Edit tour

Windows Analysis Report
http://10.00.56.00&d=DwQFaQ

Overview

General Information

Sample URL:	http://10.00.56.00&d=DwQFaQ
Analysis ID:	1426761
Infos:

Detection

Score:	0
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Uses insecure TLS / SSL version for HTTPS connection

Classification

Process Tree

System is w10x64

chrome.exe (PID: 6944 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 4160 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 --field-trial-handle=2208,i,7639646435292787510,15926903096463883303,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 6688 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://10.00.56.00&d=DwQFaQ" MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

cleanup

HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com

Source: unknown

DNS traffic detected: queries for: google.com

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443

Source: unknown	HTTPS traffic detected: 52.159.127.243:443 -> 192.168.2.6:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.36.68.63:443 -> 192.168.2.6:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.36.68.63:443 -> 192.168.2.6:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.159.127.243:443 -> 192.168.2.6:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.159.127.243:443 -> 192.168.2.6:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.159.127.243:443 -> 192.168.2.6:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.159.127.243:443 -> 192.168.2.6:49734 version: TLS 1.2

Source: classification engine

Classification label: clean0.win@20/0@4/5

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 --field-trial-handle=2208,i,7639646435292787510,15926903096463883303,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://10.00.56.00&d=DwQFaQ"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 --field-trial-handle=2208,i,7639646435292787510,15926903096463883303,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	1 Process Injection	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false	unknown
google.com	142.250.217.174	true	false	high
www.google.com	142.250.105.99	true	false	high
fp2e7a.wpc.phicdn.net	192.229.211.108	true	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
239.255.255.250	unknown	Reserved		unknown	unknown	false
142.250.105.99	www.google.com	United States		15169	GOOGLEUS	false

Private

IP
192.168.2.17
192.168.2.18
192.168.2.6

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1426761
Start date and time:	2024-04-16 15:31:53 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	http://10.00.56.00&d=DwQFaQ
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean0.win@20/0@4/5
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 74.125.138.94, 172.253.124.113, 172.253.124.139, 172.253.124.102, 172.253.124.100, 172.253.124.101, 172.253.124.138, 64.233.176.84, 34.104.35.123, 40.127.169.103, 192.229.211.108, 23.40.205.34, 23.40.205.73, 23.40.205.8, 23.40.205.49, 23.40.205.26, 23.40.205.35, 23.40.205.65, 23.40.205.48, 20.242.39.171, 23.76.32.107, 108.177.122.94, 199.232.214.172
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, tile-service.weather.microsoft.com, clientservices.googleapis.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, e15275.g.akamaiedge.net, wu-bg-shim.trafficmanager.net, download.windowsupdate.com.edgesuite.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, clients2.google.com, edgedl.me.gvt1.com, ocsp.digicert.com, wildcard.weather.microsoft.com.edgekey.net, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, update.googleapis.com, clients.l.google.com, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

⊘No static file info

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 16, 2024 15:32:42.725600958 CEST	49673	443	192.168.2.6	173.222.162.64
Apr 16, 2024 15:32:42.727906942 CEST	49674	443	192.168.2.6	173.222.162.64
Apr 16, 2024 15:32:42.928749084 CEST	49672	443	192.168.2.6	173.222.162.64
Apr 16, 2024 15:32:50.555548906 CEST	49718	443	192.168.2.6	142.250.105.99
Apr 16, 2024 15:32:50.555592060 CEST	443	49718	142.250.105.99	192.168.2.6
Apr 16, 2024 15:32:50.555676937 CEST	49718	443	192.168.2.6	142.250.105.99
Apr 16, 2024 15:32:50.555903912 CEST	49718	443	192.168.2.6	142.250.105.99
Apr 16, 2024 15:32:50.555915117 CEST	443	49718	142.250.105.99	192.168.2.6
Apr 16, 2024 15:32:50.778702974 CEST	443	49718	142.250.105.99	192.168.2.6
Apr 16, 2024 15:32:50.779036999 CEST	49718	443	192.168.2.6	142.250.105.99
Apr 16, 2024 15:32:50.779061079 CEST	443	49718	142.250.105.99	192.168.2.6
Apr 16, 2024 15:32:50.780750036 CEST	443	49718	142.250.105.99	192.168.2.6
Apr 16, 2024 15:32:50.780848026 CEST	49718	443	192.168.2.6	142.250.105.99
Apr 16, 2024 15:32:50.782428980 CEST	49718	443	192.168.2.6	142.250.105.99
Apr 16, 2024 15:32:50.782546997 CEST	443	49718	142.250.105.99	192.168.2.6
Apr 16, 2024 15:32:50.833369017 CEST	49718	443	192.168.2.6	142.250.105.99
Apr 16, 2024 15:32:50.833396912 CEST	443	49718	142.250.105.99	192.168.2.6
Apr 16, 2024 15:32:50.880218983 CEST	49718	443	192.168.2.6	142.250.105.99
Apr 16, 2024 15:32:50.985450983 CEST	49719	443	192.168.2.6	52.159.127.243
Apr 16, 2024 15:32:50.985485077 CEST	443	49719	52.159.127.243	192.168.2.6
Apr 16, 2024 15:32:50.985562086 CEST	49719	443	192.168.2.6	52.159.127.243
Apr 16, 2024 15:32:50.986285925 CEST	49719	443	192.168.2.6	52.159.127.243
Apr 16, 2024 15:32:50.986294985 CEST	443	49719	52.159.127.243	192.168.2.6
Apr 16, 2024 15:32:51.375796080 CEST	443	49719	52.159.127.243	192.168.2.6
Apr 16, 2024 15:32:51.375869036 CEST	49719	443	192.168.2.6	52.159.127.243
Apr 16, 2024 15:32:51.391983032 CEST	49719	443	192.168.2.6	52.159.127.243
Apr 16, 2024 15:32:51.392007113 CEST	443	49719	52.159.127.243	192.168.2.6
Apr 16, 2024 15:32:51.392513990 CEST	443	49719	52.159.127.243	192.168.2.6
Apr 16, 2024 15:32:51.400713921 CEST	49719	443	192.168.2.6	52.159.127.243
Apr 16, 2024 15:32:51.400870085 CEST	49719	443	192.168.2.6	52.159.127.243
Apr 16, 2024 15:32:51.400875092 CEST	443	49719	52.159.127.243	192.168.2.6
Apr 16, 2024 15:32:51.401283026 CEST	49719	443	192.168.2.6	52.159.127.243
Apr 16, 2024 15:32:51.448107004 CEST	443	49719	52.159.127.243	192.168.2.6
Apr 16, 2024 15:32:51.534488916 CEST	443	49719	52.159.127.243	192.168.2.6
Apr 16, 2024 15:32:51.534593105 CEST	443	49719	52.159.127.243	192.168.2.6
Apr 16, 2024 15:32:51.534643888 CEST	49719	443	192.168.2.6	52.159.127.243
Apr 16, 2024 15:32:51.535120964 CEST	49719	443	192.168.2.6	52.159.127.243
Apr 16, 2024 15:32:51.535131931 CEST	443	49719	52.159.127.243	192.168.2.6
Apr 16, 2024 15:32:52.333394051 CEST	49674	443	192.168.2.6	173.222.162.64
Apr 16, 2024 15:32:52.333398104 CEST	49673	443	192.168.2.6	173.222.162.64
Apr 16, 2024 15:32:52.536542892 CEST	49672	443	192.168.2.6	173.222.162.64
Apr 16, 2024 15:32:52.677647114 CEST	49720	443	192.168.2.6	23.36.68.63
Apr 16, 2024 15:32:52.677697897 CEST	443	49720	23.36.68.63	192.168.2.6
Apr 16, 2024 15:32:52.677812099 CEST	49720	443	192.168.2.6	23.36.68.63
Apr 16, 2024 15:32:52.680392027 CEST	49720	443	192.168.2.6	23.36.68.63
Apr 16, 2024 15:32:52.680413008 CEST	443	49720	23.36.68.63	192.168.2.6
Apr 16, 2024 15:32:52.905744076 CEST	443	49720	23.36.68.63	192.168.2.6
Apr 16, 2024 15:32:52.906236887 CEST	49720	443	192.168.2.6	23.36.68.63
Apr 16, 2024 15:32:52.910140991 CEST	49720	443	192.168.2.6	23.36.68.63
Apr 16, 2024 15:32:52.910181046 CEST	443	49720	23.36.68.63	192.168.2.6
Apr 16, 2024 15:32:52.910516024 CEST	443	49720	23.36.68.63	192.168.2.6
Apr 16, 2024 15:32:52.958403111 CEST	49720	443	192.168.2.6	23.36.68.63
Apr 16, 2024 15:32:52.972932100 CEST	49720	443	192.168.2.6	23.36.68.63
Apr 16, 2024 15:32:53.020109892 CEST	443	49720	23.36.68.63	192.168.2.6
Apr 16, 2024 15:32:53.108139992 CEST	443	49720	23.36.68.63	192.168.2.6
Apr 16, 2024 15:32:53.108223915 CEST	443	49720	23.36.68.63	192.168.2.6
Apr 16, 2024 15:32:53.108669043 CEST	49720	443	192.168.2.6	23.36.68.63
Apr 16, 2024 15:32:53.108901024 CEST	49720	443	192.168.2.6	23.36.68.63
Apr 16, 2024 15:32:53.108901024 CEST	49720	443	192.168.2.6	23.36.68.63
Apr 16, 2024 15:32:53.108922005 CEST	443	49720	23.36.68.63	192.168.2.6
Apr 16, 2024 15:32:53.108931065 CEST	443	49720	23.36.68.63	192.168.2.6
Apr 16, 2024 15:32:53.160293102 CEST	49721	443	192.168.2.6	23.36.68.63
Apr 16, 2024 15:32:53.160337925 CEST	443	49721	23.36.68.63	192.168.2.6
Apr 16, 2024 15:32:53.161647081 CEST	49721	443	192.168.2.6	23.36.68.63
Apr 16, 2024 15:32:53.161647081 CEST	49721	443	192.168.2.6	23.36.68.63
Apr 16, 2024 15:32:53.161679983 CEST	443	49721	23.36.68.63	192.168.2.6
Apr 16, 2024 15:32:53.375550032 CEST	443	49721	23.36.68.63	192.168.2.6
Apr 16, 2024 15:32:53.375663042 CEST	49721	443	192.168.2.6	23.36.68.63
Apr 16, 2024 15:32:53.377521992 CEST	49721	443	192.168.2.6	23.36.68.63
Apr 16, 2024 15:32:53.377537966 CEST	443	49721	23.36.68.63	192.168.2.6
Apr 16, 2024 15:32:53.377937078 CEST	443	49721	23.36.68.63	192.168.2.6
Apr 16, 2024 15:32:53.379730940 CEST	49721	443	192.168.2.6	23.36.68.63
Apr 16, 2024 15:32:53.420119047 CEST	443	49721	23.36.68.63	192.168.2.6
Apr 16, 2024 15:32:53.587662935 CEST	443	49721	23.36.68.63	192.168.2.6
Apr 16, 2024 15:32:53.587801933 CEST	443	49721	23.36.68.63	192.168.2.6
Apr 16, 2024 15:32:53.587877989 CEST	49721	443	192.168.2.6	23.36.68.63
Apr 16, 2024 15:32:53.588618040 CEST	49721	443	192.168.2.6	23.36.68.63
Apr 16, 2024 15:32:53.588644981 CEST	443	49721	23.36.68.63	192.168.2.6
Apr 16, 2024 15:32:53.588671923 CEST	49721	443	192.168.2.6	23.36.68.63
Apr 16, 2024 15:32:53.588685989 CEST	443	49721	23.36.68.63	192.168.2.6
Apr 16, 2024 15:32:53.901824951 CEST	443	49707	173.222.162.64	192.168.2.6
Apr 16, 2024 15:32:53.901909113 CEST	49707	443	192.168.2.6	173.222.162.64
Apr 16, 2024 15:32:58.259123087 CEST	49722	443	192.168.2.6	52.159.127.243
Apr 16, 2024 15:32:58.259180069 CEST	443	49722	52.159.127.243	192.168.2.6
Apr 16, 2024 15:32:58.259242058 CEST	49722	443	192.168.2.6	52.159.127.243
Apr 16, 2024 15:32:58.260267973 CEST	49722	443	192.168.2.6	52.159.127.243
Apr 16, 2024 15:32:58.260305882 CEST	443	49722	52.159.127.243	192.168.2.6
Apr 16, 2024 15:32:58.636605978 CEST	443	49722	52.159.127.243	192.168.2.6
Apr 16, 2024 15:32:58.636753082 CEST	49722	443	192.168.2.6	52.159.127.243
Apr 16, 2024 15:32:59.043509960 CEST	49722	443	192.168.2.6	52.159.127.243
Apr 16, 2024 15:32:59.043543100 CEST	443	49722	52.159.127.243	192.168.2.6
Apr 16, 2024 15:32:59.043899059 CEST	443	49722	52.159.127.243	192.168.2.6
Apr 16, 2024 15:32:59.080957890 CEST	49722	443	192.168.2.6	52.159.127.243
Apr 16, 2024 15:32:59.081150055 CEST	49722	443	192.168.2.6	52.159.127.243
Apr 16, 2024 15:32:59.081156969 CEST	443	49722	52.159.127.243	192.168.2.6
Apr 16, 2024 15:32:59.081362963 CEST	49722	443	192.168.2.6	52.159.127.243
Apr 16, 2024 15:32:59.124131918 CEST	443	49722	52.159.127.243	192.168.2.6
Apr 16, 2024 15:32:59.204180956 CEST	443	49722	52.159.127.243	192.168.2.6
Apr 16, 2024 15:32:59.204283953 CEST	443	49722	52.159.127.243	192.168.2.6
Apr 16, 2024 15:32:59.204348087 CEST	49722	443	192.168.2.6	52.159.127.243
Apr 16, 2024 15:32:59.474241972 CEST	49722	443	192.168.2.6	52.159.127.243
Apr 16, 2024 15:32:59.474289894 CEST	443	49722	52.159.127.243	192.168.2.6
Apr 16, 2024 15:33:00.797748089 CEST	443	49718	142.250.105.99	192.168.2.6
Apr 16, 2024 15:33:00.797820091 CEST	443	49718	142.250.105.99	192.168.2.6
Apr 16, 2024 15:33:00.797903061 CEST	49718	443	192.168.2.6	142.250.105.99
Apr 16, 2024 15:33:01.901599884 CEST	49718	443	192.168.2.6	142.250.105.99
Apr 16, 2024 15:33:01.901638031 CEST	443	49718	142.250.105.99	192.168.2.6
Apr 16, 2024 15:33:05.489048004 CEST	49707	443	192.168.2.6	173.222.162.64
Apr 16, 2024 15:33:05.489146948 CEST	49707	443	192.168.2.6	173.222.162.64
Apr 16, 2024 15:33:05.489542007 CEST	49727	443	192.168.2.6	173.222.162.64
Apr 16, 2024 15:33:05.489594936 CEST	443	49727	173.222.162.64	192.168.2.6
Apr 16, 2024 15:33:05.489666939 CEST	49727	443	192.168.2.6	173.222.162.64
Apr 16, 2024 15:33:05.489950895 CEST	49727	443	192.168.2.6	173.222.162.64
Apr 16, 2024 15:33:05.489970922 CEST	443	49727	173.222.162.64	192.168.2.6
Apr 16, 2024 15:33:05.641035080 CEST	443	49707	173.222.162.64	192.168.2.6
Apr 16, 2024 15:33:05.641047955 CEST	443	49707	173.222.162.64	192.168.2.6
Apr 16, 2024 15:33:05.804349899 CEST	443	49727	173.222.162.64	192.168.2.6
Apr 16, 2024 15:33:05.804501057 CEST	49727	443	192.168.2.6	173.222.162.64
Apr 16, 2024 15:33:11.104720116 CEST	49728	443	192.168.2.6	52.159.127.243
Apr 16, 2024 15:33:11.104760885 CEST	443	49728	52.159.127.243	192.168.2.6
Apr 16, 2024 15:33:11.104937077 CEST	49728	443	192.168.2.6	52.159.127.243
Apr 16, 2024 15:33:11.106311083 CEST	49728	443	192.168.2.6	52.159.127.243
Apr 16, 2024 15:33:11.106343031 CEST	443	49728	52.159.127.243	192.168.2.6
Apr 16, 2024 15:33:11.480025053 CEST	443	49728	52.159.127.243	192.168.2.6
Apr 16, 2024 15:33:11.480096102 CEST	49728	443	192.168.2.6	52.159.127.243
Apr 16, 2024 15:33:11.491877079 CEST	49728	443	192.168.2.6	52.159.127.243
Apr 16, 2024 15:33:11.491894960 CEST	443	49728	52.159.127.243	192.168.2.6
Apr 16, 2024 15:33:11.492150068 CEST	443	49728	52.159.127.243	192.168.2.6
Apr 16, 2024 15:33:11.506519079 CEST	49728	443	192.168.2.6	52.159.127.243
Apr 16, 2024 15:33:11.506742001 CEST	49728	443	192.168.2.6	52.159.127.243
Apr 16, 2024 15:33:11.506747007 CEST	443	49728	52.159.127.243	192.168.2.6
Apr 16, 2024 15:33:11.507040024 CEST	49728	443	192.168.2.6	52.159.127.243
Apr 16, 2024 15:33:11.552108049 CEST	443	49728	52.159.127.243	192.168.2.6
Apr 16, 2024 15:33:11.629043102 CEST	443	49728	52.159.127.243	192.168.2.6
Apr 16, 2024 15:33:11.629264116 CEST	443	49728	52.159.127.243	192.168.2.6
Apr 16, 2024 15:33:11.629328012 CEST	49728	443	192.168.2.6	52.159.127.243
Apr 16, 2024 15:33:11.629565001 CEST	49728	443	192.168.2.6	52.159.127.243
Apr 16, 2024 15:33:11.629587889 CEST	443	49728	52.159.127.243	192.168.2.6
Apr 16, 2024 15:33:24.950647116 CEST	443	49727	173.222.162.64	192.168.2.6
Apr 16, 2024 15:33:24.950711966 CEST	49727	443	192.168.2.6	173.222.162.64
Apr 16, 2024 15:33:28.999030113 CEST	49730	443	192.168.2.6	52.159.127.243
Apr 16, 2024 15:33:28.999088049 CEST	443	49730	52.159.127.243	192.168.2.6
Apr 16, 2024 15:33:28.999154091 CEST	49730	443	192.168.2.6	52.159.127.243
Apr 16, 2024 15:33:29.000646114 CEST	49730	443	192.168.2.6	52.159.127.243
Apr 16, 2024 15:33:29.000660896 CEST	443	49730	52.159.127.243	192.168.2.6
Apr 16, 2024 15:33:29.385711908 CEST	443	49730	52.159.127.243	192.168.2.6
Apr 16, 2024 15:33:29.385802031 CEST	49730	443	192.168.2.6	52.159.127.243
Apr 16, 2024 15:33:29.388191938 CEST	49730	443	192.168.2.6	52.159.127.243
Apr 16, 2024 15:33:29.388205051 CEST	443	49730	52.159.127.243	192.168.2.6
Apr 16, 2024 15:33:29.388987064 CEST	443	49730	52.159.127.243	192.168.2.6
Apr 16, 2024 15:33:29.391242027 CEST	49730	443	192.168.2.6	52.159.127.243
Apr 16, 2024 15:33:29.391324043 CEST	49730	443	192.168.2.6	52.159.127.243
Apr 16, 2024 15:33:29.391330957 CEST	443	49730	52.159.127.243	192.168.2.6
Apr 16, 2024 15:33:29.391613007 CEST	49730	443	192.168.2.6	52.159.127.243
Apr 16, 2024 15:33:29.432126999 CEST	443	49730	52.159.127.243	192.168.2.6
Apr 16, 2024 15:33:29.530603886 CEST	443	49730	52.159.127.243	192.168.2.6
Apr 16, 2024 15:33:29.530822992 CEST	443	49730	52.159.127.243	192.168.2.6
Apr 16, 2024 15:33:29.530989885 CEST	49730	443	192.168.2.6	52.159.127.243
Apr 16, 2024 15:33:29.531110048 CEST	49730	443	192.168.2.6	52.159.127.243
Apr 16, 2024 15:33:29.531131029 CEST	443	49730	52.159.127.243	192.168.2.6
Apr 16, 2024 15:33:50.506439924 CEST	49733	443	192.168.2.6	142.250.105.99
Apr 16, 2024 15:33:50.506498098 CEST	443	49733	142.250.105.99	192.168.2.6
Apr 16, 2024 15:33:50.506580114 CEST	49733	443	192.168.2.6	142.250.105.99
Apr 16, 2024 15:33:50.507311106 CEST	49733	443	192.168.2.6	142.250.105.99
Apr 16, 2024 15:33:50.507333040 CEST	443	49733	142.250.105.99	192.168.2.6
Apr 16, 2024 15:33:50.721019030 CEST	443	49733	142.250.105.99	192.168.2.6
Apr 16, 2024 15:33:50.721337080 CEST	49733	443	192.168.2.6	142.250.105.99
Apr 16, 2024 15:33:50.721379042 CEST	443	49733	142.250.105.99	192.168.2.6
Apr 16, 2024 15:33:50.721721888 CEST	443	49733	142.250.105.99	192.168.2.6
Apr 16, 2024 15:33:50.722064972 CEST	49733	443	192.168.2.6	142.250.105.99
Apr 16, 2024 15:33:50.722131968 CEST	443	49733	142.250.105.99	192.168.2.6
Apr 16, 2024 15:33:50.764767885 CEST	49733	443	192.168.2.6	142.250.105.99
Apr 16, 2024 15:33:50.982038021 CEST	49734	443	192.168.2.6	52.159.127.243
Apr 16, 2024 15:33:50.982100010 CEST	443	49734	52.159.127.243	192.168.2.6
Apr 16, 2024 15:33:50.982198000 CEST	49734	443	192.168.2.6	52.159.127.243
Apr 16, 2024 15:33:50.982907057 CEST	49734	443	192.168.2.6	52.159.127.243
Apr 16, 2024 15:33:50.982953072 CEST	443	49734	52.159.127.243	192.168.2.6
Apr 16, 2024 15:33:51.354837894 CEST	443	49734	52.159.127.243	192.168.2.6
Apr 16, 2024 15:33:51.354962111 CEST	49734	443	192.168.2.6	52.159.127.243
Apr 16, 2024 15:33:51.356751919 CEST	49734	443	192.168.2.6	52.159.127.243
Apr 16, 2024 15:33:51.356774092 CEST	443	49734	52.159.127.243	192.168.2.6
Apr 16, 2024 15:33:51.357016087 CEST	443	49734	52.159.127.243	192.168.2.6
Apr 16, 2024 15:33:51.359141111 CEST	49734	443	192.168.2.6	52.159.127.243
Apr 16, 2024 15:33:51.359426022 CEST	49734	443	192.168.2.6	52.159.127.243
Apr 16, 2024 15:33:51.359426022 CEST	49734	443	192.168.2.6	52.159.127.243
Apr 16, 2024 15:33:51.359437943 CEST	443	49734	52.159.127.243	192.168.2.6
Apr 16, 2024 15:33:51.404124975 CEST	443	49734	52.159.127.243	192.168.2.6
Apr 16, 2024 15:33:51.482546091 CEST	443	49734	52.159.127.243	192.168.2.6
Apr 16, 2024 15:33:51.482628107 CEST	443	49734	52.159.127.243	192.168.2.6
Apr 16, 2024 15:33:51.483159065 CEST	49734	443	192.168.2.6	52.159.127.243
Apr 16, 2024 15:33:51.483649969 CEST	49734	443	192.168.2.6	52.159.127.243
Apr 16, 2024 15:33:51.483679056 CEST	443	49734	52.159.127.243	192.168.2.6
Apr 16, 2024 15:33:51.483691931 CEST	49734	443	192.168.2.6	52.159.127.243
Apr 16, 2024 15:34:00.722716093 CEST	443	49733	142.250.105.99	192.168.2.6
Apr 16, 2024 15:34:00.722791910 CEST	443	49733	142.250.105.99	192.168.2.6
Apr 16, 2024 15:34:00.722954988 CEST	49733	443	192.168.2.6	142.250.105.99
Apr 16, 2024 15:34:01.902026892 CEST	49733	443	192.168.2.6	142.250.105.99
Apr 16, 2024 15:34:01.902076006 CEST	443	49733	142.250.105.99	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 16, 2024 15:32:47.834343910 CEST	53	61163	1.1.1.1	192.168.2.6
Apr 16, 2024 15:32:47.841298103 CEST	53	54861	1.1.1.1	192.168.2.6
Apr 16, 2024 15:32:48.441298962 CEST	53	55934	1.1.1.1	192.168.2.6
Apr 16, 2024 15:32:48.816349030 CEST	62392	53	192.168.2.6	8.8.8.8
Apr 16, 2024 15:32:48.816608906 CEST	54424	53	192.168.2.6	1.1.1.1
Apr 16, 2024 15:32:48.921263933 CEST	53	62392	8.8.8.8	192.168.2.6
Apr 16, 2024 15:32:48.921293020 CEST	53	54424	1.1.1.1	192.168.2.6
Apr 16, 2024 15:32:50.443941116 CEST	63588	53	192.168.2.6	1.1.1.1
Apr 16, 2024 15:32:50.444022894 CEST	57665	53	192.168.2.6	1.1.1.1
Apr 16, 2024 15:32:50.554081917 CEST	53	63588	1.1.1.1	192.168.2.6
Apr 16, 2024 15:32:50.554552078 CEST	53	57665	1.1.1.1	192.168.2.6
Apr 16, 2024 15:33:06.033849955 CEST	53	53443	1.1.1.1	192.168.2.6
Apr 16, 2024 15:33:24.877171993 CEST	53	58832	1.1.1.1	192.168.2.6
Apr 16, 2024 15:33:46.879272938 CEST	53	55148	1.1.1.1	192.168.2.6
Apr 16, 2024 15:33:47.480848074 CEST	53	54089	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 16, 2024 15:32:48.816349030 CEST	192.168.2.6	8.8.8.8	0x2344	Standard query (0)	google.com	A (IP address)	IN (0x0001)	false
Apr 16, 2024 15:32:48.816608906 CEST	192.168.2.6	1.1.1.1	0xa7b6	Standard query (0)	google.com	A (IP address)	IN (0x0001)	false
Apr 16, 2024 15:32:50.443941116 CEST	192.168.2.6	1.1.1.1	0xad27	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Apr 16, 2024 15:32:50.444022894 CEST	192.168.2.6	1.1.1.1	0xad36	Standard query (0)	www.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 16, 2024 15:32:48.921263933 CEST	8.8.8.8	192.168.2.6	0x2344	No error (0)	google.com		142.250.217.174	A (IP address)	IN (0x0001)	false
Apr 16, 2024 15:32:48.921293020 CEST	1.1.1.1	192.168.2.6	0xa7b6	No error (0)	google.com		74.125.136.113	A (IP address)	IN (0x0001)	false
Apr 16, 2024 15:32:48.921293020 CEST	1.1.1.1	192.168.2.6	0xa7b6	No error (0)	google.com		74.125.136.101	A (IP address)	IN (0x0001)	false
Apr 16, 2024 15:32:48.921293020 CEST	1.1.1.1	192.168.2.6	0xa7b6	No error (0)	google.com		74.125.136.102	A (IP address)	IN (0x0001)	false
Apr 16, 2024 15:32:48.921293020 CEST	1.1.1.1	192.168.2.6	0xa7b6	No error (0)	google.com		74.125.136.139	A (IP address)	IN (0x0001)	false
Apr 16, 2024 15:32:48.921293020 CEST	1.1.1.1	192.168.2.6	0xa7b6	No error (0)	google.com		74.125.136.138	A (IP address)	IN (0x0001)	false
Apr 16, 2024 15:32:48.921293020 CEST	1.1.1.1	192.168.2.6	0xa7b6	No error (0)	google.com		74.125.136.100	A (IP address)	IN (0x0001)	false
Apr 16, 2024 15:32:50.554081917 CEST	1.1.1.1	192.168.2.6	0xad27	No error (0)	www.google.com		142.250.105.99	A (IP address)	IN (0x0001)	false
Apr 16, 2024 15:32:50.554081917 CEST	1.1.1.1	192.168.2.6	0xad27	No error (0)	www.google.com		142.250.105.106	A (IP address)	IN (0x0001)	false
Apr 16, 2024 15:32:50.554081917 CEST	1.1.1.1	192.168.2.6	0xad27	No error (0)	www.google.com		142.250.105.104	A (IP address)	IN (0x0001)	false
Apr 16, 2024 15:32:50.554081917 CEST	1.1.1.1	192.168.2.6	0xad27	No error (0)	www.google.com		142.250.105.147	A (IP address)	IN (0x0001)	false
Apr 16, 2024 15:32:50.554081917 CEST	1.1.1.1	192.168.2.6	0xad27	No error (0)	www.google.com		142.250.105.103	A (IP address)	IN (0x0001)	false
Apr 16, 2024 15:32:50.554081917 CEST	1.1.1.1	192.168.2.6	0xad27	No error (0)	www.google.com		142.250.105.105	A (IP address)	IN (0x0001)	false
Apr 16, 2024 15:32:50.554552078 CEST	1.1.1.1	192.168.2.6	0xad36	No error (0)	www.google.com			65	IN (0x0001)	false
Apr 16, 2024 15:33:03.598305941 CEST	1.1.1.1	192.168.2.6	0xacaa	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 16, 2024 15:33:03.598305941 CEST	1.1.1.1	192.168.2.6	0xacaa	No error (0)	fp2e7a.wpc.phicdn.net		192.229.211.108	A (IP address)	IN (0x0001)	false
Apr 16, 2024 15:34:04.715873003 CEST	1.1.1.1	192.168.2.6	0x52ec	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Apr 16, 2024 15:34:04.715873003 CEST	1.1.1.1	192.168.2.6	0x52ec	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

fs.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.2.6	49719	52.159.127.243	443

Timestamp	Bytes transferred	Direction	Data
2024-04-16 13:32:51 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 62 69 4f 41 6d 73 52 70 6a 45 69 51 39 61 47 77 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 33 31 36 38 39 38 38 31 38 37 35 62 61 61 31 62 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: biOAmsRpjEiQ9aGw.1Context: 31689881875baa1b
2024-04-16 13:32:51 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-04-16 13:32:51 UTC	1064	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 34 31 0d 0a 4d 53 2d 43 56 3a 20 62 69 4f 41 6d 73 52 70 6a 45 69 51 39 61 47 77 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 33 31 36 38 39 38 38 31 38 37 35 62 61 61 31 62 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 6f 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 61 56 53 73 34 57 76 44 52 30 44 73 41 42 5a 41 53 4f 7a 4b 32 2b 4e 55 6e 68 6c 73 54 61 31 47 76 71 4a 61 46 47 31 50 54 34 72 2b 59 39 6e 45 53 77 32 6d 4d 78 7a 4f 4c 45 32 6d 32 57 2f 57 76 70 52 32 61 46 32 4c 61 47 47 6d 34 63 46 7a 54 78 6a 2b 46 75 63 73 76 32 5a 71 51 2f 4c 69 52 70 6f 69 52 37 71 50 67 74 44 42 54 Data Ascii: ATH 2 CON\DEVICE 1041MS-CV: biOAmsRpjEiQ9aGw.2Context: 31689881875baa1b<device><compact-ticket>t=EwCoAupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAaVSs4WvDR0DsABZASOzK2+NUnhlsTa1GvqJaFG1PT4r+Y9nESw2mMxzOLE2m2W/WvpR2aF2LaGGm4cFzTxj+Fucsv2ZqQ/LiRpoiR7qPgtDBT
2024-04-16 13:32:51 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 62 69 4f 41 6d 73 52 70 6a 45 69 51 39 61 47 77 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 33 31 36 38 39 38 38 31 38 37 35 62 61 61 31 62 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: biOAmsRpjEiQ9aGw.3Context: 31689881875baa1b<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2024-04-16 13:32:51 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-04-16 13:32:51 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 66 44 34 38 71 71 6c 71 53 6b 36 65 72 35 31 38 52 6e 2b 64 42 77 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: fD48qqlqSk6er518Rn+dBw.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49720	23.36.68.63	443

Timestamp	Bytes transferred	Direction	Data
2024-04-16 13:32:52 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-04-16 13:32:53 UTC	436	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (dcd/7D15) X-CID: 11 Cache-Control: public, max-age=149374 Date: Tue, 16 Apr 2024 13:32:53 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49721	23.36.68.63	443

Timestamp	Bytes transferred	Direction	Data
2024-04-16 13:32:53 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-04-16 13:32:53 UTC	456	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (dcd/7D15) X-CID: 11 Cache-Control: public, max-age=149374 Date: Tue, 16 Apr 2024 13:32:53 GMT Content-Length: 55 Connection: close X-CID: 2
2024-04-16 13:32:53 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port
3	192.168.2.6	49722	52.159.127.243	443

Timestamp	Bytes transferred	Direction	Data
2024-04-16 13:32:59 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 69 6e 52 32 47 32 47 34 57 45 36 58 4e 62 44 79 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 35 33 63 30 37 64 36 35 35 65 62 36 32 32 30 38 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: inR2G2G4WE6XNbDy.1Context: 53c07d655eb62208
2024-04-16 13:32:59 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-04-16 13:32:59 UTC	1064	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 34 31 0d 0a 4d 53 2d 43 56 3a 20 69 6e 52 32 47 32 47 34 57 45 36 58 4e 62 44 79 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 35 33 63 30 37 64 36 35 35 65 62 36 32 32 30 38 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 6f 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 61 56 53 73 34 57 76 44 52 30 44 73 41 42 5a 41 53 4f 7a 4b 32 2b 4e 55 6e 68 6c 73 54 61 31 47 76 71 4a 61 46 47 31 50 54 34 72 2b 59 39 6e 45 53 77 32 6d 4d 78 7a 4f 4c 45 32 6d 32 57 2f 57 76 70 52 32 61 46 32 4c 61 47 47 6d 34 63 46 7a 54 78 6a 2b 46 75 63 73 76 32 5a 71 51 2f 4c 69 52 70 6f 69 52 37 71 50 67 74 44 42 54 Data Ascii: ATH 2 CON\DEVICE 1041MS-CV: inR2G2G4WE6XNbDy.2Context: 53c07d655eb62208<device><compact-ticket>t=EwCoAupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAaVSs4WvDR0DsABZASOzK2+NUnhlsTa1GvqJaFG1PT4r+Y9nESw2mMxzOLE2m2W/WvpR2aF2LaGGm4cFzTxj+Fucsv2ZqQ/LiRpoiR7qPgtDBT
2024-04-16 13:32:59 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 69 6e 52 32 47 32 47 34 57 45 36 58 4e 62 44 79 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 35 33 63 30 37 64 36 35 35 65 62 36 32 32 30 38 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: inR2G2G4WE6XNbDy.3Context: 53c07d655eb62208<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2024-04-16 13:32:59 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-04-16 13:32:59 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 52 6d 35 69 4e 6f 50 46 2b 45 61 38 6b 4c 63 30 7a 50 65 69 46 77 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: Rm5iNoPF+Ea8kLc0zPeiFw.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
4	192.168.2.6	49728	52.159.127.243	443

Timestamp	Bytes transferred	Direction	Data
2024-04-16 13:33:11 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 36 41 37 6d 35 2b 62 6d 6a 30 36 54 52 4e 62 45 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 33 36 34 64 39 32 62 35 62 33 34 36 35 34 36 65 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: 6A7m5+bmj06TRNbE.1Context: 364d92b5b346546e
2024-04-16 13:33:11 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-04-16 13:33:11 UTC	1064	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 34 31 0d 0a 4d 53 2d 43 56 3a 20 36 41 37 6d 35 2b 62 6d 6a 30 36 54 52 4e 62 45 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 33 36 34 64 39 32 62 35 62 33 34 36 35 34 36 65 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 6f 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 61 56 53 73 34 57 76 44 52 30 44 73 41 42 5a 41 53 4f 7a 4b 32 2b 4e 55 6e 68 6c 73 54 61 31 47 76 71 4a 61 46 47 31 50 54 34 72 2b 59 39 6e 45 53 77 32 6d 4d 78 7a 4f 4c 45 32 6d 32 57 2f 57 76 70 52 32 61 46 32 4c 61 47 47 6d 34 63 46 7a 54 78 6a 2b 46 75 63 73 76 32 5a 71 51 2f 4c 69 52 70 6f 69 52 37 71 50 67 74 44 42 54 Data Ascii: ATH 2 CON\DEVICE 1041MS-CV: 6A7m5+bmj06TRNbE.2Context: 364d92b5b346546e<device><compact-ticket>t=EwCoAupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAaVSs4WvDR0DsABZASOzK2+NUnhlsTa1GvqJaFG1PT4r+Y9nESw2mMxzOLE2m2W/WvpR2aF2LaGGm4cFzTxj+Fucsv2ZqQ/LiRpoiR7qPgtDBT
2024-04-16 13:33:11 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 36 41 37 6d 35 2b 62 6d 6a 30 36 54 52 4e 62 45 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 33 36 34 64 39 32 62 35 62 33 34 36 35 34 36 65 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: 6A7m5+bmj06TRNbE.3Context: 364d92b5b346546e<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2024-04-16 13:33:11 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-04-16 13:33:11 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 39 6a 75 56 5a 52 4c 6c 72 45 4f 2f 46 43 6d 6a 4f 33 31 70 69 41 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: 9juVZRLlrEO/FCmjO31piA.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
5	192.168.2.6	49730	52.159.127.243	443

Timestamp	Bytes transferred	Direction	Data
2024-04-16 13:33:29 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 57 58 68 41 6c 63 58 66 46 45 43 51 47 53 45 48 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 31 37 31 31 64 38 32 62 33 65 30 33 62 32 36 64 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: WXhAlcXfFECQGSEH.1Context: 1711d82b3e03b26d
2024-04-16 13:33:29 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-04-16 13:33:29 UTC	1064	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 34 31 0d 0a 4d 53 2d 43 56 3a 20 57 58 68 41 6c 63 58 66 46 45 43 51 47 53 45 48 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 31 37 31 31 64 38 32 62 33 65 30 33 62 32 36 64 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 6f 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 61 56 53 73 34 57 76 44 52 30 44 73 41 42 5a 41 53 4f 7a 4b 32 2b 4e 55 6e 68 6c 73 54 61 31 47 76 71 4a 61 46 47 31 50 54 34 72 2b 59 39 6e 45 53 77 32 6d 4d 78 7a 4f 4c 45 32 6d 32 57 2f 57 76 70 52 32 61 46 32 4c 61 47 47 6d 34 63 46 7a 54 78 6a 2b 46 75 63 73 76 32 5a 71 51 2f 4c 69 52 70 6f 69 52 37 71 50 67 74 44 42 54 Data Ascii: ATH 2 CON\DEVICE 1041MS-CV: WXhAlcXfFECQGSEH.2Context: 1711d82b3e03b26d<device><compact-ticket>t=EwCoAupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAaVSs4WvDR0DsABZASOzK2+NUnhlsTa1GvqJaFG1PT4r+Y9nESw2mMxzOLE2m2W/WvpR2aF2LaGGm4cFzTxj+Fucsv2ZqQ/LiRpoiR7qPgtDBT
2024-04-16 13:33:29 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 57 58 68 41 6c 63 58 66 46 45 43 51 47 53 45 48 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 31 37 31 31 64 38 32 62 33 65 30 33 62 32 36 64 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: WXhAlcXfFECQGSEH.3Context: 1711d82b3e03b26d<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2024-04-16 13:33:29 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-04-16 13:33:29 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 70 4c 63 65 79 48 52 52 4a 45 53 52 75 6f 6b 59 57 32 64 71 7a 67 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: pLceyHRRJESRuokYW2dqzg.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
6	192.168.2.6	49734	52.159.127.243	443

Timestamp	Bytes transferred	Direction	Data
2024-04-16 13:33:51 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 4b 72 34 6a 2b 6f 6b 78 59 6b 57 34 31 4f 49 6a 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 63 61 32 32 30 33 39 35 65 32 63 39 65 65 39 35 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: Kr4j+okxYkW41OIj.1Context: ca220395e2c9ee95
2024-04-16 13:33:51 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-04-16 13:33:51 UTC	1064	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 34 31 0d 0a 4d 53 2d 43 56 3a 20 4b 72 34 6a 2b 6f 6b 78 59 6b 57 34 31 4f 49 6a 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 63 61 32 32 30 33 39 35 65 32 63 39 65 65 39 35 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 6f 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 61 56 53 73 34 57 76 44 52 30 44 73 41 42 5a 41 53 4f 7a 4b 32 2b 4e 55 6e 68 6c 73 54 61 31 47 76 71 4a 61 46 47 31 50 54 34 72 2b 59 39 6e 45 53 77 32 6d 4d 78 7a 4f 4c 45 32 6d 32 57 2f 57 76 70 52 32 61 46 32 4c 61 47 47 6d 34 63 46 7a 54 78 6a 2b 46 75 63 73 76 32 5a 71 51 2f 4c 69 52 70 6f 69 52 37 71 50 67 74 44 42 54 Data Ascii: ATH 2 CON\DEVICE 1041MS-CV: Kr4j+okxYkW41OIj.2Context: ca220395e2c9ee95<device><compact-ticket>t=EwCoAupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAaVSs4WvDR0DsABZASOzK2+NUnhlsTa1GvqJaFG1PT4r+Y9nESw2mMxzOLE2m2W/WvpR2aF2LaGGm4cFzTxj+Fucsv2ZqQ/LiRpoiR7qPgtDBT
2024-04-16 13:33:51 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 4b 72 34 6a 2b 6f 6b 78 59 6b 57 34 31 4f 49 6a 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 63 61 32 32 30 33 39 35 65 32 63 39 65 65 39 35 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: Kr4j+okxYkW41OIj.3Context: ca220395e2c9ee95<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2024-04-16 13:33:51 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-04-16 13:33:51 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 36 52 46 43 7a 55 62 36 45 6b 53 6b 58 45 57 44 73 68 6c 34 41 51 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: 6RFCzUb6EkSkXEWDshl4AQ.0Payload parsing failed.

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: chrome.exePID: 6944, Parent PID: 1012

General

Target ID:	0
Start time:	15:32:42
Start date:	16/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Imagebase:	0x7ff684c40000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 4160, Parent PID: 6944

General

Target ID:	2
Start time:	15:32:45
Start date:	16/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 --field-trial-handle=2208,i,7639646435292787510,15926903096463883303,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff684c40000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 6688, Parent PID: 1012

General

Target ID:	3
Start time:	15:32:48
Start date:	16/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "http://10.00.56.00&d=DwQFaQ"
Imagebase:	0x7ff684c40000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 52.159.127.243
Source: unknown	TCP traffic detected without corresponding DNS query: 52.159.127.243
Source: unknown	TCP traffic detected without corresponding DNS query: 52.159.127.243
Source: unknown	TCP traffic detected without corresponding DNS query: 52.159.127.243
Source: unknown	TCP traffic detected without corresponding DNS query: 52.159.127.243
Source: unknown	TCP traffic detected without corresponding DNS query: 52.159.127.243
Source: unknown	TCP traffic detected without corresponding DNS query: 52.159.127.243
Source: unknown	TCP traffic detected without corresponding DNS query: 52.159.127.243
Source: unknown	TCP traffic detected without corresponding DNS query: 52.159.127.243
Source: unknown	TCP traffic detected without corresponding DNS query: 52.159.127.243
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 23.36.68.63
Source: unknown	TCP traffic detected without corresponding DNS query: 23.36.68.63
Source: unknown	TCP traffic detected without corresponding DNS query: 23.36.68.63
Source: unknown	TCP traffic detected without corresponding DNS query: 23.36.68.63
Source: unknown	TCP traffic detected without corresponding DNS query: 23.36.68.63
Source: unknown	TCP traffic detected without corresponding DNS query: 23.36.68.63
Source: unknown	TCP traffic detected without corresponding DNS query: 23.36.68.63
Source: unknown	TCP traffic detected without corresponding DNS query: 23.36.68.63
Source: unknown	TCP traffic detected without corresponding DNS query: 23.36.68.63
Source: unknown	TCP traffic detected without corresponding DNS query: 23.36.68.63
Source: unknown	TCP traffic detected without corresponding DNS query: 23.36.68.63
Source: unknown	TCP traffic detected without corresponding DNS query: 23.36.68.63
Source: unknown	TCP traffic detected without corresponding DNS query: 23.36.68.63
Source: unknown	TCP traffic detected without corresponding DNS query: 23.36.68.63
Source: unknown	TCP traffic detected without corresponding DNS query: 23.36.68.63
Source: unknown	TCP traffic detected without corresponding DNS query: 23.36.68.63
Source: unknown	TCP traffic detected without corresponding DNS query: 23.36.68.63
Source: unknown	TCP traffic detected without corresponding DNS query: 23.36.68.63
Source: unknown	TCP traffic detected without corresponding DNS query: 23.36.68.63
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 52.159.127.243
Source: unknown	TCP traffic detected without corresponding DNS query: 52.159.127.243
Source: unknown	TCP traffic detected without corresponding DNS query: 52.159.127.243
Source: unknown	TCP traffic detected without corresponding DNS query: 52.159.127.243
Source: unknown	TCP traffic detected without corresponding DNS query: 52.159.127.243
Source: unknown	TCP traffic detected without corresponding DNS query: 52.159.127.243
Source: unknown	TCP traffic detected without corresponding DNS query: 52.159.127.243
Source: unknown	TCP traffic detected without corresponding DNS query: 52.159.127.243
Source: unknown	TCP traffic detected without corresponding DNS query: 52.159.127.243
Source: unknown	TCP traffic detected without corresponding DNS query: 52.159.127.243
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report http://10.00.56.00&d=DwQFaQ

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: chrome.exePID: 6944, Parent PID: 1012

General

Chronological Activities

Analysis Process: chrome.exePID: 4160, Parent PID: 6944

General

Chronological Activities

Analysis Process: chrome.exePID: 6688, Parent PID: 1012

General

Chronological Activities

Disassembly

Windows Analysis Report
http://10.00.56.00&d=DwQFaQ