Edit tour

Windows Analysis Report
http://134.122.122.216

Overview

General Information

Sample URL:	http://134.122.122.216
Analysis ID:	1427674
Infos:

Detection

Score:	1
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Stores files to the Windows start menu directory

Uses insecure TLS / SSL version for HTTPS connection

Classification

Process Tree

System is w10x64

chrome.exe (PID: 3228 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 1812 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 --field-trial-handle=2292,i,5411637513741760213,8331042975642358200,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 5824 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://134.122.122.216" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: http://134.122.122.216/

HTTP Parser: No favicon

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49720 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 23.63.206.91:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.63.206.91:443 -> 192.168.2.5:49716 version: TLS 1.2

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49720 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 134.122.122.216
Source: unknown	TCP traffic detected without corresponding DNS query: 134.122.122.216
Source: unknown	TCP traffic detected without corresponding DNS query: 134.122.122.216
Source: unknown	TCP traffic detected without corresponding DNS query: 134.122.122.216
Source: unknown	TCP traffic detected without corresponding DNS query: 134.122.122.216
Source: unknown	TCP traffic detected without corresponding DNS query: 134.122.122.216
Source: unknown	TCP traffic detected without corresponding DNS query: 134.122.122.216
Source: unknown	TCP traffic detected without corresponding DNS query: 134.122.122.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 134.122.122.216

Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 134.122.122.216Connection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: 134.122.122.216Connection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Referer: http://134.122.122.216/Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9

Source: unknown

DNS traffic detected: queries for: www.google.com

Source: unknown

HTTP traffic detected: POST /threshold/xls.aspx HTTP/1.1Origin: https://www.bing.comReferer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/InitAccept: */*Accept-Language: en-CHContent-type: text/xmlX-Agent-DeviceId: 01000A410900D492X-BM-CBT: 1696428841X-BM-DateFormat: dd/MM/yyyyX-BM-DeviceDimensions: 784x984X-BM-DeviceDimensionsLogical: 784x984X-BM-DeviceScale: 100X-BM-DTZ: 120X-BM-Market: CHX-BM-Theme: 000000;0078d7X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66EX-Device-ClientSession: DB0AFB19004F47BC80E5208C7478FF22X-Device-isOptin: falseX-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A}X-Device-OSSKU: 48X-Device-Touch: falseX-DeviceID: 01000A410900D492X-MSEdge-ExternalExp: d-thshld39,d-thshld42,d-thshld77,d-thshld78,staticshX-MSEdge-ExternalExpType: JointCoordX-PositionerType: DesktopX-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUIX-Search-CortanaAvailableCapabilities: NoneX-Search-SafeSearch: ModerateX-Search-TimeZone: Bias=-60; DaylightBias=-60; TimeZoneKeyName=W. Europe Standard TimeX-UserAgeClass: UnknownAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: www.bing.comContent-Length: 2484Connection: Keep-AliveCache-Control: no-cacheCookie: MUID=2F4E96DB8B7049E59AD4484C3C00F7CF; _SS=SID=1A6DEABB468B65843EB5F91B47916435&CPID=1713389228983&AC=1&CPH=d1a4eb75; _EDGE_S=SID=1A6DEABB468B65843EB5F91B47916435; SRCHUID=V=2&GUID=3D32B8AC657C4AD781A584E283227995&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20231004; SRCHHPGUSR=SRCHLANG=en&IPMH=986d886c&IPMID=1696428841029&HV=1696428756; CortanaAppUID=5A290E2CC4B523E2D8B5E2E3E4CB7CB7; MUIDB=2F4E96DB8B7049E59AD4484C3C00F7CF

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundaccess-control-allow-origin: *cache-control: max-age=0, no-cache, must-revalidate, proxy-revalidateaccess-control-allow-credentials: trueaccess-control-allow-headers: Origin, X-Requested-With, Content-Type, Accept, Authorization, Content-Range, Cache-Controlcontent-type: application/json; charset=utf-8content-length: 43date: Wed, 17 Apr 2024 21:27:25 GMTkeep-alive: timeout=5Data Raw: 7b 22 73 74 61 74 75 73 43 6f 64 65 22 3a 34 30 34 2c 22 6d 65 73 73 61 67 65 22 3a 22 43 61 6e 6e 6f 74 20 47 45 54 20 2f 22 7d Data Ascii: {"statusCode":404,"message":"Cannot GET /"}
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundaccess-control-allow-origin: *cache-control: max-age=0, no-cache, must-revalidate, proxy-revalidateaccess-control-allow-credentials: trueaccess-control-allow-headers: Origin, X-Requested-With, Content-Type, Accept, Authorization, Content-Range, Cache-Controlcontent-type: application/json; charset=utf-8content-length: 54date: Wed, 17 Apr 2024 21:27:25 GMTkeep-alive: timeout=5Data Raw: 7b 22 73 74 61 74 75 73 43 6f 64 65 22 3a 34 30 34 2c 22 6d 65 73 73 61 67 65 22 3a 22 43 61 6e 6e 6f 74 20 47 45 54 20 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 7d Data Ascii: {"statusCode":404,"message":"Cannot GET /favicon.ico"}

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703

Source: unknown	HTTPS traffic detected: 23.63.206.91:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.63.206.91:443 -> 192.168.2.5:49716 version: TLS 1.2

Source: classification engine

Classification label: clean1.win@16/10@2/4

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Jump to behavior

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 --field-trial-handle=2292,i,5411637513741760213,8331042975642358200,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://134.122.122.216"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 --field-trial-handle=2292,i,5411637513741760213,8331042975642358200,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Google Drive.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	1 Process Injection	1 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	4 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	5 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	3 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false	unknown
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	217.20.50.22	true	false	unknown
www.google.com	74.125.138.99	true	false	high
fp2e7a.wpc.phicdn.net	192.229.211.108	true	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://134.122.122.216/favicon.ico	false		unknown
http://134.122.122.216/	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
74.125.138.99	www.google.com	United States	15169	GOOGLEUS	false
134.122.122.216	unknown	United States	14061	DIGITALOCEAN-ASNUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false

Private

IP
192.168.2.5

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1427674
Start date and time:	2024-04-17 23:26:35 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	http://134.122.122.216
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean1.win@16/10@2/4
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 74.125.138.94, 142.250.105.113, 142.250.105.100, 142.250.105.102, 142.250.105.138, 142.250.105.139, 142.250.105.101, 74.125.136.84, 34.104.35.123, 13.85.23.86, 96.7.245.17, 192.229.211.108, 72.21.81.240, 13.85.23.206, 23.40.205.26, 23.40.205.18, 23.40.205.81, 142.250.105.94
Excluded domains from analysis (whitelisted): fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, wu.ec.azureedge.net, clientservices.googleapis.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-bg-shim.trafficmanager.net, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net, fe3.delivery.mp.microsoft.com, clients2.google.com, edgedl.me.gvt1.com, ocsp.digicert.com, ocsp.edge.digicert.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, hlb.apr-52dd2-0.edgecastdns.net, update.googleapis.com, clients.l.google.com, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: http://134.122.122.216

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Apr 17 20:27:25 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.9761444019950627
Encrypted:	false
SSDEEP:	48:8FdpTxpiHHidAKZdA19ehwiZUklqehGy+3:8BLady
MD5:	97B1A95923B73A93F5FCC01FDA6C1D36
SHA1:	768950FB83FF0CCF047644DC26B8F53AC6916227
SHA-256:	487FE2E14A3423FE374DB88157AC424E0B669EA114F432489FA5425577C7B73C
SHA-512:	CC32A198FEE376953AE299E3C34061342239FEF5CB0D4E8183E4EB968C518E69F2A443D5CA453CF5BF699C6C28664747A6A73DD8391F32940D6CAD2648058100
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....Og\.....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Xj.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Xj.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Xj.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Xj............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Xm............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........!j.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Apr 17 20:27:24 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	3.992328281107044
Encrypted:	false
SSDEEP:	48:8FdpTxpiHHidAKZdA1weh/iZUkAQkqehNy+2:8BLw9QQy
MD5:	EE7E2EA922BB9489533A049E3B339A63
SHA1:	9EAC24222409831D99B9EE0986446CAF7F872491
SHA-256:	3702DD22028A2BF395C74C3E5E5F54D20A441501A3B734C23E9FD0FEF30C393F
SHA-512:	005DC9D19FC9E86E4FA1E45969C34553523C12C0F827F93262997ABD97E40221FEF0576D3108F5B222D5F3E81F11BCC3DA8D6E6F32196AC3B672F61026B4AA6F
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....ptN.....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Xj.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Xj.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Xj.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Xj............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Xm............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........!j.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 4 12:54:07 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2693
Entropy (8bit):	4.007583533468963
Encrypted:	false
SSDEEP:	48:8xidpTxpsHHidAKZdA14tseh7sFiZUkmgqeh7sHy+BX:8xQLenxy
MD5:	2EF95AE057CB8E49408D13742CA82324
SHA1:	02EBC28F3BE87C2E38A5D0261AF99863679F30C8
SHA-256:	031CAFAE77C5C9B246C8E4B837B5CA6B296136AA9B4C91575A4C1647C92A7628
SHA-512:	92C44A269C4F69B9948115006BBCAA8772A736DA176AC3646FE56DD719B1F9668881E454065CCE95594CDFF92B66496304227A460CFF9B1D365C707020E769DF
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......e>....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Xj.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Xj.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Xj.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Xj............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VDW.n...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........!j.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Apr 17 20:27:24 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.995291046294625
Encrypted:	false
SSDEEP:	48:8GdpTxpiHHidAKZdA1vehDiZUkwqehJy+R:8ELbfy
MD5:	218D08DD6858E526C44B9EA595738005
SHA1:	F4E73CA78B11D5D9EED06768AD6992AC2FC80E81
SHA-256:	D8935252E0DD27724AA3AC251A3AC694F0CC3442ADC91A096B1F562052992D06
SHA-512:	2D021DEF831D8B6650A16B1A40F6A4C70B4A7646EB3BD897CD866539AEC0BBA34A0601F633DB1E69B7B0C7A7CACBFD576DBDBEB16104828BEE325336C0AD07E7
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......E.....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Xj.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Xj.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Xj.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Xj............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Xm............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........!j.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Apr 17 20:27:24 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.9827445752603907
Encrypted:	false
SSDEEP:	48:8MdpTxpiHHidAKZdA1hehBiZUk1W1qehLy+C:8SL79ry
MD5:	4445DDA1EE9A0C85441D1AA12AFECD51
SHA1:	5A7658D4A43CBFED97A5DEA2C1AF01F97BD010E5
SHA-256:	690DA1BB7BA81752044FF1E7186206B4A48250065112187144CDEEF669CCBFE3
SHA-512:	A2FDF61091A52D0D9C9A8F540B7CC87ED01F8EAF5365942551FACCB92DA9D97955C2045FEE3601F48C0F2812BBABED09B9A112AACE2C32EBE8247A39AAE7C413
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....4@U.....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Xj.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Xj.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Xj.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Xj............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Xm............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........!j.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Apr 17 20:27:24 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2683
Entropy (8bit):	3.996560169424952
Encrypted:	false
SSDEEP:	48:8XdpTxpiHHidAKZdA1duT+ehOuTbbiZUk5OjqehOuTbxy+yT+:8rLbT/TbxWOvTbxy7T
MD5:	0D2287005A930E5DE8853DE3C94B45D0
SHA1:	AE5E3A91F0978B2F0B17C801C480A5D43B1E5448
SHA-256:	2E1D3DCEC0AD4ED5BC1DE7A782850ECE4AC6A2F8610DBBBA2E2F094F3618D06E
SHA-512:	8771BB7A640F6802A143C2AC08D2285B3DC00543A917D389DC90407BEDEC2F6CA72D0F2AB33CF4E2A779B9BB3EAD3F03663E3D977AF02F2BB28C5CE9F5A53EF4
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....Y.<.....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Xj.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Xj.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Xj.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Xj............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Xm............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........!j.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Chrome Cache Entry: 57

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JSON data
Category:	downloaded
Size (bytes):	54
Entropy (8bit):	4.536842363074259
Encrypted:	false
SSDEEP:	3:YWR4h2zd6GE/Ke8KDETqLLMi:YWyQK/WiLMi
MD5:	F724EB23297A894BF726D26649E8E26C
SHA1:	8E22F926F08C02D69E2704923124FFF8E4B30025
SHA-256:	F639D54D7FE79AAF505BDDC5DABF737662C61D3993BF03E6D6B3B5F5453EAB69
SHA-512:	DA8FEC16AEC8321C7A0F22E7E1E97FBFBEFF88CF328EF2E8329B2B142DD3AB772A660630DE7855476E043267B6CFE2C0443DB0D3DFAF4A8A8D99689DDCACADA1
Malicious:	false
Reputation:	low
URL:	http://134.122.122.216/favicon.ico
Preview:	{"statusCode":404,"message":"Cannot GET /favicon.ico"}

Chrome Cache Entry: 58

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JSON data
Category:	downloaded
Size (bytes):	43
Entropy (8bit):	4.268719696310996
Encrypted:	false
SSDEEP:	3:YWR4h2zd6GE/Ke8K4:YWyQK/Wp
MD5:	00BA9076E508F641510D4EE2EA53CDEF
SHA1:	45BE3EB6FEE73B32DFA9747C24C83BF613D9D6C4
SHA-256:	14DAFCBC80A313470C03A4239E13F1454BA483C4D049484C415E3E00CB5D4DFD
SHA-512:	630245CEF9837E83EF003995591F8E2C0D0D0E191D49E8EBD960D44E600C58F409AABECE7352F4496FC46BCD79A765BE877104AAB487B9517A22E6D6FFC85814
Malicious:	false
Reputation:	low
URL:	http://134.122.122.216/
Preview:	{"statusCode":404,"message":"Cannot GET /"}

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 17, 2024 23:27:18.922522068 CEST	49675	443	192.168.2.5	23.1.237.91
Apr 17, 2024 23:27:18.938137054 CEST	49674	443	192.168.2.5	23.1.237.91
Apr 17, 2024 23:27:19.047620058 CEST	49673	443	192.168.2.5	23.1.237.91
Apr 17, 2024 23:27:24.923029900 CEST	49711	80	192.168.2.5	134.122.122.216
Apr 17, 2024 23:27:24.923207045 CEST	49710	80	192.168.2.5	134.122.122.216
Apr 17, 2024 23:27:25.043987989 CEST	80	49711	134.122.122.216	192.168.2.5
Apr 17, 2024 23:27:25.045202971 CEST	49711	80	192.168.2.5	134.122.122.216
Apr 17, 2024 23:27:25.045367956 CEST	49711	80	192.168.2.5	134.122.122.216
Apr 17, 2024 23:27:25.048161030 CEST	80	49710	134.122.122.216	192.168.2.5
Apr 17, 2024 23:27:25.048360109 CEST	49710	80	192.168.2.5	134.122.122.216
Apr 17, 2024 23:27:25.167692900 CEST	80	49711	134.122.122.216	192.168.2.5
Apr 17, 2024 23:27:25.212595940 CEST	49711	80	192.168.2.5	134.122.122.216
Apr 17, 2024 23:27:25.220172882 CEST	49711	80	192.168.2.5	134.122.122.216
Apr 17, 2024 23:27:25.342922926 CEST	80	49711	134.122.122.216	192.168.2.5
Apr 17, 2024 23:27:25.388931036 CEST	49711	80	192.168.2.5	134.122.122.216
Apr 17, 2024 23:27:27.639024973 CEST	49714	443	192.168.2.5	74.125.138.99
Apr 17, 2024 23:27:27.639066935 CEST	443	49714	74.125.138.99	192.168.2.5
Apr 17, 2024 23:27:27.639147043 CEST	49714	443	192.168.2.5	74.125.138.99
Apr 17, 2024 23:27:27.640950918 CEST	49714	443	192.168.2.5	74.125.138.99
Apr 17, 2024 23:27:27.640974045 CEST	443	49714	74.125.138.99	192.168.2.5
Apr 17, 2024 23:27:27.870070934 CEST	443	49714	74.125.138.99	192.168.2.5
Apr 17, 2024 23:27:27.870898962 CEST	49714	443	192.168.2.5	74.125.138.99
Apr 17, 2024 23:27:27.870929003 CEST	443	49714	74.125.138.99	192.168.2.5
Apr 17, 2024 23:27:27.872606993 CEST	443	49714	74.125.138.99	192.168.2.5
Apr 17, 2024 23:27:27.872781992 CEST	49714	443	192.168.2.5	74.125.138.99
Apr 17, 2024 23:27:27.916754007 CEST	49714	443	192.168.2.5	74.125.138.99
Apr 17, 2024 23:27:27.917280912 CEST	443	49714	74.125.138.99	192.168.2.5
Apr 17, 2024 23:27:27.964767933 CEST	49714	443	192.168.2.5	74.125.138.99
Apr 17, 2024 23:27:27.964797020 CEST	443	49714	74.125.138.99	192.168.2.5
Apr 17, 2024 23:27:28.011676073 CEST	49714	443	192.168.2.5	74.125.138.99
Apr 17, 2024 23:27:28.456778049 CEST	49715	443	192.168.2.5	23.63.206.91
Apr 17, 2024 23:27:28.456859112 CEST	443	49715	23.63.206.91	192.168.2.5
Apr 17, 2024 23:27:28.456942081 CEST	49715	443	192.168.2.5	23.63.206.91
Apr 17, 2024 23:27:28.459996939 CEST	49715	443	192.168.2.5	23.63.206.91
Apr 17, 2024 23:27:28.460086107 CEST	443	49715	23.63.206.91	192.168.2.5
Apr 17, 2024 23:27:28.527187109 CEST	49675	443	192.168.2.5	23.1.237.91
Apr 17, 2024 23:27:28.542812109 CEST	49674	443	192.168.2.5	23.1.237.91
Apr 17, 2024 23:27:28.652184010 CEST	49673	443	192.168.2.5	23.1.237.91
Apr 17, 2024 23:27:28.688059092 CEST	443	49715	23.63.206.91	192.168.2.5
Apr 17, 2024 23:27:28.688153982 CEST	49715	443	192.168.2.5	23.63.206.91
Apr 17, 2024 23:27:28.690484047 CEST	49715	443	192.168.2.5	23.63.206.91
Apr 17, 2024 23:27:28.690510035 CEST	443	49715	23.63.206.91	192.168.2.5
Apr 17, 2024 23:27:28.690833092 CEST	443	49715	23.63.206.91	192.168.2.5
Apr 17, 2024 23:27:28.732144117 CEST	49715	443	192.168.2.5	23.63.206.91
Apr 17, 2024 23:27:28.780114889 CEST	443	49715	23.63.206.91	192.168.2.5
Apr 17, 2024 23:27:28.882769108 CEST	443	49715	23.63.206.91	192.168.2.5
Apr 17, 2024 23:27:28.882932901 CEST	443	49715	23.63.206.91	192.168.2.5
Apr 17, 2024 23:27:28.883019924 CEST	49715	443	192.168.2.5	23.63.206.91
Apr 17, 2024 23:27:28.883080006 CEST	49715	443	192.168.2.5	23.63.206.91
Apr 17, 2024 23:27:28.883115053 CEST	443	49715	23.63.206.91	192.168.2.5
Apr 17, 2024 23:27:28.883141041 CEST	49715	443	192.168.2.5	23.63.206.91
Apr 17, 2024 23:27:28.883156061 CEST	443	49715	23.63.206.91	192.168.2.5
Apr 17, 2024 23:27:28.929122925 CEST	49716	443	192.168.2.5	23.63.206.91
Apr 17, 2024 23:27:28.929158926 CEST	443	49716	23.63.206.91	192.168.2.5
Apr 17, 2024 23:27:28.929229021 CEST	49716	443	192.168.2.5	23.63.206.91
Apr 17, 2024 23:27:28.929672003 CEST	49716	443	192.168.2.5	23.63.206.91
Apr 17, 2024 23:27:28.929685116 CEST	443	49716	23.63.206.91	192.168.2.5
Apr 17, 2024 23:27:29.148669004 CEST	443	49716	23.63.206.91	192.168.2.5
Apr 17, 2024 23:27:29.148737907 CEST	49716	443	192.168.2.5	23.63.206.91
Apr 17, 2024 23:27:29.167450905 CEST	49716	443	192.168.2.5	23.63.206.91
Apr 17, 2024 23:27:29.167464018 CEST	443	49716	23.63.206.91	192.168.2.5
Apr 17, 2024 23:27:29.168380022 CEST	443	49716	23.63.206.91	192.168.2.5
Apr 17, 2024 23:27:29.180375099 CEST	49716	443	192.168.2.5	23.63.206.91
Apr 17, 2024 23:27:29.228115082 CEST	443	49716	23.63.206.91	192.168.2.5
Apr 17, 2024 23:27:29.352689028 CEST	443	49716	23.63.206.91	192.168.2.5
Apr 17, 2024 23:27:29.352890968 CEST	443	49716	23.63.206.91	192.168.2.5
Apr 17, 2024 23:27:29.353055954 CEST	49716	443	192.168.2.5	23.63.206.91
Apr 17, 2024 23:27:29.356714010 CEST	49716	443	192.168.2.5	23.63.206.91
Apr 17, 2024 23:27:29.356733084 CEST	443	49716	23.63.206.91	192.168.2.5
Apr 17, 2024 23:27:29.356775999 CEST	49716	443	192.168.2.5	23.63.206.91
Apr 17, 2024 23:27:29.356782913 CEST	443	49716	23.63.206.91	192.168.2.5
Apr 17, 2024 23:27:30.039191961 CEST	443	49703	23.1.237.91	192.168.2.5
Apr 17, 2024 23:27:30.039449930 CEST	49703	443	192.168.2.5	23.1.237.91
Apr 17, 2024 23:27:37.861692905 CEST	443	49714	74.125.138.99	192.168.2.5
Apr 17, 2024 23:27:37.861763000 CEST	443	49714	74.125.138.99	192.168.2.5
Apr 17, 2024 23:27:37.861990929 CEST	49714	443	192.168.2.5	74.125.138.99
Apr 17, 2024 23:27:39.670792103 CEST	49714	443	192.168.2.5	74.125.138.99
Apr 17, 2024 23:27:39.670851946 CEST	443	49714	74.125.138.99	192.168.2.5
Apr 17, 2024 23:27:40.252938032 CEST	49703	443	192.168.2.5	23.1.237.91
Apr 17, 2024 23:27:40.253073931 CEST	49703	443	192.168.2.5	23.1.237.91
Apr 17, 2024 23:27:40.253895998 CEST	49720	443	192.168.2.5	23.1.237.91
Apr 17, 2024 23:27:40.253926039 CEST	443	49720	23.1.237.91	192.168.2.5
Apr 17, 2024 23:27:40.254008055 CEST	49720	443	192.168.2.5	23.1.237.91
Apr 17, 2024 23:27:40.254343987 CEST	49720	443	192.168.2.5	23.1.237.91
Apr 17, 2024 23:27:40.254360914 CEST	443	49720	23.1.237.91	192.168.2.5
Apr 17, 2024 23:27:40.406443119 CEST	443	49703	23.1.237.91	192.168.2.5
Apr 17, 2024 23:27:40.406460047 CEST	443	49703	23.1.237.91	192.168.2.5
Apr 17, 2024 23:27:40.581166029 CEST	443	49720	23.1.237.91	192.168.2.5
Apr 17, 2024 23:27:40.581274033 CEST	49720	443	192.168.2.5	23.1.237.91
Apr 17, 2024 23:27:40.651185989 CEST	49720	443	192.168.2.5	23.1.237.91
Apr 17, 2024 23:27:40.651204109 CEST	443	49720	23.1.237.91	192.168.2.5
Apr 17, 2024 23:27:40.652435064 CEST	443	49720	23.1.237.91	192.168.2.5
Apr 17, 2024 23:27:40.653917074 CEST	49720	443	192.168.2.5	23.1.237.91
Apr 17, 2024 23:27:40.730911970 CEST	49720	443	192.168.2.5	23.1.237.91
Apr 17, 2024 23:27:40.730983019 CEST	443	49720	23.1.237.91	192.168.2.5
Apr 17, 2024 23:27:40.731276035 CEST	49720	443	192.168.2.5	23.1.237.91
Apr 17, 2024 23:27:40.731286049 CEST	443	49720	23.1.237.91	192.168.2.5
Apr 17, 2024 23:27:41.151490927 CEST	443	49720	23.1.237.91	192.168.2.5
Apr 17, 2024 23:27:41.151618004 CEST	49720	443	192.168.2.5	23.1.237.91
Apr 17, 2024 23:27:41.151633978 CEST	443	49720	23.1.237.91	192.168.2.5
Apr 17, 2024 23:27:41.151712894 CEST	49720	443	192.168.2.5	23.1.237.91
Apr 17, 2024 23:27:41.151717901 CEST	443	49720	23.1.237.91	192.168.2.5
Apr 17, 2024 23:27:41.151875973 CEST	49720	443	192.168.2.5	23.1.237.91
Apr 17, 2024 23:27:41.151978970 CEST	49720	443	192.168.2.5	23.1.237.91
Apr 17, 2024 23:27:41.151978970 CEST	49720	443	192.168.2.5	23.1.237.91
Apr 17, 2024 23:27:41.151995897 CEST	443	49720	23.1.237.91	192.168.2.5
Apr 17, 2024 23:27:41.152054071 CEST	49720	443	192.168.2.5	23.1.237.91
Apr 17, 2024 23:27:55.172480106 CEST	80	49710	134.122.122.216	192.168.2.5
Apr 17, 2024 23:27:55.172544003 CEST	80	49710	134.122.122.216	192.168.2.5
Apr 17, 2024 23:27:55.172792912 CEST	49710	80	192.168.2.5	134.122.122.216
Apr 17, 2024 23:27:55.343384981 CEST	80	49711	134.122.122.216	192.168.2.5
Apr 17, 2024 23:27:55.344041109 CEST	49711	80	192.168.2.5	134.122.122.216
Apr 17, 2024 23:27:55.613114119 CEST	49711	80	192.168.2.5	134.122.122.216
Apr 17, 2024 23:27:55.734374046 CEST	80	49711	134.122.122.216	192.168.2.5
Apr 17, 2024 23:28:25.623992920 CEST	49710	80	192.168.2.5	134.122.122.216
Apr 17, 2024 23:28:25.624027014 CEST	49710	80	192.168.2.5	134.122.122.216
Apr 17, 2024 23:28:25.749393940 CEST	80	49710	134.122.122.216	192.168.2.5
Apr 17, 2024 23:28:25.749684095 CEST	49710	80	192.168.2.5	134.122.122.216
Apr 17, 2024 23:28:27.254633904 CEST	49726	443	192.168.2.5	74.125.138.99
Apr 17, 2024 23:28:27.254775047 CEST	443	49726	74.125.138.99	192.168.2.5
Apr 17, 2024 23:28:27.254867077 CEST	49726	443	192.168.2.5	74.125.138.99
Apr 17, 2024 23:28:27.255490065 CEST	49726	443	192.168.2.5	74.125.138.99
Apr 17, 2024 23:28:27.255522013 CEST	443	49726	74.125.138.99	192.168.2.5
Apr 17, 2024 23:28:27.469639063 CEST	443	49726	74.125.138.99	192.168.2.5
Apr 17, 2024 23:28:27.470187902 CEST	49726	443	192.168.2.5	74.125.138.99
Apr 17, 2024 23:28:27.470225096 CEST	443	49726	74.125.138.99	192.168.2.5
Apr 17, 2024 23:28:27.470689058 CEST	443	49726	74.125.138.99	192.168.2.5
Apr 17, 2024 23:28:27.471101046 CEST	49726	443	192.168.2.5	74.125.138.99
Apr 17, 2024 23:28:27.471340895 CEST	443	49726	74.125.138.99	192.168.2.5
Apr 17, 2024 23:28:27.511096954 CEST	49726	443	192.168.2.5	74.125.138.99
Apr 17, 2024 23:28:37.472399950 CEST	443	49726	74.125.138.99	192.168.2.5
Apr 17, 2024 23:28:37.472556114 CEST	443	49726	74.125.138.99	192.168.2.5
Apr 17, 2024 23:28:37.472605944 CEST	49726	443	192.168.2.5	74.125.138.99
Apr 17, 2024 23:28:37.617588043 CEST	49726	443	192.168.2.5	74.125.138.99
Apr 17, 2024 23:28:37.617661953 CEST	443	49726	74.125.138.99	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 17, 2024 23:27:23.510099888 CEST	53	62824	1.1.1.1	192.168.2.5
Apr 17, 2024 23:27:23.510812044 CEST	53	49734	1.1.1.1	192.168.2.5
Apr 17, 2024 23:27:24.116300106 CEST	53	59135	1.1.1.1	192.168.2.5
Apr 17, 2024 23:27:27.224422932 CEST	53076	53	192.168.2.5	1.1.1.1
Apr 17, 2024 23:27:27.224674940 CEST	60733	53	192.168.2.5	1.1.1.1
Apr 17, 2024 23:27:27.329057932 CEST	53	53076	1.1.1.1	192.168.2.5
Apr 17, 2024 23:27:27.329735041 CEST	53	60733	1.1.1.1	192.168.2.5
Apr 17, 2024 23:27:41.587210894 CEST	53	59857	1.1.1.1	192.168.2.5
Apr 17, 2024 23:28:00.375108957 CEST	53	58952	1.1.1.1	192.168.2.5
Apr 17, 2024 23:28:22.667282104 CEST	53	51844	1.1.1.1	192.168.2.5
Apr 17, 2024 23:28:23.072062969 CEST	53	64344	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 17, 2024 23:27:27.224422932 CEST	192.168.2.5	1.1.1.1	0x1280	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Apr 17, 2024 23:27:27.224674940 CEST	192.168.2.5	1.1.1.1	0xe50f	Standard query (0)	www.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 17, 2024 23:27:27.329057932 CEST	1.1.1.1	192.168.2.5	0x1280	No error (0)	www.google.com		74.125.138.99	A (IP address)	IN (0x0001)	false
Apr 17, 2024 23:27:27.329057932 CEST	1.1.1.1	192.168.2.5	0x1280	No error (0)	www.google.com		74.125.138.147	A (IP address)	IN (0x0001)	false
Apr 17, 2024 23:27:27.329057932 CEST	1.1.1.1	192.168.2.5	0x1280	No error (0)	www.google.com		74.125.138.105	A (IP address)	IN (0x0001)	false
Apr 17, 2024 23:27:27.329057932 CEST	1.1.1.1	192.168.2.5	0x1280	No error (0)	www.google.com		74.125.138.103	A (IP address)	IN (0x0001)	false
Apr 17, 2024 23:27:27.329057932 CEST	1.1.1.1	192.168.2.5	0x1280	No error (0)	www.google.com		74.125.138.104	A (IP address)	IN (0x0001)	false
Apr 17, 2024 23:27:27.329057932 CEST	1.1.1.1	192.168.2.5	0x1280	No error (0)	www.google.com		74.125.138.106	A (IP address)	IN (0x0001)	false
Apr 17, 2024 23:27:27.329735041 CEST	1.1.1.1	192.168.2.5	0xe50f	No error (0)	www.google.com			65	IN (0x0001)	false
Apr 17, 2024 23:27:40.010678053 CEST	1.1.1.1	192.168.2.5	0x329e	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 17, 2024 23:27:40.010678053 CEST	1.1.1.1	192.168.2.5	0x329e	No error (0)	fp2e7a.wpc.phicdn.net		192.229.211.108	A (IP address)	IN (0x0001)	false
Apr 17, 2024 23:27:53.466473103 CEST	1.1.1.1	192.168.2.5	0x9a91	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Apr 17, 2024 23:27:53.466473103 CEST	1.1.1.1	192.168.2.5	0x9a91	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Apr 17, 2024 23:28:35.415050030 CEST	1.1.1.1	192.168.2.5	0x7c92	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.50.22	A (IP address)	IN (0x0001)	false
Apr 17, 2024 23:28:35.415050030 CEST	1.1.1.1	192.168.2.5	0x7c92	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.50.34	A (IP address)	IN (0x0001)	false
Apr 17, 2024 23:28:35.415050030 CEST	1.1.1.1	192.168.2.5	0x7c92	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.48.36	A (IP address)	IN (0x0001)	false
Apr 17, 2024 23:28:35.415050030 CEST	1.1.1.1	192.168.2.5	0x7c92	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.63.35	A (IP address)	IN (0x0001)	false
Apr 17, 2024 23:28:35.415050030 CEST	1.1.1.1	192.168.2.5	0x7c92	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.53.35	A (IP address)	IN (0x0001)	false
Apr 17, 2024 23:28:35.415050030 CEST	1.1.1.1	192.168.2.5	0x7c92	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.48.34	A (IP address)	IN (0x0001)	false
Apr 17, 2024 23:28:35.415050030 CEST	1.1.1.1	192.168.2.5	0x7c92	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.50.35	A (IP address)	IN (0x0001)	false
Apr 17, 2024 23:28:35.415050030 CEST	1.1.1.1	192.168.2.5	0x7c92	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.51.23	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

fs.microsoft.com

https:

www.bing.com

134.122.122.216

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49711	134.122.122.216	80	1812	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 23:27:25.045367956 CEST	430	OUT	GET / HTTP/1.1 Host: 134.122.122.216 Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9
Apr 17, 2024 23:27:25.167692900 CEST	462	IN	HTTP/1.1 404 Not Found access-control-allow-origin: * cache-control: max-age=0, no-cache, must-revalidate, proxy-revalidate access-control-allow-credentials: true access-control-allow-headers: Origin, X-Requested-With, Content-Type, Accept, Authorization, Content-Range, Cache-Control content-type: application/json; charset=utf-8 content-length: 43 date: Wed, 17 Apr 2024 21:27:25 GMT keep-alive: timeout=5 Data Raw: 7b 22 73 74 61 74 75 73 43 6f 64 65 22 3a 34 30 34 2c 22 6d 65 73 73 61 67 65 22 3a 22 43 61 6e 6e 6f 74 20 47 45 54 20 2f 22 7d Data Ascii: {"statusCode":404,"message":"Cannot GET /"}
Apr 17, 2024 23:27:25.220172882 CEST	374	OUT	GET /favicon.ico HTTP/1.1 Host: 134.122.122.216 Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Referer: http://134.122.122.216/ Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9
Apr 17, 2024 23:27:25.342922926 CEST	473	IN	HTTP/1.1 404 Not Found access-control-allow-origin: * cache-control: max-age=0, no-cache, must-revalidate, proxy-revalidate access-control-allow-credentials: true access-control-allow-headers: Origin, X-Requested-With, Content-Type, Accept, Authorization, Content-Range, Cache-Control content-type: application/json; charset=utf-8 content-length: 54 date: Wed, 17 Apr 2024 21:27:25 GMT keep-alive: timeout=5 Data Raw: 7b 22 73 74 61 74 75 73 43 6f 64 65 22 3a 34 30 34 2c 22 6d 65 73 73 61 67 65 22 3a 22 43 61 6e 6e 6f 74 20 47 45 54 20 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 7d Data Ascii: {"statusCode":404,"message":"Cannot GET /favicon.ico"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49710	134.122.122.216	80	1812	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 23:27:55.172480106 CEST	233	IN	HTTP/1.1 408 Request Time-out Content-length: 110 Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 38 20 52 65 71 75 65 73 74 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 0a 59 6f 75 72 20 62 72 6f 77 73 65 72 20 64 69 64 6e 27 74 20 73 65 6e 64 20 61 20 63 6f 6d 70 6c 65 74 65 20 72 65 71 75 65 73 74 20 69 6e 20 74 69 6d 65 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>408 Request Time-out</h1>Your browser didn't send a complete request in time.</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49715	23.63.206.91	443

Timestamp	Bytes transferred	Direction	Data
2024-04-17 21:27:28 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-04-17 21:27:28 UTC	467	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (chd/079C) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-eus2-z1 Cache-Control: public, max-age=34570 Date: Wed, 17 Apr 2024 21:27:28 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49716	23.63.206.91	443

Timestamp	Bytes transferred	Direction	Data
2024-04-17 21:27:29 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-04-17 21:27:29 UTC	530	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Tue, 16 May 2017 22:58:00 GMT ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json X-Azure-Ref: 0rcGnYgAAAAANOnx9vccHTr21ROgX9ESTU0pDRURHRTAzMDkAY2VmYzI1ODMtYTliMi00NGE3LTk3NTUtYjc2ZDE3ZTA1Zjdm Cache-Control: public, max-age=34579 Date: Wed, 17 Apr 2024 21:27:29 GMT Content-Length: 55 Connection: close X-CID: 2
2024-04-17 21:27:29 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port
2	192.168.2.5	49720	23.1.237.91	443

Timestamp	Bytes transferred	Direction	Data
2024-04-17 21:27:40 UTC	2148	OUT	POST /threshold/xls.aspx HTTP/1.1 Origin: https://www.bing.com Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init Accept: / Accept-Language: en-CH Content-type: text/xml X-Agent-DeviceId: 01000A410900D492 X-BM-CBT: 1696428841 X-BM-DateFormat: dd/MM/yyyy X-BM-DeviceDimensions: 784x984 X-BM-DeviceDimensionsLogical: 784x984 X-BM-DeviceScale: 100 X-BM-DTZ: 120 X-BM-Market: CH X-BM-Theme: 000000;0078d7 X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66E X-Device-ClientSession: DB0AFB19004F47BC80E5208C7478FF22 X-Device-isOptin: false X-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A} X-Device-OSSKU: 48 X-Device-Touch: false X-DeviceID: 01000A410900D492 X-MSEdge-ExternalExp: d-thshld39,d-thshld42,d-thshld77,d-thshld78,staticsh X-MSEdge-ExternalExpType: JointCoord X-PositionerType: Desktop X-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI X-Search-CortanaAvailableCapabilities: None X-Search-SafeSearch: Moderate X-Search-TimeZone: Bias=-60; DaylightBias=-60; TimeZoneKeyName=W. Europe Standard Time X-UserAgeClass: Unknown Accept-Encoding: gzip, deflate, br User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045 Host: www.bing.com Content-Length: 2484 Connection: Keep-Alive Cache-Control: no-cache Cookie: MUID=2F4E96DB8B7049E59AD4484C3C00F7CF; _SS=SID=1A6DEABB468B65843EB5F91B47916435&CPID=1713389228983&AC=1&CPH=d1a4eb75; _EDGE_S=SID=1A6DEABB468B65843EB5F91B47916435; SRCHUID=V=2&GUID=3D32B8AC657C4AD781A584E283227995&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20231004; SRCHHPGUSR=SRCHLANG=en&IPMH=986d886c&IPMID=1696428841029&HV=1696428756; CortanaAppUID=5A290E2CC4B523E2D8B5E2E3E4CB7CB7; MUIDB=2F4E96DB8B7049E59AD4484C3C00F7CF
2024-04-17 21:27:40 UTC	1	OUT	Data Raw: 3c Data Ascii: <
2024-04-17 21:27:40 UTC	2483	OUT	Data Raw: 43 6c 69 65 6e 74 49 6e 73 74 52 65 71 75 65 73 74 3e 3c 43 49 44 3e 33 36 34 34 46 44 37 34 44 46 31 36 36 31 38 46 30 38 46 37 45 43 30 33 44 45 35 35 36 30 30 31 3c 2f 43 49 44 3e 3c 45 76 65 6e 74 73 3e 3c 45 3e 3c 54 3e 45 76 65 6e 74 2e 43 6c 69 65 6e 74 49 6e 73 74 3c 2f 54 3e 3c 49 47 3e 37 35 32 32 38 31 35 36 37 30 33 41 34 30 44 35 42 39 37 45 35 41 36 38 33 36 46 32 41 31 43 45 3c 2f 49 47 3e 3c 44 3e 3c 21 5b 43 44 41 54 41 5b 7b 22 43 75 72 55 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 69 6e 67 2e 63 6f 6d 2f 41 53 2f 41 50 49 2f 57 69 6e 64 6f 77 73 43 6f 72 74 61 6e 61 50 61 6e 65 2f 56 32 2f 49 6e 69 74 22 2c 22 50 69 76 6f 74 22 3a 22 51 46 22 2c 22 54 22 3a 22 43 49 2e 42 6f 78 4d 6f 64 65 6c 22 2c 22 46 49 44 22 3a 22 43 49 Data Ascii: ClientInstRequest><CID>3644FD74DF16618F08F7EC03DE556001</CID><Events><E><T>Event.ClientInst</T><IG>75228156703A40D5B97E5A6836F2A1CE</IG><D><![CDATA[{"CurUrl":"https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init","Pivot":"QF","T":"CI.BoxModel","FID":"CI
2024-04-17 21:27:41 UTC	479	IN	HTTP/1.1 204 No Content Access-Control-Allow-Origin: * Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version X-MSEdge-Ref: Ref A: 8657B5B51E124A768749FBB76843FC3D Ref B: LAX311000110007 Ref C: 2024-04-17T21:27:40Z Date: Wed, 17 Apr 2024 21:27:41 GMT Connection: close Alt-Svc: h3=":443"; ma=93600 X-CDN-TraceID: 0.57ed0117.1713389260.75fc24f

Target ID:	0
Start time:	23:27:18
Start date:	17/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	23:27:21
Start date:	17/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 --field-trial-handle=2292,i,5411637513741760213,8331042975642358200,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	23:27:24
Start date:	17/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "http://134.122.122.216"
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report http://134.122.122.216

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Phishing

Compliance

Networking

System Summary

Boot Survival

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Chrome Cache Entry: 57

Chrome Cache Entry: 58

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: chrome.exePID: 3228, Parent PID: 1012

General

Chronological Activities

Analysis Process: chrome.exePID: 1812, Parent PID: 3228

General

Chronological Activities

Windows Analysis Report
http://134.122.122.216