Edit tour

Windows Analysis Report
https://email.notifications.joinhandshake.com

Overview

General Information

Sample URL:	https://email.notifications.joinhandshake.com
Analysis ID:	1427116
Infos:

Detection

Score:	1
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Stores files to the Windows start menu directory

Uses insecure TLS / SSL version for HTTPS connection

Classification

Process Tree

System is w10x64

chrome.exe (PID: 3876 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 5592 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 --field-trial-handle=2208,i,12677839712697542642,1752873811518202268,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 2972 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://email.notifications.joinhandshake.com" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: https://email.notifications.joinhandshake.com/

HTTP Parser: No favicon

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49721 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 23.63.206.91:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.63.206.91:443 -> 192.168.2.5:49716 version: TLS 1.2

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49721 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: email.notifications.joinhandshake.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: email.notifications.joinhandshake.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://email.notifications.joinhandshake.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com

Source: unknown

DNS traffic detected: queries for: email.notifications.joinhandshake.com

Source: unknown

HTTP traffic detected: POST /threshold/xls.aspx HTTP/1.1Origin: https://www.bing.comReferer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/InitAccept: */*Accept-Language: en-CHContent-type: text/xmlX-Agent-DeviceId: 01000A410900D492X-BM-CBT: 1696428841X-BM-DateFormat: dd/MM/yyyyX-BM-DeviceDimensions: 784x984X-BM-DeviceDimensionsLogical: 784x984X-BM-DeviceScale: 100X-BM-DTZ: 120X-BM-Market: CHX-BM-Theme: 000000;0078d7X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66EX-Device-ClientSession: DB0AFB19004F47BC80E5208C7478FF22X-Device-isOptin: falseX-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A}X-Device-OSSKU: 48X-Device-Touch: falseX-DeviceID: 01000A410900D492X-MSEdge-ExternalExp: d-thshld39,d-thshld42,d-thshld77,d-thshld78,staticshX-MSEdge-ExternalExpType: JointCoordX-PositionerType: DesktopX-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUIX-Search-CortanaAvailableCapabilities: NoneX-Search-SafeSearch: ModerateX-Search-TimeZone: Bias=-60; DaylightBias=-60; TimeZoneKeyName=W. Europe Standard TimeX-UserAgeClass: UnknownAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: www.bing.comContent-Length: 2484Connection: Keep-AliveCache-Control: no-cacheCookie: MUID=2F4E96DB8B7049E59AD4484C3C00F7CF; _SS=SID=1A6DEABB468B65843EB5F91B47916435&CPID=1713313415986&AC=1&CPH=d1a4eb75; _EDGE_S=SID=1A6DEABB468B65843EB5F91B47916435; SRCHUID=V=2&GUID=3D32B8AC657C4AD781A584E283227995&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20231004; SRCHHPGUSR=SRCHLANG=en&IPMH=986d886c&IPMID=1696428841029&HV=1696428756; CortanaAppUID=5A290E2CC4B523E2D8B5E2E3E4CB7CB7; MUIDB=2F4E96DB8B7049E59AD4484C3C00F7CF

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 19Content-Type: text/plain; charset=utf-8Date: Wed, 17 Apr 2024 00:23:52 GMTX-Content-Type-Options: nosniffConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 19Content-Type: text/plain; charset=utf-8Date: Wed, 17 Apr 2024 00:23:52 GMTX-Content-Type-Options: nosniffConnection: close

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703

Source: unknown	HTTPS traffic detected: 23.63.206.91:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.63.206.91:443 -> 192.168.2.5:49716 version: TLS 1.2

Source: classification engine

Classification label: clean1.win@16/10@4/4

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Jump to behavior

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 --field-trial-handle=2208,i,12677839712697542642,1752873811518202268,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://email.notifications.joinhandshake.com"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 --field-trial-handle=2208,i,12677839712697542642,1752873811518202268,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Google Drive.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	1 Process Injection	1 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	4 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	5 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	3 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
https://email.notifications.joinhandshake.com	0%	Virustotal		Browse

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false	unknown
www.google.com	64.233.177.147	true	false	high
mailgun.org	34.102.239.211	true	false	unknown
fp2e7a.wpc.phicdn.net	192.229.211.108	true	false	unknown
windowsupdatebg.s.llnwi.net	69.164.42.0	true	false	unknown
email.notifications.joinhandshake.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://email.notifications.joinhandshake.com/	false		high
https://email.notifications.joinhandshake.com/favicon.ico	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
239.255.255.250	unknown	Reserved	unknown	unknown	false
64.233.177.147	www.google.com	United States	15169	GOOGLEUS	false
34.102.239.211	mailgun.org	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.5

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1427116
Start date and time:	2024-04-17 02:23:03 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	https://email.notifications.joinhandshake.com
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean1.win@16/10@4/4
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 173.194.219.94, 64.233.176.139, 64.233.176.101, 64.233.176.102, 64.233.176.113, 64.233.176.100, 64.233.176.138, 173.194.219.84, 34.104.35.123, 40.68.123.157, 23.11.230.208, 192.229.211.108, 69.164.42.0, 20.166.126.56, 72.21.81.240, 52.165.164.15, 172.217.215.94, 104.104.244.41, 104.104.244.185
Excluded domains from analysis (whitelisted): fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, wu.ec.azureedge.net, clientservices.googleapis.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-bg-shim.trafficmanager.net, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net, fe3.delivery.mp.microsoft.com, clients2.google.com, edgedl.me.gvt1.com, ocsp.digicert.com, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, sls.update.microsoft.com, hlb.apr-52dd2-0.edgecastdns.net, update.googleapis.com, clients.l.google.com, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtSetInformationFile calls found.

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Apr 16 23:23:52 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.986631652228488
Encrypted:	false
SSDEEP:	48:8sdWTSiSHOidAKZdA19ehwiZUklqehN5y+3:85jf05y
MD5:	2D682805EF9329383291407CA44166D5
SHA1:	A7A70014188E2B80646BAFF835809CBE09706A37
SHA-256:	EE7640A75BBB8F3CBDAFC40D95DDC7BA4DF6C4D6547C516C05EEAAD94AF15566
SHA-512:	7B9132B1B27BB2501B61F82A2F40D94ECF6835BEF776F1D007DF5033D9658C6CD4A6127A312FB959303F4AC3A4325AC4D7CD563AB454D3F1C3F10ADB36E02BB0
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....zOI.]...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.X......B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............zv.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Apr 16 23:23:51 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	4.001438856454961
Encrypted:	false
SSDEEP:	48:8odWTSiSHOidAKZdA1weh/iZUkAQkqehk5y+2:8Fjl9Q35y
MD5:	F2ECF8F38BCA7079E91867973594FE99
SHA1:	118094ADCA67F050F1273DB7D9EC4375A29FB999
SHA-256:	E578D0402DBF3FB8421CAB2146AB46017EC5FBEFF456FF48129DFA5D11F78C5C
SHA-512:	6E3A99C3CFBB097135D21CE88CDE0D999E8D24FBF55755F1AB60588492820FAB7CDEE200894BCDDA36F37C47417B68778436524B81BAE49D877C1380080293D0
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.....H:.]...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.X......B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............zv.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 4 12:54:07 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2693
Entropy (8bit):	4.010540247061672
Encrypted:	false
SSDEEP:	48:8x7dWTSisHOidAKZdA14tseh7sFiZUkmgqeh7sW5y+BX:8xwj7n45y
MD5:	2BB565E0710B5A6165F30F3204643E68
SHA1:	CF929BB62B5B19CAE5F569763645BAD1265511A7
SHA-256:	853BB19336D2DEC691E9C59C4EE06BBF4EBC4B8574DD6520DDDC0B3F960BC35F
SHA-512:	4B3A344A93EC8C936D1EEE11459C9FD32400F3813DB9ACF4E3530BC6D125323844BEE4BEA277ACCC7248199EEDD5B4A12484DCF7FEA062EBF130757251A60D00
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......e>....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.X......B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VDW.n...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............zv.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Apr 16 23:23:51 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.999680959765229
Encrypted:	false
SSDEEP:	48:8GPdWTSiSHOidAKZdA1vehDiZUkwqehA5y+R:8GUjme5y
MD5:	332E4DF4CAAD4EDA236BF9C16BD7B10D
SHA1:	443019E20F4E8C7F6B231B2A518756EF590602CB
SHA-256:	65834D8E75CA9142FAC448B4F09B935C055A507BB07E4A1104C9BBAE804F9BF9
SHA-512:	1F6AEBF4FDBA74DD466F34CBDFB3C7C02B939364E5FD895304210BB900F31FAE126D2B76D87F441C737D70660A92756ECC4F98333BA91A2A9D88B3F0A924785F
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,..... 3.]...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.X......B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............zv.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Apr 16 23:23:51 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.9885377673571782
Encrypted:	false
SSDEEP:	48:8GdWTSiSHOidAKZdA1hehBiZUk1W1qeh65y+C:8Pjm9a5y
MD5:	E65E087229DCA5EF10714B6BB08B99C6
SHA1:	0965C12B08135179DDC741C8AE6D4C08280C840F
SHA-256:	9044A764B0687F3946BEA93522F9898EF10662437C559AB19D681B34F994061C
SHA-512:	10B1D0810E6B7CA2BE59658C83445BDC383E7A276D88F91E91034B40626DA7E79A49C703E1B36AD20B25F93AE2787B0C288547C07E1221176A26B00BC908A097
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.....nA.]...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.X......B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............zv.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Apr 16 23:23:51 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2683
Entropy (8bit):	4.00296019014355
Encrypted:	false
SSDEEP:	48:8+dWTSiSHOidAKZdA1duT+ehOuTbbiZUk5OjqehOuTb45y+yT+:83j4T/TbxWOvTb45y7T
MD5:	AFFFF85F9232679F93157AFF8D8C41D3
SHA1:	6FEDB45D3FB491D610CEB3570579D83E50591179
SHA-256:	D7B1B3511469B840038073EF064AD5ABCBEC2D57034E5644C4371C7B5D9EE164
SHA-512:	7BF6384EE8097438360B7306C8BE6750B2EEDE02BAE9B2D7C5FE0749BB7F5414F1EA6897B97C0CC7084CE065F72C497737B97F610CFDC185C67835838D9C463B
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......).]...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.X......B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............zv.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Chrome Cache Entry: 57

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	19
Entropy (8bit):	3.6818808028034042
Encrypted:	false
SSDEEP:	3:uZuUeZn:u5eZn
MD5:	595E88012A6521AAE3E12CBEBE76EB9E
SHA1:	DA3968197E7BF67AA45A77515B52BA2710C5FC34
SHA-256:	B16E15764B8BC06C5C3F9F19BC8B99FA48E7894AA5A6CCDAD65DA49BBF564793
SHA-512:	FD13C580D15CC5E8B87D97EAD633209930E00E85C113C776088E246B47F140EFE99BDF6AB02070677445DB65410F7E62EC23C71182F9F78E9D0E1B9F7FDA0DC3
Malicious:	false
Reputation:	low
URL:	https://email.notifications.joinhandshake.com/favicon.ico
Preview:	404 page not found.

Chrome Cache Entry: 58

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	19
Entropy (8bit):	3.6818808028034042
Encrypted:	false
SSDEEP:	3:uZuUeZn:u5eZn
MD5:	595E88012A6521AAE3E12CBEBE76EB9E
SHA1:	DA3968197E7BF67AA45A77515B52BA2710C5FC34
SHA-256:	B16E15764B8BC06C5C3F9F19BC8B99FA48E7894AA5A6CCDAD65DA49BBF564793
SHA-512:	FD13C580D15CC5E8B87D97EAD633209930E00E85C113C776088E246B47F140EFE99BDF6AB02070677445DB65410F7E62EC23C71182F9F78E9D0E1B9F7FDA0DC3
Malicious:	false
Reputation:	low
URL:	https://email.notifications.joinhandshake.com/
Preview:	404 page not found.

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 17, 2024 02:23:46.189404011 CEST	49675	443	192.168.2.5	23.1.237.91
Apr 17, 2024 02:23:46.189523935 CEST	49674	443	192.168.2.5	23.1.237.91
Apr 17, 2024 02:23:46.283160925 CEST	49673	443	192.168.2.5	23.1.237.91
Apr 17, 2024 02:23:51.759285927 CEST	49709	443	192.168.2.5	34.102.239.211
Apr 17, 2024 02:23:51.759354115 CEST	443	49709	34.102.239.211	192.168.2.5
Apr 17, 2024 02:23:51.759463072 CEST	49709	443	192.168.2.5	34.102.239.211
Apr 17, 2024 02:23:51.760499001 CEST	49710	443	192.168.2.5	34.102.239.211
Apr 17, 2024 02:23:51.760576010 CEST	443	49710	34.102.239.211	192.168.2.5
Apr 17, 2024 02:23:51.760608912 CEST	49709	443	192.168.2.5	34.102.239.211
Apr 17, 2024 02:23:51.760641098 CEST	443	49709	34.102.239.211	192.168.2.5
Apr 17, 2024 02:23:51.760658979 CEST	49710	443	192.168.2.5	34.102.239.211
Apr 17, 2024 02:23:51.760865927 CEST	49710	443	192.168.2.5	34.102.239.211
Apr 17, 2024 02:23:51.760891914 CEST	443	49710	34.102.239.211	192.168.2.5
Apr 17, 2024 02:23:52.043442965 CEST	443	49709	34.102.239.211	192.168.2.5
Apr 17, 2024 02:23:52.043735027 CEST	49709	443	192.168.2.5	34.102.239.211
Apr 17, 2024 02:23:52.043765068 CEST	443	49709	34.102.239.211	192.168.2.5
Apr 17, 2024 02:23:52.044552088 CEST	443	49709	34.102.239.211	192.168.2.5
Apr 17, 2024 02:23:52.044616938 CEST	49709	443	192.168.2.5	34.102.239.211
Apr 17, 2024 02:23:52.046022892 CEST	443	49710	34.102.239.211	192.168.2.5
Apr 17, 2024 02:23:52.048535109 CEST	49710	443	192.168.2.5	34.102.239.211
Apr 17, 2024 02:23:52.048592091 CEST	443	49710	34.102.239.211	192.168.2.5
Apr 17, 2024 02:23:52.049045086 CEST	49709	443	192.168.2.5	34.102.239.211
Apr 17, 2024 02:23:52.049237967 CEST	49709	443	192.168.2.5	34.102.239.211
Apr 17, 2024 02:23:52.049248934 CEST	443	49709	34.102.239.211	192.168.2.5
Apr 17, 2024 02:23:52.049282074 CEST	443	49709	34.102.239.211	192.168.2.5
Apr 17, 2024 02:23:52.050267935 CEST	443	49710	34.102.239.211	192.168.2.5
Apr 17, 2024 02:23:52.050345898 CEST	49710	443	192.168.2.5	34.102.239.211
Apr 17, 2024 02:23:52.051290989 CEST	49710	443	192.168.2.5	34.102.239.211
Apr 17, 2024 02:23:52.051386118 CEST	443	49710	34.102.239.211	192.168.2.5
Apr 17, 2024 02:23:52.232022047 CEST	49709	443	192.168.2.5	34.102.239.211
Apr 17, 2024 02:23:52.232059956 CEST	443	49709	34.102.239.211	192.168.2.5
Apr 17, 2024 02:23:52.232374907 CEST	49710	443	192.168.2.5	34.102.239.211
Apr 17, 2024 02:23:52.232434988 CEST	443	49710	34.102.239.211	192.168.2.5
Apr 17, 2024 02:23:52.303284883 CEST	443	49709	34.102.239.211	192.168.2.5
Apr 17, 2024 02:23:52.303361893 CEST	49709	443	192.168.2.5	34.102.239.211
Apr 17, 2024 02:23:52.304286957 CEST	49709	443	192.168.2.5	34.102.239.211
Apr 17, 2024 02:23:52.304305077 CEST	443	49709	34.102.239.211	192.168.2.5
Apr 17, 2024 02:23:52.332484961 CEST	49710	443	192.168.2.5	34.102.239.211
Apr 17, 2024 02:23:52.355705023 CEST	49710	443	192.168.2.5	34.102.239.211
Apr 17, 2024 02:23:52.400114059 CEST	443	49710	34.102.239.211	192.168.2.5
Apr 17, 2024 02:23:52.518148899 CEST	443	49710	34.102.239.211	192.168.2.5
Apr 17, 2024 02:23:52.518249035 CEST	443	49710	34.102.239.211	192.168.2.5
Apr 17, 2024 02:23:52.518428087 CEST	49710	443	192.168.2.5	34.102.239.211
Apr 17, 2024 02:23:52.519187927 CEST	49710	443	192.168.2.5	34.102.239.211
Apr 17, 2024 02:23:52.519228935 CEST	443	49710	34.102.239.211	192.168.2.5
Apr 17, 2024 02:23:54.925474882 CEST	49714	443	192.168.2.5	64.233.177.147
Apr 17, 2024 02:23:54.925525904 CEST	443	49714	64.233.177.147	192.168.2.5
Apr 17, 2024 02:23:54.925586939 CEST	49714	443	192.168.2.5	64.233.177.147
Apr 17, 2024 02:23:54.926119089 CEST	49714	443	192.168.2.5	64.233.177.147
Apr 17, 2024 02:23:54.926136971 CEST	443	49714	64.233.177.147	192.168.2.5
Apr 17, 2024 02:23:55.155647039 CEST	443	49714	64.233.177.147	192.168.2.5
Apr 17, 2024 02:23:55.173259974 CEST	49714	443	192.168.2.5	64.233.177.147
Apr 17, 2024 02:23:55.173291922 CEST	443	49714	64.233.177.147	192.168.2.5
Apr 17, 2024 02:23:55.177174091 CEST	443	49714	64.233.177.147	192.168.2.5
Apr 17, 2024 02:23:55.177253962 CEST	49714	443	192.168.2.5	64.233.177.147
Apr 17, 2024 02:23:55.209815979 CEST	49714	443	192.168.2.5	64.233.177.147
Apr 17, 2024 02:23:55.210012913 CEST	443	49714	64.233.177.147	192.168.2.5
Apr 17, 2024 02:23:55.261099100 CEST	49714	443	192.168.2.5	64.233.177.147
Apr 17, 2024 02:23:55.261121035 CEST	443	49714	64.233.177.147	192.168.2.5
Apr 17, 2024 02:23:55.307969093 CEST	49714	443	192.168.2.5	64.233.177.147
Apr 17, 2024 02:23:55.580178022 CEST	49715	443	192.168.2.5	23.63.206.91
Apr 17, 2024 02:23:55.580267906 CEST	443	49715	23.63.206.91	192.168.2.5
Apr 17, 2024 02:23:55.580358028 CEST	49715	443	192.168.2.5	23.63.206.91
Apr 17, 2024 02:23:55.582410097 CEST	49715	443	192.168.2.5	23.63.206.91
Apr 17, 2024 02:23:55.582448959 CEST	443	49715	23.63.206.91	192.168.2.5
Apr 17, 2024 02:23:55.792361975 CEST	49674	443	192.168.2.5	23.1.237.91
Apr 17, 2024 02:23:55.792367935 CEST	49675	443	192.168.2.5	23.1.237.91
Apr 17, 2024 02:23:55.808120966 CEST	443	49715	23.63.206.91	192.168.2.5
Apr 17, 2024 02:23:55.808260918 CEST	49715	443	192.168.2.5	23.63.206.91
Apr 17, 2024 02:23:55.818474054 CEST	49715	443	192.168.2.5	23.63.206.91
Apr 17, 2024 02:23:55.818507910 CEST	443	49715	23.63.206.91	192.168.2.5
Apr 17, 2024 02:23:55.819289923 CEST	443	49715	23.63.206.91	192.168.2.5
Apr 17, 2024 02:23:55.870471954 CEST	49715	443	192.168.2.5	23.63.206.91
Apr 17, 2024 02:23:55.886117935 CEST	49673	443	192.168.2.5	23.1.237.91
Apr 17, 2024 02:23:55.920061111 CEST	49715	443	192.168.2.5	23.63.206.91
Apr 17, 2024 02:23:55.964117050 CEST	443	49715	23.63.206.91	192.168.2.5
Apr 17, 2024 02:23:56.026052952 CEST	443	49715	23.63.206.91	192.168.2.5
Apr 17, 2024 02:23:56.026209116 CEST	443	49715	23.63.206.91	192.168.2.5
Apr 17, 2024 02:23:56.026276112 CEST	49715	443	192.168.2.5	23.63.206.91
Apr 17, 2024 02:23:56.026340961 CEST	49715	443	192.168.2.5	23.63.206.91
Apr 17, 2024 02:23:56.026380062 CEST	443	49715	23.63.206.91	192.168.2.5
Apr 17, 2024 02:23:56.026415110 CEST	49715	443	192.168.2.5	23.63.206.91
Apr 17, 2024 02:23:56.026447058 CEST	443	49715	23.63.206.91	192.168.2.5
Apr 17, 2024 02:23:56.063386917 CEST	49716	443	192.168.2.5	23.63.206.91
Apr 17, 2024 02:23:56.063424110 CEST	443	49716	23.63.206.91	192.168.2.5
Apr 17, 2024 02:23:56.063514948 CEST	49716	443	192.168.2.5	23.63.206.91
Apr 17, 2024 02:23:56.064327002 CEST	49716	443	192.168.2.5	23.63.206.91
Apr 17, 2024 02:23:56.064349890 CEST	443	49716	23.63.206.91	192.168.2.5
Apr 17, 2024 02:23:56.281802893 CEST	443	49716	23.63.206.91	192.168.2.5
Apr 17, 2024 02:23:56.282000065 CEST	49716	443	192.168.2.5	23.63.206.91
Apr 17, 2024 02:23:56.284718990 CEST	49716	443	192.168.2.5	23.63.206.91
Apr 17, 2024 02:23:56.284730911 CEST	443	49716	23.63.206.91	192.168.2.5
Apr 17, 2024 02:23:56.285051107 CEST	443	49716	23.63.206.91	192.168.2.5
Apr 17, 2024 02:23:56.287734032 CEST	49716	443	192.168.2.5	23.63.206.91
Apr 17, 2024 02:23:56.332113028 CEST	443	49716	23.63.206.91	192.168.2.5
Apr 17, 2024 02:23:56.507947922 CEST	443	49716	23.63.206.91	192.168.2.5
Apr 17, 2024 02:23:56.508198977 CEST	443	49716	23.63.206.91	192.168.2.5
Apr 17, 2024 02:23:56.508310080 CEST	49716	443	192.168.2.5	23.63.206.91
Apr 17, 2024 02:23:56.509654045 CEST	49716	443	192.168.2.5	23.63.206.91
Apr 17, 2024 02:23:56.509671926 CEST	443	49716	23.63.206.91	192.168.2.5
Apr 17, 2024 02:23:56.509702921 CEST	49716	443	192.168.2.5	23.63.206.91
Apr 17, 2024 02:23:56.509710073 CEST	443	49716	23.63.206.91	192.168.2.5
Apr 17, 2024 02:23:57.251120090 CEST	443	49703	23.1.237.91	192.168.2.5
Apr 17, 2024 02:23:57.251240015 CEST	49703	443	192.168.2.5	23.1.237.91
Apr 17, 2024 02:24:05.229247093 CEST	443	49714	64.233.177.147	192.168.2.5
Apr 17, 2024 02:24:05.229320049 CEST	443	49714	64.233.177.147	192.168.2.5
Apr 17, 2024 02:24:05.229659081 CEST	49714	443	192.168.2.5	64.233.177.147
Apr 17, 2024 02:24:05.269193888 CEST	49714	443	192.168.2.5	64.233.177.147
Apr 17, 2024 02:24:05.269207954 CEST	443	49714	64.233.177.147	192.168.2.5
Apr 17, 2024 02:24:07.516767025 CEST	49703	443	192.168.2.5	23.1.237.91
Apr 17, 2024 02:24:07.516907930 CEST	49703	443	192.168.2.5	23.1.237.91
Apr 17, 2024 02:24:07.519284010 CEST	49721	443	192.168.2.5	23.1.237.91
Apr 17, 2024 02:24:07.519336939 CEST	443	49721	23.1.237.91	192.168.2.5
Apr 17, 2024 02:24:07.519722939 CEST	49721	443	192.168.2.5	23.1.237.91
Apr 17, 2024 02:24:07.525012970 CEST	49721	443	192.168.2.5	23.1.237.91
Apr 17, 2024 02:24:07.525034904 CEST	443	49721	23.1.237.91	192.168.2.5
Apr 17, 2024 02:24:07.670512915 CEST	443	49703	23.1.237.91	192.168.2.5
Apr 17, 2024 02:24:07.670625925 CEST	443	49703	23.1.237.91	192.168.2.5
Apr 17, 2024 02:24:07.867880106 CEST	443	49721	23.1.237.91	192.168.2.5
Apr 17, 2024 02:24:07.867944956 CEST	49721	443	192.168.2.5	23.1.237.91
Apr 17, 2024 02:24:07.997220039 CEST	49721	443	192.168.2.5	23.1.237.91
Apr 17, 2024 02:24:07.997241974 CEST	443	49721	23.1.237.91	192.168.2.5
Apr 17, 2024 02:24:07.998327017 CEST	443	49721	23.1.237.91	192.168.2.5
Apr 17, 2024 02:24:07.998395920 CEST	49721	443	192.168.2.5	23.1.237.91
Apr 17, 2024 02:24:07.999111891 CEST	49721	443	192.168.2.5	23.1.237.91
Apr 17, 2024 02:24:07.999170065 CEST	443	49721	23.1.237.91	192.168.2.5
Apr 17, 2024 02:24:07.999536037 CEST	49721	443	192.168.2.5	23.1.237.91
Apr 17, 2024 02:24:07.999545097 CEST	443	49721	23.1.237.91	192.168.2.5
Apr 17, 2024 02:24:08.226541996 CEST	443	49721	23.1.237.91	192.168.2.5
Apr 17, 2024 02:24:08.226609945 CEST	49721	443	192.168.2.5	23.1.237.91
Apr 17, 2024 02:24:08.226624012 CEST	443	49721	23.1.237.91	192.168.2.5
Apr 17, 2024 02:24:08.226664066 CEST	49721	443	192.168.2.5	23.1.237.91
Apr 17, 2024 02:24:08.226706982 CEST	443	49721	23.1.237.91	192.168.2.5
Apr 17, 2024 02:24:08.226751089 CEST	49721	443	192.168.2.5	23.1.237.91
Apr 17, 2024 02:24:08.259275913 CEST	49721	443	192.168.2.5	23.1.237.91
Apr 17, 2024 02:24:08.259285927 CEST	443	49721	23.1.237.91	192.168.2.5
Apr 17, 2024 02:24:08.259298086 CEST	49721	443	192.168.2.5	23.1.237.91
Apr 17, 2024 02:24:08.259331942 CEST	49721	443	192.168.2.5	23.1.237.91
Apr 17, 2024 02:24:54.903661013 CEST	49726	443	192.168.2.5	64.233.177.147
Apr 17, 2024 02:24:54.903713942 CEST	443	49726	64.233.177.147	192.168.2.5
Apr 17, 2024 02:24:54.903783083 CEST	49726	443	192.168.2.5	64.233.177.147
Apr 17, 2024 02:24:54.904093027 CEST	49726	443	192.168.2.5	64.233.177.147
Apr 17, 2024 02:24:54.904110909 CEST	443	49726	64.233.177.147	192.168.2.5
Apr 17, 2024 02:24:55.130204916 CEST	443	49726	64.233.177.147	192.168.2.5
Apr 17, 2024 02:24:55.133493900 CEST	49726	443	192.168.2.5	64.233.177.147
Apr 17, 2024 02:24:55.133510113 CEST	443	49726	64.233.177.147	192.168.2.5
Apr 17, 2024 02:24:55.134604931 CEST	443	49726	64.233.177.147	192.168.2.5
Apr 17, 2024 02:24:55.135629892 CEST	49726	443	192.168.2.5	64.233.177.147
Apr 17, 2024 02:24:55.135802984 CEST	443	49726	64.233.177.147	192.168.2.5
Apr 17, 2024 02:24:55.183424950 CEST	49726	443	192.168.2.5	64.233.177.147
Apr 17, 2024 02:25:05.177584887 CEST	443	49726	64.233.177.147	192.168.2.5
Apr 17, 2024 02:25:05.177676916 CEST	443	49726	64.233.177.147	192.168.2.5
Apr 17, 2024 02:25:05.177723885 CEST	49726	443	192.168.2.5	64.233.177.147
Apr 17, 2024 02:25:07.255275965 CEST	49726	443	192.168.2.5	64.233.177.147
Apr 17, 2024 02:25:07.255300999 CEST	443	49726	64.233.177.147	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 17, 2024 02:23:50.626115084 CEST	53	55290	1.1.1.1	192.168.2.5
Apr 17, 2024 02:23:50.686306000 CEST	53	55025	1.1.1.1	192.168.2.5
Apr 17, 2024 02:23:51.282171011 CEST	53	60874	1.1.1.1	192.168.2.5
Apr 17, 2024 02:23:51.625190020 CEST	53986	53	192.168.2.5	1.1.1.1
Apr 17, 2024 02:23:51.625300884 CEST	56172	53	192.168.2.5	1.1.1.1
Apr 17, 2024 02:23:51.731483936 CEST	53	53986	1.1.1.1	192.168.2.5
Apr 17, 2024 02:23:51.748600960 CEST	53	56172	1.1.1.1	192.168.2.5
Apr 17, 2024 02:23:54.817447901 CEST	53495	53	192.168.2.5	1.1.1.1
Apr 17, 2024 02:23:54.818205118 CEST	56543	53	192.168.2.5	1.1.1.1
Apr 17, 2024 02:23:54.923557043 CEST	53	56543	1.1.1.1	192.168.2.5
Apr 17, 2024 02:23:54.923614979 CEST	53	53495	1.1.1.1	192.168.2.5
Apr 17, 2024 02:24:09.507865906 CEST	53	51536	1.1.1.1	192.168.2.5
Apr 17, 2024 02:24:28.547337055 CEST	53	65042	1.1.1.1	192.168.2.5
Apr 17, 2024 02:24:50.290769100 CEST	53	60625	1.1.1.1	192.168.2.5
Apr 17, 2024 02:24:51.267940044 CEST	53	65418	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 17, 2024 02:23:51.625190020 CEST	192.168.2.5	1.1.1.1	0x15e	Standard query (0)	email.notifications.joinhandshake.com	A (IP address)	IN (0x0001)	false
Apr 17, 2024 02:23:51.625300884 CEST	192.168.2.5	1.1.1.1	0x1c34	Standard query (0)	email.notifications.joinhandshake.com	65	IN (0x0001)	false
Apr 17, 2024 02:23:54.817447901 CEST	192.168.2.5	1.1.1.1	0x582b	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Apr 17, 2024 02:23:54.818205118 CEST	192.168.2.5	1.1.1.1	0x6293	Standard query (0)	www.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 17, 2024 02:23:51.731483936 CEST	1.1.1.1	192.168.2.5	0x15e	No error (0)	email.notifications.joinhandshake.com	mailgun.org		CNAME (Canonical name)	IN (0x0001)	false
Apr 17, 2024 02:23:51.731483936 CEST	1.1.1.1	192.168.2.5	0x15e	No error (0)	mailgun.org		34.102.239.211	A (IP address)	IN (0x0001)	false
Apr 17, 2024 02:23:51.748600960 CEST	1.1.1.1	192.168.2.5	0x1c34	No error (0)	email.notifications.joinhandshake.com	mailgun.org		CNAME (Canonical name)	IN (0x0001)	false
Apr 17, 2024 02:23:54.923557043 CEST	1.1.1.1	192.168.2.5	0x6293	No error (0)	www.google.com			65	IN (0x0001)	false
Apr 17, 2024 02:23:54.923614979 CEST	1.1.1.1	192.168.2.5	0x582b	No error (0)	www.google.com		64.233.177.147	A (IP address)	IN (0x0001)	false
Apr 17, 2024 02:23:54.923614979 CEST	1.1.1.1	192.168.2.5	0x582b	No error (0)	www.google.com		64.233.177.104	A (IP address)	IN (0x0001)	false
Apr 17, 2024 02:23:54.923614979 CEST	1.1.1.1	192.168.2.5	0x582b	No error (0)	www.google.com		64.233.177.103	A (IP address)	IN (0x0001)	false
Apr 17, 2024 02:23:54.923614979 CEST	1.1.1.1	192.168.2.5	0x582b	No error (0)	www.google.com		64.233.177.106	A (IP address)	IN (0x0001)	false
Apr 17, 2024 02:23:54.923614979 CEST	1.1.1.1	192.168.2.5	0x582b	No error (0)	www.google.com		64.233.177.105	A (IP address)	IN (0x0001)	false
Apr 17, 2024 02:23:54.923614979 CEST	1.1.1.1	192.168.2.5	0x582b	No error (0)	www.google.com		64.233.177.99	A (IP address)	IN (0x0001)	false
Apr 17, 2024 02:24:07.234661102 CEST	1.1.1.1	192.168.2.5	0x77b2	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 17, 2024 02:24:07.234661102 CEST	1.1.1.1	192.168.2.5	0x77b2	No error (0)	fp2e7a.wpc.phicdn.net		192.229.211.108	A (IP address)	IN (0x0001)	false
Apr 17, 2024 02:24:07.519756079 CEST	1.1.1.1	192.168.2.5	0x989b	No error (0)	windowsupdatebg.s.llnwi.net		69.164.42.0	A (IP address)	IN (0x0001)	false
Apr 17, 2024 02:25:03.040735006 CEST	1.1.1.1	192.168.2.5	0x6fbd	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Apr 17, 2024 02:25:03.040735006 CEST	1.1.1.1	192.168.2.5	0x6fbd	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

email.notifications.joinhandshake.com

https:

www.bing.com

fs.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49709	34.102.239.211	443	5592	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-17 00:23:52 UTC	680	OUT	GET / HTTP/1.1 Host: email.notifications.joinhandshake.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-04-17 00:23:52 UTC	176	IN	HTTP/1.1 404 Not Found Content-Length: 19 Content-Type: text/plain; charset=utf-8 Date: Wed, 17 Apr 2024 00:23:52 GMT X-Content-Type-Options: nosniff Connection: close
2024-04-17 00:23:52 UTC	19	IN	Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a Data Ascii: 404 page not found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49710	34.102.239.211	443	5592	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-17 00:23:52 UTC	630	OUT	GET /favicon.ico HTTP/1.1 Host: email.notifications.joinhandshake.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://email.notifications.joinhandshake.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-04-17 00:23:52 UTC	176	IN	HTTP/1.1 404 Not Found Content-Length: 19 Content-Type: text/plain; charset=utf-8 Date: Wed, 17 Apr 2024 00:23:52 GMT X-Content-Type-Options: nosniff Connection: close
2024-04-17 00:23:52 UTC	19	IN	Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a Data Ascii: 404 page not found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49715	23.63.206.91	443

Timestamp	Bytes transferred	Direction	Data
2024-04-17 00:23:55 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-04-17 00:23:56 UTC	468	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (chd/079C) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-eus2-z1 Cache-Control: public, max-age=110383 Date: Wed, 17 Apr 2024 00:23:55 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49716	23.63.206.91	443

Timestamp	Bytes transferred	Direction	Data
2024-04-17 00:23:56 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-04-17 00:23:56 UTC	531	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Tue, 16 May 2017 22:58:00 GMT ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json X-Azure-Ref: 0rcGnYgAAAAANOnx9vccHTr21ROgX9ESTU0pDRURHRTAzMDkAY2VmYzI1ODMtYTliMi00NGE3LTk3NTUtYjc2ZDE3ZTA1Zjdm Cache-Control: public, max-age=110392 Date: Wed, 17 Apr 2024 00:23:56 GMT Content-Length: 55 Connection: close X-CID: 2
2024-04-17 00:23:56 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port
4	192.168.2.5	49721	23.1.237.91	443

Timestamp	Bytes transferred	Direction	Data
2024-04-17 00:24:07 UTC	2148	OUT	POST /threshold/xls.aspx HTTP/1.1 Origin: https://www.bing.com Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init Accept: / Accept-Language: en-CH Content-type: text/xml X-Agent-DeviceId: 01000A410900D492 X-BM-CBT: 1696428841 X-BM-DateFormat: dd/MM/yyyy X-BM-DeviceDimensions: 784x984 X-BM-DeviceDimensionsLogical: 784x984 X-BM-DeviceScale: 100 X-BM-DTZ: 120 X-BM-Market: CH X-BM-Theme: 000000;0078d7 X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66E X-Device-ClientSession: DB0AFB19004F47BC80E5208C7478FF22 X-Device-isOptin: false X-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A} X-Device-OSSKU: 48 X-Device-Touch: false X-DeviceID: 01000A410900D492 X-MSEdge-ExternalExp: d-thshld39,d-thshld42,d-thshld77,d-thshld78,staticsh X-MSEdge-ExternalExpType: JointCoord X-PositionerType: Desktop X-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI X-Search-CortanaAvailableCapabilities: None X-Search-SafeSearch: Moderate X-Search-TimeZone: Bias=-60; DaylightBias=-60; TimeZoneKeyName=W. Europe Standard Time X-UserAgeClass: Unknown Accept-Encoding: gzip, deflate, br User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045 Host: www.bing.com Content-Length: 2484 Connection: Keep-Alive Cache-Control: no-cache Cookie: MUID=2F4E96DB8B7049E59AD4484C3C00F7CF; _SS=SID=1A6DEABB468B65843EB5F91B47916435&CPID=1713313415986&AC=1&CPH=d1a4eb75; _EDGE_S=SID=1A6DEABB468B65843EB5F91B47916435; SRCHUID=V=2&GUID=3D32B8AC657C4AD781A584E283227995&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20231004; SRCHHPGUSR=SRCHLANG=en&IPMH=986d886c&IPMID=1696428841029&HV=1696428756; CortanaAppUID=5A290E2CC4B523E2D8B5E2E3E4CB7CB7; MUIDB=2F4E96DB8B7049E59AD4484C3C00F7CF
2024-04-17 00:24:07 UTC	1	OUT	Data Raw: 3c Data Ascii: <
2024-04-17 00:24:07 UTC	2483	OUT	Data Raw: 43 6c 69 65 6e 74 49 6e 73 74 52 65 71 75 65 73 74 3e 3c 43 49 44 3e 33 36 34 34 46 44 37 34 44 46 31 36 36 31 38 46 30 38 46 37 45 43 30 33 44 45 35 35 36 30 30 31 3c 2f 43 49 44 3e 3c 45 76 65 6e 74 73 3e 3c 45 3e 3c 54 3e 45 76 65 6e 74 2e 43 6c 69 65 6e 74 49 6e 73 74 3c 2f 54 3e 3c 49 47 3e 37 35 32 32 38 31 35 36 37 30 33 41 34 30 44 35 42 39 37 45 35 41 36 38 33 36 46 32 41 31 43 45 3c 2f 49 47 3e 3c 44 3e 3c 21 5b 43 44 41 54 41 5b 7b 22 43 75 72 55 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 69 6e 67 2e 63 6f 6d 2f 41 53 2f 41 50 49 2f 57 69 6e 64 6f 77 73 43 6f 72 74 61 6e 61 50 61 6e 65 2f 56 32 2f 49 6e 69 74 22 2c 22 50 69 76 6f 74 22 3a 22 51 46 22 2c 22 54 22 3a 22 43 49 2e 42 6f 78 4d 6f 64 65 6c 22 2c 22 46 49 44 22 3a 22 43 49 Data Ascii: ClientInstRequest><CID>3644FD74DF16618F08F7EC03DE556001</CID><Events><E><T>Event.ClientInst</T><IG>75228156703A40D5B97E5A6836F2A1CE</IG><D><![CDATA[{"CurUrl":"https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init","Pivot":"QF","T":"CI.BoxModel","FID":"CI
2024-04-17 00:24:08 UTC	479	IN	HTTP/1.1 204 No Content Access-Control-Allow-Origin: * Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version X-MSEdge-Ref: Ref A: FDDC7E8D1D9242BDA29A1C398C6DC894 Ref B: LAX311000110045 Ref C: 2024-04-17T00:24:08Z Date: Wed, 17 Apr 2024 00:24:08 GMT Connection: close Alt-Svc: h3=":443"; ma=93600 X-CDN-TraceID: 0.57ed0117.1713313448.2bd633f

Target ID:	0
Start time:	02:23:46
Start date:	17/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	02:23:49
Start date:	17/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 --field-trial-handle=2208,i,12677839712697542642,1752873811518202268,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	02:23:50
Start date:	17/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://email.notifications.joinhandshake.com"
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://email.notifications.joinhandshake.com

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Phishing

Compliance

Networking

System Summary

Boot Survival

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Chrome Cache Entry: 57

Chrome Cache Entry: 58

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: chrome.exePID: 3876, Parent PID: 5376

General

Chronological Activities

Analysis Process: chrome.exePID: 5592, Parent PID: 3876

General

Chronological Activities

Analysis Process: chrome.exePID: 2972, Parent PID: 5376

Windows Analysis Report
https://email.notifications.joinhandshake.com