: application/soap+xml
          Accept: */*
          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})
          Content-Length: 4775
          Host: login.live.com
          2024-10-31 18:37:41 UTC | 4775 | OUT | Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31
          Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
          2024-10-31 18:37:41 UTC | 569 | IN | HTTP/1.1 200 OK
          Cache-Control: no-store, no-cache
          Pragma: no-cache
          Content-Type: application/soap+xml; charset=utf-8
          Expires: Thu, 31 Oct 2024 18:36:41 GMT
          P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
          Referrer-Policy: strict-origin-when-cross-origin
          x-ms-route-info: C529_BL2
          x-ms-request-id: 245297ad-5c19-493d-b08f-14efe7e1f6b3
          PPServer: PPV: 30 H: BL02EPF0001D821 V: 0
          X-Content-Type-Options: nosniff
          Strict-Transport-Security: max-age=31536000
          X-XSS-Protection: 1; mode=block
          Date: Thu, 31 Oct 2024 18:37:41 GMT
          Connection: close
          Content-Length: 11392
          2024-10-31 18:37:41 UTC | 11392 | IN | Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30
          Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200


          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
          8 | 192.168.2.17 | 49720 | 20.190.159.2 | 443 | |
          Timestamp | Bytes transferred | Direction | Data
          2024-10-31 18:37:43 UTC | 422 | OUT | POST /RST2.srf HTTP/1.0
          Connection: Keep-Alive
          Content-Type: application/soap+xml
          Accept: */*
          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})
          Content-Length: 4808
          Host: login.live.com
          2024-10-31 18:37:43 UTC | 4808 | OUT | Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31
          Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
          2024-10-31 18:37:43 UTC | 569 | IN | HTTP/1.1 200 OK
          Cache-Control: no-store, no-cache
          Pragma: no-cache
          Content-Type: application/soap+xml; charset=utf-8
          Expires: Thu, 31 Oct 2024 18:36:43 GMT
          P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
          Referrer-Policy: strict-origin-when-cross-origin
          x-ms-route-info: C529_BAY
          x-ms-request-id: 1c2a4ffe-6bfa-4689-944b-15e05c177250
          PPServer: PPV: 30 H: PH1PEPF00011E5A V: 0
          X-Content-Type-Options: nosniff
          Strict-Transport-Security: max-age=31536000
          X-XSS-Protection: 1; mode=block
          Date: Thu, 31 Oct 2024 18:37:42 GMT
          Connection: close
          Content-Length: 11197
          2024-10-31 18:37:43 UTC | 11197 | IN | Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30
          Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200


          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
          9 | 192.168.2.17 | 49721 | 2.23.209.130 | 443 | |
          Timestamp | Bytes transferred | Direction | Data
          2024-10-31 18:37:44 UTC | 2583 | OUT | GET /client/config?cc=CH&setlang=en-CH HTTP/1.1
          X-Search-CortanaAvailableCapabilities: None
          X-Search-SafeSearch: Moderate
          Accept-Encoding: gzip, deflate
          X-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A}
          X-UserAgeClass: Unknown
          X-BM-Market: CH
          X-BM-DateFormat: dd/MM/yyyy
          X-Device-OSSKU: 48
          X-BM-DTZ: -240
          X-DeviceID: 01000A41090080B6
          X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66E
          X-Search-TimeZone: Bias=300; DaylightBias=-60; TimeZoneKeyName=Eastern Standard Time
          X-BM-Theme: 000000;0078d7
          X-Search-RPSToken: t%3DEwDoAkR8BAAUcvamItSE/vUHpyZRp3BeyOJPQDsAAYmHDDRmyane8Fod1HC8VXZMGkU9AejSY1UyQblmBumTKuDI6Id4zhhGfGxqATtVnXS9XF11agZrpFTVEOSdZZ5YaEAUihSl0mI5E81FkfhXarzD9X7SJPfu4/jzv/zyyLY9g4OGWgy2odicFJBMZTfZV1izEcXJ/3PKNAtkXKhtprxWR0vQ0FkhNBTKPfQPf%2B0R1sRjP%2BQ7DpBCroG5i4%2BGyFg4qbUECwclOiGBBJqp8SZCuzcLoKRxPQTMkGVH5rzKd70EXTXDgP1rM4E4ifYHqWSSe1BW9nWHodlRvbXvEZGHygbPgqA8bfmZSw6xZbSY7kh0ASCkVg92NdodOiIQZgAAEMtbzXvQfnGRIi%2BMUCDFlK2wAZuRy29V6i435W16QOF/czggoermpHBXOuqnJwM3cS858K%2ByO5IjLOmHQr8NmB%2B1mbu6x3hl%2B8PoRRl9V6eXlUT3aZwbFPls%2BUoONip2w/lf1egysn71Y74p6DymO90nDStpkboNPPJvPgbaaJcB8KGXCiXJFaOnSXv33lYqpkaXmmpcpIFeizgjH/Q7YL8yMqLqvEagA/In7Ua/cw7dqlJdAsmBuRLsb8k/JREQmeGlJynLJc2HO4LGdS/viIDctGE7v/PkcLWCFf27Y0vV%2BkKf40sCuPByORubRpI9z1QeCP8wWlt0veIGJZ7pHVZbJkwVtaVcLwpJ6d7eWEMePLr3xa43kroVG7wLAgd/xh0HqW436y1N%2BeoCn6NH1vAjQPVFzgTehzsXiT7AeqNSkpyBdmrpHqI1Ij7%2BXm1AXQ%2BFZWLxiKm2td3GrxoZDIleeFy/UYVZhudeWzlFLZozSUd4VDAPjLBEANZZSM1DTpjE7TyvYdJ6bxi8JVL%2BSFDqhgtJwSsYwcS36IisWHOD0xKO71xoFWWDOME5Uvk8C6rwmIEYeyr [TRUNCATED]
          X-Agent-DeviceId: 01000A41090080B6
          X-BM-CBT: 1730399857
          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045
          X-Device-isOptin: false
          Accept-language: en-GB, en, en-US
          X-Device-Touch: false
          X-Device-ClientSession: 89D4803490BE43838DD133B3B98DDBB0
          X-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI
          Host: www.bing.com
          Connection: Keep-Alive
          Cookie: SRCHUID=V=2&GUID=C4EAB6C130004333A34B5668AE4E4D10&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20240207; SRCHHPGUSR=SRCHLANG=en; MUID=4590362BB5CF472B95BBEDB3112D4B7B; MUIDB=4590362BB5CF472B95BBEDB3112D4B7B
          2024-10-31 18:37:44 UTC | 1147 | IN | HTTP/1.1 200 OK
          Content-Length: 2215
          Content-Type: application/json; charset=utf-8
          Cache-Control: private
          X-EventID: 6723ce78fe944b89b7b8c3323ddcd2fd
          X-AS-SetSessionMarket: de-ch
          UserAgentReductionOptOut: A7kgTC5xdZ2WIVGZEfb1hUoNuvjzOZX3VIV/BA6C18kQOOF50Q0D3oWoAm49k3BQImkujKILc7JmPysWk3CSjwUAAACMeyJvcmlnaW4iOiJodHRwczovL3d3dy5iaW5nLmNvbTo0NDMiLCJmZWF0dXJlIjoiU2VuZEZ1bGxVc2VyQWdlbnRBZnRlclJlZHVjdGlvbiIsImV4cGlyeSI6MTY4NDg4NjM5OSwiaXNTdWJkb21haW4iOnRydWUsImlzVGhpcmRQYXJ0eSI6dHJ1ZX0=
          X-XSS-Protection: 0
          P3P: CP="NON UNI COM NAV STA LOC CURa DEVa PSAa PSDa OUR IND"
          Date: Thu, 31 Oct 2024 18:37:44 GMT
          Connection: close
          Set-Cookie: _EDGE_S=SID=23715F3551826EAD09454A1C50596F22&mkt=de-ch; domain=.bing.com; path=/; HttpOnly
          Set-Cookie: ANON=A=84BEA1DAAAB85FA790252CDAFFFFFFFF; domain=.bing.com; expires=Tue, 25-Nov-2025 18:37:44 GMT; path=/; secure; SameSite=None
          Set-Cookie: WLS=C=0000000000000000&N=; domain=.bing.com; path=/; secure; SameSite=None
          Set-Cookie: _SS=SID=23715F3551826EAD09454A1C50596F22; domain=.bing.com; path=/; secure; SameSite=None
          Alt-Svc: h3=":443"; ma=93600
          X-CDN-TraceID: 0.20d01702.1730399864.2619ada
          2024-10-31 18:37:44 UTC | 2215 | IN | Data Raw: 7b 22 76 65 72 73 69 6f 6e 22 3a 31 2c 22 63 6f 6e 66 69 67 22 3a 7b 22 46 65 61 74 75 72 65 43 6f 6e 66 69 67 22 3a 7b 22 53 65 61 72 63 68 42 6f 78 49 62 65 61 6d 50 6f 69 6e 74 65 72 4f 6e 48 6f 76 65 72 22 3a 7b 22 76 61 6c 75 65 22 3a 74 72 75 65 2c 22 66 65 61 74 75 72 65 22 3a 22 22 7d 2c 22 53 68 6f 77 53 65 61 72 63 68 47 6c 79 70 68 4c 65 66 74 4f 66 53 65 61 72 63 68 42 6f 78 22 3a 7b 22 76 61 6c 75 65 22 3a 74 72 75 65 2c 22 66 65 61 74 75 72 65 22 3a 22 22 7d 2c 22 53 65 61 72 63 68 42 6f 78 55 73 65 53 65 61 72 63 68 49 63 6f 6e 41 74 52 65 73 74 22 3a 7b 22 76 61 6c 75 65 22 3a 66 61 6c 73 65 2c 22 66 65 61 74 75 72 65 22 3a 22 22 7d 2c 22 53 65 61 72 63 68 42 75 74 74 6f 6e 55 73 65 53 65 61 72 63 68 49 63 6f 6e 22 3a 7b 22 76 61 6c 75 65
          Data Ascii: {"version":1,"config":{"FeatureConfig":{"SearchBoxIbeamPointerOnHover":{"value":true,"feature":""},"ShowSearchGlyphLeftOfSearchBox":{"value":true,"feature":""},"SearchBoxUseSearchIconAtRest":{"value":false,"feature":""},"SearchButtonUseSearchIcon":{"value



          Target ID:0
          Start time:14:36:43
          Start date:31/10/2024
          Path:C:\Program Files\Google\Chrome\Application\chrome.exe
          Wow64 process (32bit):false
          Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
          Imagebase:0x7ff7d6f10000
          File size:3'242'272 bytes
          MD5 hash:83395EAB5B03DEA9720F8D7AC0D15CAA
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:low
          Has exited:false

          Target ID:1
          Start time:14:36:44
          Start date:31/10/2024
          Path:C:\Program Files\Google\Chrome\Application\chrome.exe
          Wow64 process (32bit):false
          Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 --field-trial-handle=1996,i,9677582239789433466,1390415878745248934,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
          Imagebase:0x7ff7d6f10000
          File size:3'242'272 bytes
          MD5 hash:83395EAB5B03DEA9720F8D7AC0D15CAA
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:low
          Has exited:false

          Target ID:3
          Start time:14:36:45
          Start date:31/10/2024
          Path:C:\Program Files\Google\Chrome\Application\chrome.exe
          Wow64 process (32bit):false
          Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" "http://amtso.eicar.org/PotentiallyUnwanted.exe"
          Imagebase:0x7ff7d6f10000
          File size:3'242'272 bytes
          MD5 hash:83395EAB5B03DEA9720F8D7AC0D15CAA
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:low
          Has exited:true

          Target ID:4
          Start time:14:36:47
          Start date:31/10/2024
          Path:C:\Program Files\Google\Chrome\Application\chrome.exe
          Wow64 process (32bit):false
          Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5512 --field-trial-handle=1996,i,9677582239789433466,1390415878745248934,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
          Imagebase:0x7ff7d6f10000
          File size:3'242'272 bytes
          MD5 hash:83395EAB5B03DEA9720F8D7AC0D15CAA
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Reputation:low
          Has exited:true

          Target ID:7
          Start time:14:36:57
          Start date:31/10/2024
          Path:C:\Users\user\Downloads\PotentiallyUnwanted.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\Downloads\PotentiallyUnwanted.exe"
          Imagebase:0xa00000
          File size:33'282 bytes
          MD5 hash:1AC020D35BE34D812D628AF0A5BF29B1
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:low
          Has exited:true

          Target ID:23
          Start time:14:37:57
          Start date:31/10/2024
          Path:C:\Windows\System32\Taskmgr.exe
          Wow64 process (32bit):false
          Commandline:"C:\Windows\system32\taskmgr.exe" /0
          Imagebase:0x7ff6f3f20000
          File size:1'213'232 bytes
          MD5 hash:58D5BC7895F7F32EE308E34F06F25DD5
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Reputation:low
          Has exited:true

          Target ID:26
          Start time:14:37:57
          Start date:31/10/2024
          Path:C:\Windows\System32\Taskmgr.exe
          Wow64 process (32bit):false
          Commandline:"C:\Windows\system32\taskmgr.exe" /0
          Imagebase:0x7ff6d3ce0000
          File size:1'213'232 bytes
          MD5 hash:58D5BC7895F7F32EE308E34F06F25DD5
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:low
          Has exited:true

          No disassembly