Edit tour

Windows Analysis Report
product1122.html

Overview

General Information

Sample name:	product1122.html
Analysis ID:	1427942
MD5:	61728329516b48e684e53bf8c05c213d
SHA1:	5b1b9ef4cb22cae4e6ed7b8078049230e656796c
SHA256:	15dc91b3d82d1cdfc355e3e43d6cb4bb163d9cb4aa7cbfb0eb6eb081d56fdc63
Tags:	html
Infos:

Detection

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Detected javascript redirector / loader

Suspicious Javascript code found in HTML file

Drops PE files

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Uses insecure TLS / SSL version for HTTPS connection

Classification

Process Tree

System is w10x64

chrome.exe (PID: 6932 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "C:\Users\user\Desktop\product1122.html" MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 6524 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 --field-trial-handle=2200,i,12531877602374010323,3505977888523723621,262144 /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 2924 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5072 --field-trial-handle=2200,i,12531877602374010323,3505977888523723621,262144 /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\Downloads\c46b6438-bd12-465d-b351-51dc91ef4986.tmp	Avira: detection malicious, Label: HEUR/AGEN.1308740
Source: C:\Users\user\Downloads\d384f462-4692-49be-a501-11ea5575a036.tmp	Avira: detection malicious, Label: HEUR/AGEN.1308740

Multi AV Scanner detection for dropped file

Source: C:\Users\user\Downloads\Unconfirmed 163765.crdownload (copy)	ReversingLabs: Detection: 34%
Source: C:\Users\user\Downloads\Unconfirmed 163765.crdownload (copy)	Virustotal: Detection: 40%	Perma Link
Source: C:\Users\user\Downloads\Unconfirmed 462822.crdownload (copy)	ReversingLabs: Detection: 34%
Source: C:\Users\user\Downloads\Unconfirmed 462822.crdownload (copy)	Virustotal: Detection: 40%	Perma Link
Source: C:\Users\user\Downloads\c46b6438-bd12-465d-b351-51dc91ef4986.tmp	ReversingLabs: Detection: 34%
Source: C:\Users\user\Downloads\c46b6438-bd12-465d-b351-51dc91ef4986.tmp	Virustotal: Detection: 40%	Perma Link
Source: C:\Users\user\Downloads\d384f462-4692-49be-a501-11ea5575a036.tmp	ReversingLabs: Detection: 34%
Source: C:\Users\user\Downloads\d384f462-4692-49be-a501-11ea5575a036.tmp	Virustotal: Detection: 40%	Perma Link

Multi AV Scanner detection for submitted file

Source: product1122.html	ReversingLabs: Detection: 18%
Source: product1122.html	Virustotal: Detection: 14%			Perma Link

Phishing

Detected javascript redirector / loader

Source: product1122.html

HTTP Parser: Low number of body elements: 0

Suspicious Javascript code found in HTML file

Source: product1122.html

HTTP Parser: new blob(

Source: product1122.html	HTTP Parser: No favicon
Source: file:///C:/Users/user/Desktop/product1122.html	HTTP Parser: No favicon

Source: unknown

HTTPS traffic detected: 173.222.162.64:443 -> 192.168.2.6:49735 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 52.159.127.243:443 -> 192.168.2.6:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.216.73.151:443 -> 192.168.2.6:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.216.73.151:443 -> 192.168.2.6:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.159.127.243:443 -> 192.168.2.6:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.6:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.159.127.243:443 -> 192.168.2.6:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.126.29.9:443 -> 192.168.2.6:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.200:443 -> 192.168.2.6:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.25.241.18:443 -> 192.168.2.6:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.6:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.25.241.18:443 -> 192.168.2.6:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.25.241.18:443 -> 192.168.2.6:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.25.241.18:443 -> 192.168.2.6:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.25.241.18:443 -> 192.168.2.6:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.25.241.18:443 -> 192.168.2.6:49750 version: TLS 1.2

Source: Joe Sandbox View

IP Address: 239.255.255.250 239.255.255.250

Source: Joe Sandbox View	JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View	JA3 fingerprint: 6271f898ce5be7dd52b0fc260d0662b3
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

HTTPS traffic detected: 173.222.162.64:443 -> 192.168.2.6:49735 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 52.159.127.243
Source: unknown	TCP traffic detected without corresponding DNS query: 52.159.127.243
Source: unknown	TCP traffic detected without corresponding DNS query: 52.159.127.243
Source: unknown	TCP traffic detected without corresponding DNS query: 52.159.127.243
Source: unknown	TCP traffic detected without corresponding DNS query: 52.159.127.243
Source: unknown	TCP traffic detected without corresponding DNS query: 52.159.127.243
Source: unknown	TCP traffic detected without corresponding DNS query: 52.159.127.243
Source: unknown	TCP traffic detected without corresponding DNS query: 52.159.127.243
Source: unknown	TCP traffic detected without corresponding DNS query: 23.216.73.151
Source: unknown	TCP traffic detected without corresponding DNS query: 23.216.73.151
Source: unknown	TCP traffic detected without corresponding DNS query: 23.216.73.151
Source: unknown	TCP traffic detected without corresponding DNS query: 52.159.127.243
Source: unknown	TCP traffic detected without corresponding DNS query: 52.159.127.243
Source: unknown	TCP traffic detected without corresponding DNS query: 52.159.127.243
Source: unknown	TCP traffic detected without corresponding DNS query: 23.216.73.151
Source: unknown	TCP traffic detected without corresponding DNS query: 23.216.73.151
Source: unknown	TCP traffic detected without corresponding DNS query: 23.216.73.151
Source: unknown	TCP traffic detected without corresponding DNS query: 23.216.73.151
Source: unknown	TCP traffic detected without corresponding DNS query: 23.216.73.151
Source: unknown	TCP traffic detected without corresponding DNS query: 23.216.73.151
Source: unknown	TCP traffic detected without corresponding DNS query: 23.216.73.151
Source: unknown	TCP traffic detected without corresponding DNS query: 23.216.73.151
Source: unknown	TCP traffic detected without corresponding DNS query: 23.216.73.151
Source: unknown	TCP traffic detected without corresponding DNS query: 23.216.73.151
Source: unknown	TCP traffic detected without corresponding DNS query: 23.216.73.151
Source: unknown	TCP traffic detected without corresponding DNS query: 23.216.73.151
Source: unknown	TCP traffic detected without corresponding DNS query: 23.216.73.151
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 23.216.73.151
Source: unknown	TCP traffic detected without corresponding DNS query: 23.216.73.151
Source: unknown	TCP traffic detected without corresponding DNS query: 23.216.73.151
Source: unknown	TCP traffic detected without corresponding DNS query: 52.159.127.243
Source: unknown	TCP traffic detected without corresponding DNS query: 52.159.127.243
Source: unknown	TCP traffic detected without corresponding DNS query: 52.159.127.243
Source: unknown	TCP traffic detected without corresponding DNS query: 52.159.127.243
Source: unknown	TCP traffic detected without corresponding DNS query: 52.159.127.243
Source: unknown	TCP traffic detected without corresponding DNS query: 52.159.127.243
Source: unknown	TCP traffic detected without corresponding DNS query: 52.159.127.243
Source: unknown	TCP traffic detected without corresponding DNS query: 52.159.127.243
Source: unknown	TCP traffic detected without corresponding DNS query: 52.159.127.243
Source: unknown	TCP traffic detected without corresponding DNS query: 52.159.127.243
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103

Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=8ZygSYb+E9LZ41W&MD=MbLbDFfe HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /client/config?cc=CH&setlang=en-CH HTTP/1.1X-Search-CortanaAvailableCapabilities: NoneX-Search-SafeSearch: ModerateAccept-Encoding: gzip, deflateX-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A}X-UserAgeClass: UnknownX-BM-Market: CHX-BM-DateFormat: dd/MM/yyyyX-Device-OSSKU: 48X-BM-DTZ: 120X-DeviceID: 01000A410900C4F3X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66EX-Search-TimeZone: Bias=-60; DaylightBias=-60; TimeZoneKeyName=W. Europe Standard TimeX-BM-Theme: 000000;0078d7X-Search-RPSToken: t%3DEwDYAkR8BAAUcvamItSE/vUHpyZRp3BeyOJPQDsAATwdX/XGkOieJ3azlI5pjHSWR29bpBxciZCgYKIaVI6SOAus4HXTolF%2BUwDpdd/QKtfDCPU15YDGM2POeP2tCNtfBMGqTxWDBKxzQ9mCOEpHF37s0zz0wxFWwutY%2BU3A989FiwPfmoWnXchUzX4HazcgPWknHYXH6CUoTOMZ86yJ9pQcd07yqZVVwT%2Bpc3olUhDEmTMB%2BHWWuYT7hTOBkpt4EsWGmBIPSFHU07omOf%2BAAXM0ejIjGFS9B3gWRMbqaVk7BpUwEbSmaPcEBonIZ6extyZBqS5zPsm8HyiJ/nKfF%2BjBagkQDz3VIGz0Fu78F6CcENujCJuietvZiWrw808DZgAACHfBmPj%2B2SE2qAFAQPOHqSwXSo4D2tU1iFuMTj/J5w5wGGsnFNnYeUQD7YopsLZejSF7phmGb3xs3K6oqxMO8xPaCVKcgzLlMCmeYkScxwu7Mf6IKPOgIuBIhwyGjw5%2B9l9OXYRKJaR4P410JAYYr8ASNpeGhpbnGWGi4clP%2B4Wp8zuvUWvMY0ovxFHqeJ1x%2Bcm2Y3H5kxeYqEnxpSRoioZD5WudE2SWRbpFTUgtj%2Btisf2UDUNFeQcqYH5N/TmIDlcN%2BMm9cH2HyWYj9TNSvbOd7upIlNsZAfx8pvB4R3TauTSH/W5jhVus%2BUMUGjEjnfSkn5QlpkZOS17K614dpIYxvMMah3zzikDmbrljKwyCoFZ5d6J8UrHJAXz/UIzn/aZsH8ZCfM0PLR4bVZr8l%2BJQ9WztMdvAgd%2BYvmWae0BRojEf1KVm8XxutA0CSTrvKkXllkWPwbWDWiwu0iKIU0B4Dq9Kt2zg5N/Wn%2BqvJ3ci5WKpuICMzCKiZpzF09FBZzb/iMDLB0m/miE9jWSB6KPEDxDSVV8emhXssvgiuS83Xu1CkJIvvyR6ZTuAbgW7EOwY2AE%3D%26p%3DX-Agent-DeviceId: 01000A410900C4F3X-BM-CBT: 1713431843User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045X-Device-isOptin: falseAccept-language: en-GB, en, en-USX-Device-Touch: falseX-Device-ClientSession: 4707AE76704648C1BD97EEC7199EEC7FX-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUIHost: www.bing.comConnection: Keep-AliveCookie: SRCHUID=V=2&GUID=CE2BE0509FF742BD822F50D98AD10391&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20231005; SRCHHPGUSR=SRCHLANG=en&HV=1696488191&IPMH=5767d621&IPMID=1696488252989&LUT=1696487541024; CortanaAppUID=2020E25DAB158E420BA06F1C8DEF7959; MUID=81C61E09498D41CC97CDBBA354824ED1; MUIDB=81C61E09498D41CC97CDBBA354824ED1
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=8ZygSYb+E9LZ41W&MD=MbLbDFfe HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Source: unknown

DNS traffic detected: queries for: www.google.com

Source: unknown

HTTP traffic detected: POST /RST2.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 4788Host: login.live.com

Source: c46b6438-bd12-465d-b351-51dc91ef4986.tmp.0.dr, d384f462-4692-49be-a501-11ea5575a036.tmp.0.dr	String found in binary or memory: http://weather.yahooapis.com/forecastrss?w=4118
Source: c46b6438-bd12-465d-b351-51dc91ef4986.tmp.0.dr, d384f462-4692-49be-a501-11ea5575a036.tmp.0.dr	String found in binary or memory: http://www.ctvnews.ca/rss/business/ctv-news-business-headlines-1.867648
Source: c46b6438-bd12-465d-b351-51dc91ef4986.tmp.0.dr, d384f462-4692-49be-a501-11ea5575a036.tmp.0.dr	String found in binary or memory: http://www.ctvnews.ca/rss/ctvnews-ca-top-stories-public-rss-1.822009
Source: c46b6438-bd12-465d-b351-51dc91ef4986.tmp.0.dr, d384f462-4692-49be-a501-11ea5575a036.tmp.0.dr	String found in binary or memory: http://xml.weather.yahoo.com/ns/rss/1.0

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 52.159.127.243:443 -> 192.168.2.6:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.216.73.151:443 -> 192.168.2.6:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.216.73.151:443 -> 192.168.2.6:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.159.127.243:443 -> 192.168.2.6:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.6:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.159.127.243:443 -> 192.168.2.6:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.126.29.9:443 -> 192.168.2.6:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.200:443 -> 192.168.2.6:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.25.241.18:443 -> 192.168.2.6:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.6:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.25.241.18:443 -> 192.168.2.6:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.25.241.18:443 -> 192.168.2.6:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.25.241.18:443 -> 192.168.2.6:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.25.241.18:443 -> 192.168.2.6:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.25.241.18:443 -> 192.168.2.6:49750 version: TLS 1.2

Source: c46b6438-bd12-465d-b351-51dc91ef4986.tmp.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: d384f462-4692-49be-a501-11ea5575a036.tmp.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal72.phis.winHTML@34/4@2/5

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\Downloads\c46b6438-bd12-465d-b351-51dc91ef4986.tmp

Jump to behavior

Source: product1122.html	ReversingLabs: Detection: 18%
Source: product1122.html	Virustotal: Detection: 14%

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "C:\Users\user\Desktop\product1122.html"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 --field-trial-handle=2200,i,12531877602374010323,3505977888523723621,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5072 --field-trial-handle=2200,i,12531877602374010323,3505977888523723621,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 --field-trial-handle=2200,i,12531877602374010323,3505977888523723621,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5072 --field-trial-handle=2200,i,12531877602374010323,3505977888523723621,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: c46b6438-bd12-465d-b351-51dc91ef4986.tmp.0.dr	Static PE information: section name: .text entropy: 7.934603388933473
Source: d384f462-4692-49be-a501-11ea5575a036.tmp.0.dr	Static PE information: section name: .text entropy: 7.934603388933473

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\Downloads\c46b6438-bd12-465d-b351-51dc91ef4986.tmp	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\Downloads\Unconfirmed 163765.crdownload (copy)	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\Downloads\d384f462-4692-49be-a501-11ea5575a036.tmp	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\Downloads\Unconfirmed 462822.crdownload (copy)	Jump to dropped file

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	2 Software Packing	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	3 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
product1122.html	18%	ReversingLabs	ByteCode-MSIL.Trojan.Barys
product1122.html	14%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\Downloads\c46b6438-bd12-465d-b351-51dc91ef4986.tmp	100%	Avira	HEUR/AGEN.1308740
C:\Users\user\Downloads\d384f462-4692-49be-a501-11ea5575a036.tmp	100%	Avira	HEUR/AGEN.1308740
C:\Users\user\Downloads\c46b6438-bd12-465d-b351-51dc91ef4986.tmp	100%	Joe Sandbox ML
C:\Users\user\Downloads\d384f462-4692-49be-a501-11ea5575a036.tmp	100%	Joe Sandbox ML
C:\Users\user\Downloads\Unconfirmed 163765.crdownload (copy)	34%	ReversingLabs	ByteCode-MSIL.Trojan.Barys
C:\Users\user\Downloads\Unconfirmed 163765.crdownload (copy)	40%	Virustotal		Browse
C:\Users\user\Downloads\Unconfirmed 462822.crdownload (copy)	34%	ReversingLabs	ByteCode-MSIL.Trojan.Barys
C:\Users\user\Downloads\Unconfirmed 462822.crdownload (copy)	40%	Virustotal		Browse
C:\Users\user\Downloads\c46b6438-bd12-465d-b351-51dc91ef4986.tmp	34%	ReversingLabs	ByteCode-MSIL.Trojan.Barys
C:\Users\user\Downloads\c46b6438-bd12-465d-b351-51dc91ef4986.tmp	40%	Virustotal		Browse
C:\Users\user\Downloads\d384f462-4692-49be-a501-11ea5575a036.tmp	34%	ReversingLabs	ByteCode-MSIL.Trojan.Barys
C:\Users\user\Downloads\d384f462-4692-49be-a501-11ea5575a036.tmp	40%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.google.com	64.233.176.99	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
file:///C:/Users/user/Desktop/product1122.html	false		low

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://www.ctvnews.ca/rss/business/ctv-news-business-headlines-1.867648	c46b6438-bd12-465d-b351-51dc91ef4986.tmp.0.dr, d384f462-4692-49be-a501-11ea5575a036.tmp.0.dr	false	high
http://www.ctvnews.ca/rss/ctvnews-ca-top-stories-public-rss-1.822009	c46b6438-bd12-465d-b351-51dc91ef4986.tmp.0.dr, d384f462-4692-49be-a501-11ea5575a036.tmp.0.dr	false	high
http://xml.weather.yahoo.com/ns/rss/1.0	c46b6438-bd12-465d-b351-51dc91ef4986.tmp.0.dr, d384f462-4692-49be-a501-11ea5575a036.tmp.0.dr	false	high
http://weather.yahooapis.com/forecastrss?w=4118	c46b6438-bd12-465d-b351-51dc91ef4986.tmp.0.dr, d384f462-4692-49be-a501-11ea5575a036.tmp.0.dr	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
239.255.255.250	unknown	Reserved		unknown	unknown	false
64.233.176.99	www.google.com	United States		15169	GOOGLEUS	false

Private

IP
192.168.2.16
192.168.2.4
192.168.2.6

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1427942
Start date and time:	2024-04-18 11:16:11 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowshtmlcookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	product1122.html
Detection:	MAL
Classification:	mal72.phis.winHTML@34/4@2/5
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .html

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.105.94, 64.233.176.101, 64.233.176.138, 64.233.176.102, 64.233.176.100, 64.233.176.139, 64.233.176.113, 142.250.105.84, 34.104.35.123, 142.250.9.95, 64.233.176.95, 108.177.122.95, 142.250.105.95, 64.233.185.95, 173.194.219.95, 64.233.177.95, 142.251.15.95, 74.125.136.95, 172.253.124.95, 74.125.138.95, 172.217.215.95, 192.229.211.108, 23.40.205.26, 199.232.214.172, 142.250.9.101, 142.250.9.113, 142.250.9.138, 142.250.9.139, 142.250.9.102, 142.250.9.100
Excluded domains from analysis (whitelisted): www.bing.com, clients1.google.com, client.wns.windows.com, fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, clientservices.googleapis.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, update.googleapis.com, clients.l.google.com, optimizationguide-pa.googleapis.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
239.255.255.250	https://www.hegemann-reiners.de/	Get hash	malicious	Unknown	Browse
	http://gamma.app/docs/Adobe-1098-uanmwmhgl6i90tc?mode=doc	Get hash	malicious	Unknown	Browse
	http://185.91.69.110	Get hash	malicious	Unknown	Browse
	https://ortelia.com/Downloads/Curator/CuratorSetup.exe	Get hash	malicious	Havoc	Browse
	https://app.esign.docusign.com/e/er?utm_campaign=GBL_XX_DBU_NEW_2307_FreetoTrialUnlock_Email1AU&utm_medium=email&utm_source=Eloqua&elqCampaignId=29542&s=566810826&lid=32871&elqTrackId=1034fb987fd44c9a9a4d0833ff06a55d&elq=89d72859fe264966a0176d4309dbb1a6&elqaid=60251&elqat=1	Get hash	malicious	Unknown	Browse
	https://ortelia.com/download-ortelia-curator/	Get hash	malicious	Havoc	Browse
	https://site24x7.com	Get hash	malicious	Unknown	Browse
	http://bind.bestresulttostart.com	Get hash	malicious	Unknown	Browse
	https://ortelia.com/download-ortelia-curator/	Get hash	malicious	Havoc	Browse
	http://ranchpools.com	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
1138de370e523e824bbca92d049a3777	http://185.91.69.110	Get hash	malicious	Unknown	Browse	173.222.162.64
	https://45.128.232.135	Get hash	malicious	Unknown	Browse	173.222.162.64
	https://windowdefalerts-error0x21903-alert-virus-detected.pages.dev/	Get hash	malicious	TechSupportScam	Browse	173.222.162.64
	https://groun-93ed.ehajdranrsuw.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	173.222.162.64
	https://i18usgwgwrtjcshghwg.z13.web.core.windows.net/Win08ShDMeEr0887/index.html?phone=%201-844-324-0016	Get hash	malicious	TechSupportScam	Browse	173.222.162.64
	https://wumanchi.s3.eu-north-1.amazonaws.com/control_dbanty.html?page=_popup&pcnt=3	Get hash	malicious	HTMLPhisher	Browse	173.222.162.64
	https://smincorporation.com/kr.html#sangdon.yeom@hyundaimovex.com	Get hash	malicious	Unknown	Browse	173.222.162.64
	http://www.orioncarbons.com/	Get hash	malicious	Unknown	Browse	173.222.162.64
	https://gem.godaddy.com/signups/activate/MS0tY1AvemVtNUJYZW1aRkZhVXV5em1LMGovQVFvanpXTEJkVTNMTmpjSEVzUGpjYU1MSEJvUk9zQ1hjNjUvSG0wYURPNmF0a0N4TWVpWTFLdFJacGZvLS1RLzlVbk90eVpkZEYzNE42LS1pcmlqMm9EaTRpY0xmR2h4RzF3QVVBPT0?signup=11093294	Get hash	malicious	Unknown	Browse	173.222.162.64
	ZG17uv37pi.exe	Get hash	malicious	Unknown	Browse	173.222.162.64
28a2c9bd18a11de089ef85a160da29e4	http://gamma.app/docs/Adobe-1098-uanmwmhgl6i90tc?mode=doc	Get hash	malicious	Unknown	Browse	40.126.29.9 40.127.169.103 23.216.73.151
	https://app.esign.docusign.com/e/er?utm_campaign=GBL_XX_DBU_NEW_2307_FreetoTrialUnlock_Email1AU&utm_medium=email&utm_source=Eloqua&elqCampaignId=29542&s=566810826&lid=32871&elqTrackId=1034fb987fd44c9a9a4d0833ff06a55d&elq=89d72859fe264966a0176d4309dbb1a6&elqaid=60251&elqat=1	Get hash	malicious	Unknown	Browse	40.126.29.9 40.127.169.103 23.216.73.151
	https://site24x7.com	Get hash	malicious	Unknown	Browse	40.126.29.9 40.127.169.103 23.216.73.151
	http://bind.bestresulttostart.com	Get hash	malicious	Unknown	Browse	40.126.29.9 40.127.169.103 23.216.73.151
	http://ranchpools.com	Get hash	malicious	Unknown	Browse	40.126.29.9 40.127.169.103 23.216.73.151
	http://t.cm.morganstanley.com/r/?id=h1b92d14%2C134cc33c%2C1356be32&p1=www.saiengroup.com%2Fteaz%2F648c482b60b3906833c9304bab170add%2FJBVNhz%2FYW15LmNoZW5AZG91YmxlbGluZS5jb20=	Get hash	malicious	HTMLPhisher	Browse	40.126.29.9 40.127.169.103 23.216.73.151
	https://windowdefalerts-error0x21906-alert-virus-detected.pages.dev/	Get hash	malicious	TechSupportScam	Browse	40.126.29.9 40.127.169.103 23.216.73.151
	https://windowdefalerts-error0x21903-alert-virus-detected.pages.dev/	Get hash	malicious	TechSupportScam	Browse	40.126.29.9 40.127.169.103 23.216.73.151
	https://windowdefalerts-error0x21905-alert-virus-detected.pages.dev/	Get hash	malicious	TechSupportScam	Browse	40.126.29.9 40.127.169.103 23.216.73.151
	https://windowdefalerts-error0x21908-alert-virus-detected.pages.dev/	Get hash	malicious	TechSupportScam	Browse	40.126.29.9 40.127.169.103 23.216.73.151
6271f898ce5be7dd52b0fc260d0662b3	https://tracker.club-os.com/campaign/click?msgId=f8ea317d963149a518aa35e03e5541f797badf3c&target=splendidanimations.com%2F%40%2FQuantexa/IpoXF42991IpoXF42991IpoXF/bWFzc2ltb2JvcnJlbGxpQHF1YW50ZXhhLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	204.79.197.200
	https://www.canva.com/design/DAGClbxS4CM/0aRj8j8Ev9jwS9CNHsAlbw/view?utm_content=DAGClbxS4CM&utm_campaign=designshare&utm_medium=link&utm_source=editor	Get hash	malicious	Unknown	Browse	204.79.197.200
	https://www.tvlicensing.co.uk/cs/renew-your-tv-licence/index.app?utm_source=email&utm_medium=email&utm_campaign=cfl_renewals_2wprior&utm_id=REE101&utm_content=renew_button_one&string=HEgS7RMg8c6T_6AL4wHzifwYNH5vmHTRvf-FKwI9UrU	Get hash	malicious	Unknown	Browse	204.79.197.200
	PDFixers.zip	Get hash	malicious	Unknown	Browse	204.79.197.200
	https://tracker.club-os.com/campaign/click?msgId=f8ea317d963149a518aa35e03e5541f797badf3c&target=splendidanimations.com%2F%40%2FBeantech/dPFlf78424dPFlf78424dPFlf/ZmFiaWFuby5iZW5lZGV0dGlAYmVhbnRlY2guaXQ=	Get hash	malicious	Unknown	Browse	204.79.197.200
	Dot_ Microsoft Password Expired Wednesday, January 24, 2024.eml	Get hash	malicious	Unknown	Browse	204.79.197.200
	Dot Password Expired Wednesday January 24 2024 !!.msg	Get hash	malicious	Unknown	Browse	204.79.197.200
	Open Benefits Enrollment.eml	Get hash	malicious	Unknown	Browse	204.79.197.200
	OriginatingEmail (55).eml	Get hash	malicious	HTMLPhisher	Browse	204.79.197.200
	https://ct.turing.bz	Get hash	malicious	Unknown	Browse	204.79.197.200
3b5074b1b5d032e5620f69f9f700ff0e	DHL-9384915702.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	52.159.127.243 20.25.241.18
	FACTURA24021151 - BP.vbs	Get hash	malicious	Unknown	Browse	52.159.127.243 20.25.241.18
	Outstanding Payment Invoice PO 3400375980.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	52.159.127.243 20.25.241.18
	Arrival Notice PUS_pdf.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	52.159.127.243 20.25.241.18
	Transferencias SEPA.vbs	Get hash	malicious	Unknown	Browse	52.159.127.243 20.25.241.18
	shipping doc.vbs	Get hash	malicious	GuLoader	Browse	52.159.127.243 20.25.241.18
	FACTURA 130424435.vbs	Get hash	malicious	Unknown	Browse	52.159.127.243 20.25.241.18
	justificant de transfer#U00e8ncia.vbs	Get hash	malicious	Unknown	Browse	52.159.127.243 20.25.241.18
	Justificante de pago.vbs	Get hash	malicious	Unknown	Browse	52.159.127.243 20.25.241.18
	Purchase Order PDF.exe	Get hash	malicious	AgentTesla	Browse	52.159.127.243 20.25.241.18

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\Downloads\Unconfirmed 163765.crdownload (copy)

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	774144
Entropy (8bit):	7.889102009770903
Encrypted:	false
SSDEEP:	12288:hCK/pbMrRwwAFua+bT/gUDSXN057FQdMvMOKI4uko5QLaBKJAWnGtMm8WxTlEA3J:hCiMrgeX5S+5xeMp4xoQaWAWGtMm8WxP
MD5:	3B35EB02919CC28D6FAEA03C96519504
SHA1:	66588CD5D127E83379DE633E178B288FE3FAD794
SHA-256:	8F44B390BA295E14B6A18221D7D74ACBC1AD2B4440DB3380364E9B7964F43670
SHA-512:	91A2B15B24C30F09C1860FFB31073E4027BB2F970AE7A4A3674A3E99A49194928D6774FC5D963661DBB33A012E95DD51A88A9BE64D6B6F07380339388015B6A0
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 34% Antivirus: Virustotal, Detection: 40%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...y{ f..............0......0........... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc............ ..................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Downloads\Unconfirmed 462822.crdownload (copy)

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	774144
Entropy (8bit):	7.889102009770903
Encrypted:	false
SSDEEP:	12288:hCK/pbMrRwwAFua+bT/gUDSXN057FQdMvMOKI4uko5QLaBKJAWnGtMm8WxTlEA3J:hCiMrgeX5S+5xeMp4xoQaWAWGtMm8WxP
MD5:	3B35EB02919CC28D6FAEA03C96519504
SHA1:	66588CD5D127E83379DE633E178B288FE3FAD794
SHA-256:	8F44B390BA295E14B6A18221D7D74ACBC1AD2B4440DB3380364E9B7964F43670
SHA-512:	91A2B15B24C30F09C1860FFB31073E4027BB2F970AE7A4A3674A3E99A49194928D6774FC5D963661DBB33A012E95DD51A88A9BE64D6B6F07380339388015B6A0
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 34% Antivirus: Virustotal, Detection: 40%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...y{ f..............0......0........... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc............ ..................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Downloads\c46b6438-bd12-465d-b351-51dc91ef4986.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	774144
Entropy (8bit):	7.889102009770903
Encrypted:	false
SSDEEP:	12288:hCK/pbMrRwwAFua+bT/gUDSXN057FQdMvMOKI4uko5QLaBKJAWnGtMm8WxTlEA3J:hCiMrgeX5S+5xeMp4xoQaWAWGtMm8WxP
MD5:	3B35EB02919CC28D6FAEA03C96519504
SHA1:	66588CD5D127E83379DE633E178B288FE3FAD794
SHA-256:	8F44B390BA295E14B6A18221D7D74ACBC1AD2B4440DB3380364E9B7964F43670
SHA-512:	91A2B15B24C30F09C1860FFB31073E4027BB2F970AE7A4A3674A3E99A49194928D6774FC5D963661DBB33A012E95DD51A88A9BE64D6B6F07380339388015B6A0
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 34% Antivirus: Virustotal, Detection: 40%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...y{ f..............0......0........... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc............ ..................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Downloads\d384f462-4692-49be-a501-11ea5575a036.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	774144
Entropy (8bit):	7.889102009770903
Encrypted:	false
SSDEEP:	12288:hCK/pbMrRwwAFua+bT/gUDSXN057FQdMvMOKI4uko5QLaBKJAWnGtMm8WxTlEA3J:hCiMrgeX5S+5xeMp4xoQaWAWGtMm8WxP
MD5:	3B35EB02919CC28D6FAEA03C96519504
SHA1:	66588CD5D127E83379DE633E178B288FE3FAD794
SHA-256:	8F44B390BA295E14B6A18221D7D74ACBC1AD2B4440DB3380364E9B7964F43670
SHA-512:	91A2B15B24C30F09C1860FFB31073E4027BB2F970AE7A4A3674A3E99A49194928D6774FC5D963661DBB33A012E95DD51A88A9BE64D6B6F07380339388015B6A0
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 34% Antivirus: Virustotal, Detection: 40%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...y{ f..............0......0........... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc............ ..................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	HTML document, ASCII text, with very long lines (65311), with CRLF line terminators
Entropy (8bit):	5.95707030525115
TrID:	HyperText Markup Language (15015/1) 30.02% HyperText Markup Language (12001/1) 23.99% HyperText Markup Language (12001/1) 23.99% HyperText Markup Language (11001/1) 21.99%
File name:	product1122.html
File size:	1'034'319 bytes
MD5:	61728329516b48e684e53bf8c05c213d
SHA1:	5b1b9ef4cb22cae4e6ed7b8078049230e656796c
SHA256:	15dc91b3d82d1cdfc355e3e43d6cb4bb163d9cb4aa7cbfb0eb6eb081d56fdc63
SHA512:	f12a17846810bb0ed36d46a181c14a2170c84f880eabcc734130ed735211ec0f6080126c252d7fe1e9c92ec9312a71ae23d29c545d53d2aa4ec669e6b24c51bb
SSDEEP:	24576:+v5KfSjcJKuGkfXQx/dl9p2VPqieAQ7jomNQr1CoD:FfcyXQH2PlyEMQr1P
TLSH:	6025223A2BA3BDC12B3F1B0571961E1E1C747E7F43A9529DA6D00C822464A64DF57CE8
File Content Preview:	<!DOCTYPE html>..<html>..<head>..<meta charset="utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" />..</head>..<body>.. [start] The relevant script will be copied between the "body" tags! -->....<script> var xywrf27y=xywrf27y

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 18, 2024 11:16:57.805932999 CEST	49674	443	192.168.2.6	173.222.162.64
Apr 18, 2024 11:16:57.821569920 CEST	49673	443	192.168.2.6	173.222.162.64
Apr 18, 2024 11:16:58.134097099 CEST	49672	443	192.168.2.6	173.222.162.64
Apr 18, 2024 11:17:07.413800001 CEST	49674	443	192.168.2.6	173.222.162.64
Apr 18, 2024 11:17:07.429296970 CEST	49673	443	192.168.2.6	173.222.162.64
Apr 18, 2024 11:17:07.663182020 CEST	49718	443	192.168.2.6	64.233.176.99
Apr 18, 2024 11:17:07.663244963 CEST	443	49718	64.233.176.99	192.168.2.6
Apr 18, 2024 11:17:07.663324118 CEST	49718	443	192.168.2.6	64.233.176.99
Apr 18, 2024 11:17:07.663614988 CEST	49718	443	192.168.2.6	64.233.176.99
Apr 18, 2024 11:17:07.663635969 CEST	443	49718	64.233.176.99	192.168.2.6
Apr 18, 2024 11:17:07.734664917 CEST	49672	443	192.168.2.6	173.222.162.64
Apr 18, 2024 11:17:07.891273975 CEST	443	49718	64.233.176.99	192.168.2.6
Apr 18, 2024 11:17:07.891509056 CEST	49718	443	192.168.2.6	64.233.176.99
Apr 18, 2024 11:17:07.891545057 CEST	443	49718	64.233.176.99	192.168.2.6
Apr 18, 2024 11:17:07.892790079 CEST	443	49718	64.233.176.99	192.168.2.6
Apr 18, 2024 11:17:07.892868042 CEST	49718	443	192.168.2.6	64.233.176.99
Apr 18, 2024 11:17:07.894184113 CEST	49718	443	192.168.2.6	64.233.176.99
Apr 18, 2024 11:17:07.894259930 CEST	443	49718	64.233.176.99	192.168.2.6
Apr 18, 2024 11:17:07.909164906 CEST	49720	443	192.168.2.6	52.159.127.243
Apr 18, 2024 11:17:07.909219980 CEST	443	49720	52.159.127.243	192.168.2.6
Apr 18, 2024 11:17:07.909311056 CEST	49720	443	192.168.2.6	52.159.127.243
Apr 18, 2024 11:17:07.910267115 CEST	49720	443	192.168.2.6	52.159.127.243
Apr 18, 2024 11:17:07.910300016 CEST	443	49720	52.159.127.243	192.168.2.6
Apr 18, 2024 11:17:07.946024895 CEST	49718	443	192.168.2.6	64.233.176.99
Apr 18, 2024 11:17:07.946059942 CEST	443	49718	64.233.176.99	192.168.2.6
Apr 18, 2024 11:17:07.992887974 CEST	49718	443	192.168.2.6	64.233.176.99
Apr 18, 2024 11:17:08.292943954 CEST	443	49720	52.159.127.243	192.168.2.6
Apr 18, 2024 11:17:08.293026924 CEST	49720	443	192.168.2.6	52.159.127.243
Apr 18, 2024 11:17:08.300165892 CEST	49720	443	192.168.2.6	52.159.127.243
Apr 18, 2024 11:17:08.300177097 CEST	443	49720	52.159.127.243	192.168.2.6
Apr 18, 2024 11:17:08.300499916 CEST	443	49720	52.159.127.243	192.168.2.6
Apr 18, 2024 11:17:08.303241014 CEST	49720	443	192.168.2.6	52.159.127.243
Apr 18, 2024 11:17:08.303798914 CEST	49720	443	192.168.2.6	52.159.127.243
Apr 18, 2024 11:17:08.303803921 CEST	443	49720	52.159.127.243	192.168.2.6
Apr 18, 2024 11:17:08.304027081 CEST	49720	443	192.168.2.6	52.159.127.243
Apr 18, 2024 11:17:08.348109007 CEST	443	49720	52.159.127.243	192.168.2.6
Apr 18, 2024 11:17:08.349445105 CEST	49721	443	192.168.2.6	23.216.73.151
Apr 18, 2024 11:17:08.349489927 CEST	443	49721	23.216.73.151	192.168.2.6
Apr 18, 2024 11:17:08.349590063 CEST	49721	443	192.168.2.6	23.216.73.151
Apr 18, 2024 11:17:08.360129118 CEST	49721	443	192.168.2.6	23.216.73.151
Apr 18, 2024 11:17:08.360142946 CEST	443	49721	23.216.73.151	192.168.2.6
Apr 18, 2024 11:17:08.425631046 CEST	443	49720	52.159.127.243	192.168.2.6
Apr 18, 2024 11:17:08.425884962 CEST	443	49720	52.159.127.243	192.168.2.6
Apr 18, 2024 11:17:08.426023006 CEST	49720	443	192.168.2.6	52.159.127.243
Apr 18, 2024 11:17:08.431099892 CEST	49720	443	192.168.2.6	52.159.127.243
Apr 18, 2024 11:17:08.431154013 CEST	443	49720	52.159.127.243	192.168.2.6
Apr 18, 2024 11:17:08.431186914 CEST	49720	443	192.168.2.6	52.159.127.243
Apr 18, 2024 11:17:08.576301098 CEST	443	49721	23.216.73.151	192.168.2.6
Apr 18, 2024 11:17:08.576406002 CEST	49721	443	192.168.2.6	23.216.73.151
Apr 18, 2024 11:17:08.580266953 CEST	49721	443	192.168.2.6	23.216.73.151
Apr 18, 2024 11:17:08.580279112 CEST	443	49721	23.216.73.151	192.168.2.6
Apr 18, 2024 11:17:08.580517054 CEST	443	49721	23.216.73.151	192.168.2.6
Apr 18, 2024 11:17:08.623284101 CEST	49721	443	192.168.2.6	23.216.73.151
Apr 18, 2024 11:17:08.650825024 CEST	49721	443	192.168.2.6	23.216.73.151
Apr 18, 2024 11:17:08.696135998 CEST	443	49721	23.216.73.151	192.168.2.6
Apr 18, 2024 11:17:08.778047085 CEST	443	49721	23.216.73.151	192.168.2.6
Apr 18, 2024 11:17:08.778220892 CEST	443	49721	23.216.73.151	192.168.2.6
Apr 18, 2024 11:17:08.778500080 CEST	49721	443	192.168.2.6	23.216.73.151
Apr 18, 2024 11:17:08.778598070 CEST	443	49721	23.216.73.151	192.168.2.6
Apr 18, 2024 11:17:08.778640985 CEST	49721	443	192.168.2.6	23.216.73.151
Apr 18, 2024 11:17:08.778640985 CEST	49721	443	192.168.2.6	23.216.73.151
Apr 18, 2024 11:17:08.778664112 CEST	443	49721	23.216.73.151	192.168.2.6
Apr 18, 2024 11:17:08.778687954 CEST	443	49721	23.216.73.151	192.168.2.6
Apr 18, 2024 11:17:08.848417044 CEST	49722	443	192.168.2.6	23.216.73.151
Apr 18, 2024 11:17:08.848445892 CEST	443	49722	23.216.73.151	192.168.2.6
Apr 18, 2024 11:17:08.848562956 CEST	49722	443	192.168.2.6	23.216.73.151
Apr 18, 2024 11:17:08.849319935 CEST	49722	443	192.168.2.6	23.216.73.151
Apr 18, 2024 11:17:08.849332094 CEST	443	49722	23.216.73.151	192.168.2.6
Apr 18, 2024 11:17:09.065438032 CEST	443	49722	23.216.73.151	192.168.2.6
Apr 18, 2024 11:17:09.065543890 CEST	49722	443	192.168.2.6	23.216.73.151
Apr 18, 2024 11:17:09.067918062 CEST	49722	443	192.168.2.6	23.216.73.151
Apr 18, 2024 11:17:09.067934036 CEST	443	49722	23.216.73.151	192.168.2.6
Apr 18, 2024 11:17:09.068191051 CEST	443	49722	23.216.73.151	192.168.2.6
Apr 18, 2024 11:17:09.089907885 CEST	49722	443	192.168.2.6	23.216.73.151
Apr 18, 2024 11:17:09.108134031 CEST	443	49706	173.222.162.64	192.168.2.6
Apr 18, 2024 11:17:09.108242989 CEST	49706	443	192.168.2.6	173.222.162.64
Apr 18, 2024 11:17:09.132134914 CEST	443	49722	23.216.73.151	192.168.2.6
Apr 18, 2024 11:17:09.277250051 CEST	443	49722	23.216.73.151	192.168.2.6
Apr 18, 2024 11:17:09.277420044 CEST	443	49722	23.216.73.151	192.168.2.6
Apr 18, 2024 11:17:09.277507067 CEST	49722	443	192.168.2.6	23.216.73.151
Apr 18, 2024 11:17:09.285253048 CEST	49722	443	192.168.2.6	23.216.73.151
Apr 18, 2024 11:17:09.285254002 CEST	49722	443	192.168.2.6	23.216.73.151
Apr 18, 2024 11:17:09.285316944 CEST	443	49722	23.216.73.151	192.168.2.6
Apr 18, 2024 11:17:09.285351038 CEST	443	49722	23.216.73.151	192.168.2.6
Apr 18, 2024 11:17:14.987158060 CEST	49726	443	192.168.2.6	52.159.127.243
Apr 18, 2024 11:17:14.987202883 CEST	443	49726	52.159.127.243	192.168.2.6
Apr 18, 2024 11:17:14.987267971 CEST	49726	443	192.168.2.6	52.159.127.243
Apr 18, 2024 11:17:14.987839937 CEST	49726	443	192.168.2.6	52.159.127.243
Apr 18, 2024 11:17:14.987855911 CEST	443	49726	52.159.127.243	192.168.2.6
Apr 18, 2024 11:17:15.360783100 CEST	443	49726	52.159.127.243	192.168.2.6
Apr 18, 2024 11:17:15.360909939 CEST	49726	443	192.168.2.6	52.159.127.243
Apr 18, 2024 11:17:15.364161015 CEST	49726	443	192.168.2.6	52.159.127.243
Apr 18, 2024 11:17:15.364172935 CEST	443	49726	52.159.127.243	192.168.2.6
Apr 18, 2024 11:17:15.364526987 CEST	443	49726	52.159.127.243	192.168.2.6
Apr 18, 2024 11:17:15.366539001 CEST	49726	443	192.168.2.6	52.159.127.243
Apr 18, 2024 11:17:15.366595984 CEST	49726	443	192.168.2.6	52.159.127.243
Apr 18, 2024 11:17:15.366601944 CEST	443	49726	52.159.127.243	192.168.2.6
Apr 18, 2024 11:17:15.366714001 CEST	49726	443	192.168.2.6	52.159.127.243
Apr 18, 2024 11:17:15.408133030 CEST	443	49726	52.159.127.243	192.168.2.6
Apr 18, 2024 11:17:15.488514900 CEST	443	49726	52.159.127.243	192.168.2.6
Apr 18, 2024 11:17:15.488621950 CEST	443	49726	52.159.127.243	192.168.2.6
Apr 18, 2024 11:17:15.488684893 CEST	49726	443	192.168.2.6	52.159.127.243
Apr 18, 2024 11:17:15.488847017 CEST	49726	443	192.168.2.6	52.159.127.243
Apr 18, 2024 11:17:15.488862991 CEST	443	49726	52.159.127.243	192.168.2.6
Apr 18, 2024 11:17:17.900119066 CEST	443	49718	64.233.176.99	192.168.2.6
Apr 18, 2024 11:17:17.900177002 CEST	443	49718	64.233.176.99	192.168.2.6
Apr 18, 2024 11:17:17.900301933 CEST	49718	443	192.168.2.6	64.233.176.99
Apr 18, 2024 11:17:18.741308928 CEST	49733	443	192.168.2.6	40.127.169.103
Apr 18, 2024 11:17:18.741348982 CEST	443	49733	40.127.169.103	192.168.2.6
Apr 18, 2024 11:17:18.741632938 CEST	49733	443	192.168.2.6	40.127.169.103
Apr 18, 2024 11:17:18.743225098 CEST	49733	443	192.168.2.6	40.127.169.103
Apr 18, 2024 11:17:18.743242979 CEST	443	49733	40.127.169.103	192.168.2.6
Apr 18, 2024 11:17:18.900646925 CEST	49718	443	192.168.2.6	64.233.176.99
Apr 18, 2024 11:17:18.900677919 CEST	443	49718	64.233.176.99	192.168.2.6
Apr 18, 2024 11:17:19.341969013 CEST	443	49733	40.127.169.103	192.168.2.6
Apr 18, 2024 11:17:19.342062950 CEST	49733	443	192.168.2.6	40.127.169.103
Apr 18, 2024 11:17:19.346693993 CEST	49733	443	192.168.2.6	40.127.169.103
Apr 18, 2024 11:17:19.346713066 CEST	443	49733	40.127.169.103	192.168.2.6
Apr 18, 2024 11:17:19.347064018 CEST	443	49733	40.127.169.103	192.168.2.6
Apr 18, 2024 11:17:19.397599936 CEST	49733	443	192.168.2.6	40.127.169.103
Apr 18, 2024 11:17:19.820409060 CEST	49733	443	192.168.2.6	40.127.169.103
Apr 18, 2024 11:17:19.868020058 CEST	49706	443	192.168.2.6	173.222.162.64
Apr 18, 2024 11:17:19.868105888 CEST	49706	443	192.168.2.6	173.222.162.64
Apr 18, 2024 11:17:19.868124962 CEST	443	49733	40.127.169.103	192.168.2.6
Apr 18, 2024 11:17:19.869453907 CEST	49735	443	192.168.2.6	173.222.162.64
Apr 18, 2024 11:17:19.869494915 CEST	443	49735	173.222.162.64	192.168.2.6
Apr 18, 2024 11:17:19.869565010 CEST	49735	443	192.168.2.6	173.222.162.64
Apr 18, 2024 11:17:19.869785070 CEST	49735	443	192.168.2.6	173.222.162.64
Apr 18, 2024 11:17:19.869792938 CEST	443	49735	173.222.162.64	192.168.2.6
Apr 18, 2024 11:17:20.020211935 CEST	443	49706	173.222.162.64	192.168.2.6
Apr 18, 2024 11:17:20.020241976 CEST	443	49706	173.222.162.64	192.168.2.6
Apr 18, 2024 11:17:20.185982943 CEST	443	49735	173.222.162.64	192.168.2.6
Apr 18, 2024 11:17:20.186049938 CEST	49735	443	192.168.2.6	173.222.162.64
Apr 18, 2024 11:17:20.212999105 CEST	443	49733	40.127.169.103	192.168.2.6
Apr 18, 2024 11:17:20.213025093 CEST	443	49733	40.127.169.103	192.168.2.6
Apr 18, 2024 11:17:20.213036060 CEST	443	49733	40.127.169.103	192.168.2.6
Apr 18, 2024 11:17:20.213059902 CEST	443	49733	40.127.169.103	192.168.2.6
Apr 18, 2024 11:17:20.213078022 CEST	443	49733	40.127.169.103	192.168.2.6
Apr 18, 2024 11:17:20.213085890 CEST	443	49733	40.127.169.103	192.168.2.6
Apr 18, 2024 11:17:20.213088989 CEST	49733	443	192.168.2.6	40.127.169.103
Apr 18, 2024 11:17:20.213109970 CEST	443	49733	40.127.169.103	192.168.2.6
Apr 18, 2024 11:17:20.213134050 CEST	49733	443	192.168.2.6	40.127.169.103
Apr 18, 2024 11:17:20.213145018 CEST	443	49733	40.127.169.103	192.168.2.6
Apr 18, 2024 11:17:20.213157892 CEST	49733	443	192.168.2.6	40.127.169.103
Apr 18, 2024 11:17:20.213161945 CEST	443	49733	40.127.169.103	192.168.2.6
Apr 18, 2024 11:17:20.213217020 CEST	49733	443	192.168.2.6	40.127.169.103
Apr 18, 2024 11:17:20.213221073 CEST	443	49733	40.127.169.103	192.168.2.6
Apr 18, 2024 11:17:20.213232994 CEST	443	49733	40.127.169.103	192.168.2.6
Apr 18, 2024 11:17:20.213263988 CEST	49733	443	192.168.2.6	40.127.169.103
Apr 18, 2024 11:17:20.224883080 CEST	49733	443	192.168.2.6	40.127.169.103
Apr 18, 2024 11:17:20.224925995 CEST	443	49733	40.127.169.103	192.168.2.6
Apr 18, 2024 11:17:20.224944115 CEST	49733	443	192.168.2.6	40.127.169.103
Apr 18, 2024 11:17:20.224951982 CEST	443	49733	40.127.169.103	192.168.2.6
Apr 18, 2024 11:17:25.128911018 CEST	49737	443	192.168.2.6	52.159.127.243
Apr 18, 2024 11:17:25.128938913 CEST	443	49737	52.159.127.243	192.168.2.6
Apr 18, 2024 11:17:25.128998995 CEST	49737	443	192.168.2.6	52.159.127.243
Apr 18, 2024 11:17:25.129549026 CEST	49737	443	192.168.2.6	52.159.127.243
Apr 18, 2024 11:17:25.129563093 CEST	443	49737	52.159.127.243	192.168.2.6
Apr 18, 2024 11:17:25.291935921 CEST	49738	443	192.168.2.6	40.126.29.9
Apr 18, 2024 11:17:25.291966915 CEST	443	49738	40.126.29.9	192.168.2.6
Apr 18, 2024 11:17:25.292082071 CEST	49738	443	192.168.2.6	40.126.29.9
Apr 18, 2024 11:17:25.292259932 CEST	49738	443	192.168.2.6	40.126.29.9
Apr 18, 2024 11:17:25.292268991 CEST	443	49738	40.126.29.9	192.168.2.6
Apr 18, 2024 11:17:25.500493050 CEST	443	49737	52.159.127.243	192.168.2.6
Apr 18, 2024 11:17:25.500585079 CEST	49737	443	192.168.2.6	52.159.127.243
Apr 18, 2024 11:17:25.503556967 CEST	49737	443	192.168.2.6	52.159.127.243
Apr 18, 2024 11:17:25.503570080 CEST	443	49737	52.159.127.243	192.168.2.6
Apr 18, 2024 11:17:25.503817081 CEST	443	49737	52.159.127.243	192.168.2.6
Apr 18, 2024 11:17:25.505544901 CEST	49737	443	192.168.2.6	52.159.127.243
Apr 18, 2024 11:17:25.505611897 CEST	49737	443	192.168.2.6	52.159.127.243
Apr 18, 2024 11:17:25.505616903 CEST	443	49737	52.159.127.243	192.168.2.6
Apr 18, 2024 11:17:25.505878925 CEST	49737	443	192.168.2.6	52.159.127.243
Apr 18, 2024 11:17:25.552114964 CEST	443	49737	52.159.127.243	192.168.2.6
Apr 18, 2024 11:17:25.626904011 CEST	443	49737	52.159.127.243	192.168.2.6
Apr 18, 2024 11:17:25.626983881 CEST	443	49737	52.159.127.243	192.168.2.6
Apr 18, 2024 11:17:25.627043009 CEST	49737	443	192.168.2.6	52.159.127.243
Apr 18, 2024 11:17:25.627217054 CEST	49737	443	192.168.2.6	52.159.127.243
Apr 18, 2024 11:17:25.627233028 CEST	443	49737	52.159.127.243	192.168.2.6
Apr 18, 2024 11:17:25.689589024 CEST	443	49738	40.126.29.9	192.168.2.6
Apr 18, 2024 11:17:25.689671993 CEST	49738	443	192.168.2.6	40.126.29.9
Apr 18, 2024 11:17:25.704988003 CEST	49738	443	192.168.2.6	40.126.29.9
Apr 18, 2024 11:17:25.704999924 CEST	443	49738	40.126.29.9	192.168.2.6
Apr 18, 2024 11:17:25.705241919 CEST	443	49738	40.126.29.9	192.168.2.6
Apr 18, 2024 11:17:25.705907106 CEST	49738	443	192.168.2.6	40.126.29.9
Apr 18, 2024 11:17:25.705969095 CEST	49738	443	192.168.2.6	40.126.29.9
Apr 18, 2024 11:17:25.705987930 CEST	443	49738	40.126.29.9	192.168.2.6
Apr 18, 2024 11:17:25.992331028 CEST	443	49738	40.126.29.9	192.168.2.6
Apr 18, 2024 11:17:25.992355108 CEST	443	49738	40.126.29.9	192.168.2.6
Apr 18, 2024 11:17:25.992397070 CEST	443	49738	40.126.29.9	192.168.2.6
Apr 18, 2024 11:17:25.992440939 CEST	49738	443	192.168.2.6	40.126.29.9
Apr 18, 2024 11:17:25.992453098 CEST	443	49738	40.126.29.9	192.168.2.6
Apr 18, 2024 11:17:25.992481947 CEST	443	49738	40.126.29.9	192.168.2.6
Apr 18, 2024 11:17:25.992516041 CEST	49738	443	192.168.2.6	40.126.29.9
Apr 18, 2024 11:17:25.992639065 CEST	49738	443	192.168.2.6	40.126.29.9
Apr 18, 2024 11:17:25.992914915 CEST	49738	443	192.168.2.6	40.126.29.9
Apr 18, 2024 11:17:25.992927074 CEST	443	49738	40.126.29.9	192.168.2.6
Apr 18, 2024 11:17:25.992938042 CEST	49738	443	192.168.2.6	40.126.29.9
Apr 18, 2024 11:17:25.992943048 CEST	443	49738	40.126.29.9	192.168.2.6
Apr 18, 2024 11:17:26.146650076 CEST	49739	443	192.168.2.6	204.79.197.200
Apr 18, 2024 11:17:26.146687031 CEST	443	49739	204.79.197.200	192.168.2.6
Apr 18, 2024 11:17:26.146807909 CEST	49739	443	192.168.2.6	204.79.197.200
Apr 18, 2024 11:17:26.155086040 CEST	49739	443	192.168.2.6	204.79.197.200
Apr 18, 2024 11:17:26.155103922 CEST	443	49739	204.79.197.200	192.168.2.6
Apr 18, 2024 11:17:26.477226019 CEST	443	49739	204.79.197.200	192.168.2.6
Apr 18, 2024 11:17:26.477307081 CEST	49739	443	192.168.2.6	204.79.197.200
Apr 18, 2024 11:17:26.477881908 CEST	443	49739	204.79.197.200	192.168.2.6
Apr 18, 2024 11:17:26.477987051 CEST	49739	443	192.168.2.6	204.79.197.200
Apr 18, 2024 11:17:26.561080933 CEST	49739	443	192.168.2.6	204.79.197.200
Apr 18, 2024 11:17:26.561101913 CEST	443	49739	204.79.197.200	192.168.2.6
Apr 18, 2024 11:17:26.561394930 CEST	443	49739	204.79.197.200	192.168.2.6
Apr 18, 2024 11:17:26.561463118 CEST	49739	443	192.168.2.6	204.79.197.200
Apr 18, 2024 11:17:26.566760063 CEST	49739	443	192.168.2.6	204.79.197.200
Apr 18, 2024 11:17:26.566787958 CEST	443	49739	204.79.197.200	192.168.2.6
Apr 18, 2024 11:17:26.801142931 CEST	443	49739	204.79.197.200	192.168.2.6
Apr 18, 2024 11:17:26.801199913 CEST	443	49739	204.79.197.200	192.168.2.6
Apr 18, 2024 11:17:26.801222086 CEST	49739	443	192.168.2.6	204.79.197.200
Apr 18, 2024 11:17:26.801261902 CEST	443	49739	204.79.197.200	192.168.2.6
Apr 18, 2024 11:17:26.801282883 CEST	49739	443	192.168.2.6	204.79.197.200
Apr 18, 2024 11:17:26.801311970 CEST	49739	443	192.168.2.6	204.79.197.200
Apr 18, 2024 11:17:26.801318884 CEST	443	49739	204.79.197.200	192.168.2.6
Apr 18, 2024 11:17:26.801352024 CEST	443	49739	204.79.197.200	192.168.2.6
Apr 18, 2024 11:17:26.801400900 CEST	49739	443	192.168.2.6	204.79.197.200
Apr 18, 2024 11:17:26.837745905 CEST	49739	443	192.168.2.6	204.79.197.200
Apr 18, 2024 11:17:26.837790012 CEST	443	49739	204.79.197.200	192.168.2.6
Apr 18, 2024 11:17:38.629215002 CEST	49740	443	192.168.2.6	20.25.241.18
Apr 18, 2024 11:17:38.629261017 CEST	443	49740	20.25.241.18	192.168.2.6
Apr 18, 2024 11:17:38.629723072 CEST	49740	443	192.168.2.6	20.25.241.18
Apr 18, 2024 11:17:38.631279945 CEST	49740	443	192.168.2.6	20.25.241.18
Apr 18, 2024 11:17:38.631293058 CEST	443	49740	20.25.241.18	192.168.2.6
Apr 18, 2024 11:17:39.003861904 CEST	443	49740	20.25.241.18	192.168.2.6
Apr 18, 2024 11:17:39.003940105 CEST	49740	443	192.168.2.6	20.25.241.18
Apr 18, 2024 11:17:39.007807970 CEST	49740	443	192.168.2.6	20.25.241.18
Apr 18, 2024 11:17:39.007833004 CEST	443	49740	20.25.241.18	192.168.2.6
Apr 18, 2024 11:17:39.008055925 CEST	443	49740	20.25.241.18	192.168.2.6
Apr 18, 2024 11:17:39.011104107 CEST	49740	443	192.168.2.6	20.25.241.18
Apr 18, 2024 11:17:39.011580944 CEST	49740	443	192.168.2.6	20.25.241.18
Apr 18, 2024 11:17:39.011589050 CEST	443	49740	20.25.241.18	192.168.2.6
Apr 18, 2024 11:17:39.011945963 CEST	49740	443	192.168.2.6	20.25.241.18
Apr 18, 2024 11:17:39.056118011 CEST	443	49740	20.25.241.18	192.168.2.6
Apr 18, 2024 11:17:39.133435965 CEST	443	49740	20.25.241.18	192.168.2.6
Apr 18, 2024 11:17:39.133652925 CEST	443	49740	20.25.241.18	192.168.2.6
Apr 18, 2024 11:17:39.133760929 CEST	49740	443	192.168.2.6	20.25.241.18
Apr 18, 2024 11:17:39.134119034 CEST	49740	443	192.168.2.6	20.25.241.18
Apr 18, 2024 11:17:39.134130001 CEST	443	49740	20.25.241.18	192.168.2.6
Apr 18, 2024 11:17:39.334305048 CEST	443	49735	173.222.162.64	192.168.2.6
Apr 18, 2024 11:17:39.334397078 CEST	49735	443	192.168.2.6	173.222.162.64
Apr 18, 2024 11:17:56.902801991 CEST	49741	443	192.168.2.6	40.127.169.103
Apr 18, 2024 11:17:56.902853966 CEST	443	49741	40.127.169.103	192.168.2.6
Apr 18, 2024 11:17:56.902925014 CEST	49741	443	192.168.2.6	40.127.169.103
Apr 18, 2024 11:17:56.904010057 CEST	49741	443	192.168.2.6	40.127.169.103
Apr 18, 2024 11:17:56.904020071 CEST	443	49741	40.127.169.103	192.168.2.6
Apr 18, 2024 11:17:57.495610952 CEST	443	49741	40.127.169.103	192.168.2.6
Apr 18, 2024 11:17:57.495682955 CEST	49741	443	192.168.2.6	40.127.169.103
Apr 18, 2024 11:17:57.497553110 CEST	49741	443	192.168.2.6	40.127.169.103
Apr 18, 2024 11:17:57.497564077 CEST	443	49741	40.127.169.103	192.168.2.6
Apr 18, 2024 11:17:57.497778893 CEST	443	49741	40.127.169.103	192.168.2.6
Apr 18, 2024 11:17:57.507658005 CEST	49741	443	192.168.2.6	40.127.169.103
Apr 18, 2024 11:17:57.552154064 CEST	443	49741	40.127.169.103	192.168.2.6
Apr 18, 2024 11:17:58.077873945 CEST	443	49741	40.127.169.103	192.168.2.6
Apr 18, 2024 11:17:58.077892065 CEST	443	49741	40.127.169.103	192.168.2.6
Apr 18, 2024 11:17:58.077904940 CEST	443	49741	40.127.169.103	192.168.2.6
Apr 18, 2024 11:17:58.077991962 CEST	49741	443	192.168.2.6	40.127.169.103
Apr 18, 2024 11:17:58.078016043 CEST	443	49741	40.127.169.103	192.168.2.6
Apr 18, 2024 11:17:58.078037977 CEST	443	49741	40.127.169.103	192.168.2.6
Apr 18, 2024 11:17:58.078084946 CEST	49741	443	192.168.2.6	40.127.169.103
Apr 18, 2024 11:17:58.087675095 CEST	49741	443	192.168.2.6	40.127.169.103
Apr 18, 2024 11:17:58.087723017 CEST	443	49741	40.127.169.103	192.168.2.6
Apr 18, 2024 11:17:58.087753057 CEST	49741	443	192.168.2.6	40.127.169.103
Apr 18, 2024 11:17:58.087768078 CEST	443	49741	40.127.169.103	192.168.2.6
Apr 18, 2024 11:17:58.770252943 CEST	49742	443	192.168.2.6	20.25.241.18
Apr 18, 2024 11:17:58.770306110 CEST	443	49742	20.25.241.18	192.168.2.6
Apr 18, 2024 11:17:58.770951986 CEST	49742	443	192.168.2.6	20.25.241.18
Apr 18, 2024 11:17:58.770951986 CEST	49742	443	192.168.2.6	20.25.241.18
Apr 18, 2024 11:17:58.770984888 CEST	443	49742	20.25.241.18	192.168.2.6
Apr 18, 2024 11:17:59.140558958 CEST	443	49742	20.25.241.18	192.168.2.6
Apr 18, 2024 11:17:59.140748024 CEST	49742	443	192.168.2.6	20.25.241.18
Apr 18, 2024 11:17:59.143594980 CEST	49742	443	192.168.2.6	20.25.241.18
Apr 18, 2024 11:17:59.143610001 CEST	443	49742	20.25.241.18	192.168.2.6
Apr 18, 2024 11:17:59.143856049 CEST	443	49742	20.25.241.18	192.168.2.6
Apr 18, 2024 11:17:59.145294905 CEST	49742	443	192.168.2.6	20.25.241.18
Apr 18, 2024 11:17:59.146255016 CEST	49742	443	192.168.2.6	20.25.241.18
Apr 18, 2024 11:17:59.146255016 CEST	49742	443	192.168.2.6	20.25.241.18
Apr 18, 2024 11:17:59.146262884 CEST	443	49742	20.25.241.18	192.168.2.6
Apr 18, 2024 11:17:59.188107014 CEST	443	49742	20.25.241.18	192.168.2.6
Apr 18, 2024 11:17:59.267584085 CEST	443	49742	20.25.241.18	192.168.2.6
Apr 18, 2024 11:17:59.267671108 CEST	443	49742	20.25.241.18	192.168.2.6
Apr 18, 2024 11:17:59.267772913 CEST	49742	443	192.168.2.6	20.25.241.18
Apr 18, 2024 11:17:59.268141031 CEST	49742	443	192.168.2.6	20.25.241.18
Apr 18, 2024 11:17:59.268160105 CEST	443	49742	20.25.241.18	192.168.2.6
Apr 18, 2024 11:18:07.619609118 CEST	49744	443	192.168.2.6	64.233.176.99
Apr 18, 2024 11:18:07.619632959 CEST	443	49744	64.233.176.99	192.168.2.6
Apr 18, 2024 11:18:07.619745016 CEST	49744	443	192.168.2.6	64.233.176.99
Apr 18, 2024 11:18:07.619976044 CEST	49744	443	192.168.2.6	64.233.176.99
Apr 18, 2024 11:18:07.619986057 CEST	443	49744	64.233.176.99	192.168.2.6
Apr 18, 2024 11:18:07.832397938 CEST	443	49744	64.233.176.99	192.168.2.6
Apr 18, 2024 11:18:07.832918882 CEST	49744	443	192.168.2.6	64.233.176.99
Apr 18, 2024 11:18:07.832928896 CEST	443	49744	64.233.176.99	192.168.2.6
Apr 18, 2024 11:18:07.833257914 CEST	443	49744	64.233.176.99	192.168.2.6
Apr 18, 2024 11:18:07.834645033 CEST	49744	443	192.168.2.6	64.233.176.99
Apr 18, 2024 11:18:07.834706068 CEST	443	49744	64.233.176.99	192.168.2.6
Apr 18, 2024 11:18:07.883836031 CEST	49744	443	192.168.2.6	64.233.176.99
Apr 18, 2024 11:18:17.840632915 CEST	443	49744	64.233.176.99	192.168.2.6
Apr 18, 2024 11:18:17.840713024 CEST	443	49744	64.233.176.99	192.168.2.6
Apr 18, 2024 11:18:17.840771914 CEST	49744	443	192.168.2.6	64.233.176.99
Apr 18, 2024 11:18:17.949867010 CEST	49744	443	192.168.2.6	64.233.176.99
Apr 18, 2024 11:18:17.949896097 CEST	443	49744	64.233.176.99	192.168.2.6
Apr 18, 2024 11:18:25.767187119 CEST	49746	443	192.168.2.6	20.25.241.18
Apr 18, 2024 11:18:25.767219067 CEST	443	49746	20.25.241.18	192.168.2.6
Apr 18, 2024 11:18:25.767334938 CEST	49746	443	192.168.2.6	20.25.241.18
Apr 18, 2024 11:18:25.767987013 CEST	49746	443	192.168.2.6	20.25.241.18
Apr 18, 2024 11:18:25.767997980 CEST	443	49746	20.25.241.18	192.168.2.6
Apr 18, 2024 11:18:26.144292116 CEST	443	49746	20.25.241.18	192.168.2.6
Apr 18, 2024 11:18:26.144361973 CEST	49746	443	192.168.2.6	20.25.241.18
Apr 18, 2024 11:18:26.154052019 CEST	49746	443	192.168.2.6	20.25.241.18
Apr 18, 2024 11:18:26.154062033 CEST	443	49746	20.25.241.18	192.168.2.6
Apr 18, 2024 11:18:26.154364109 CEST	443	49746	20.25.241.18	192.168.2.6
Apr 18, 2024 11:18:26.158775091 CEST	49746	443	192.168.2.6	20.25.241.18
Apr 18, 2024 11:18:26.158996105 CEST	49746	443	192.168.2.6	20.25.241.18
Apr 18, 2024 11:18:26.159001112 CEST	443	49746	20.25.241.18	192.168.2.6
Apr 18, 2024 11:18:26.159235954 CEST	49746	443	192.168.2.6	20.25.241.18
Apr 18, 2024 11:18:26.204118967 CEST	443	49746	20.25.241.18	192.168.2.6
Apr 18, 2024 11:18:26.280273914 CEST	443	49746	20.25.241.18	192.168.2.6
Apr 18, 2024 11:18:26.280360937 CEST	443	49746	20.25.241.18	192.168.2.6
Apr 18, 2024 11:18:26.280406952 CEST	49746	443	192.168.2.6	20.25.241.18
Apr 18, 2024 11:18:26.293407917 CEST	49746	443	192.168.2.6	20.25.241.18
Apr 18, 2024 11:18:26.293430090 CEST	443	49746	20.25.241.18	192.168.2.6
Apr 18, 2024 11:18:56.813342094 CEST	49748	443	192.168.2.6	20.25.241.18
Apr 18, 2024 11:18:56.813383102 CEST	443	49748	20.25.241.18	192.168.2.6
Apr 18, 2024 11:18:56.813447952 CEST	49748	443	192.168.2.6	20.25.241.18
Apr 18, 2024 11:18:56.814045906 CEST	49748	443	192.168.2.6	20.25.241.18
Apr 18, 2024 11:18:56.814064026 CEST	443	49748	20.25.241.18	192.168.2.6
Apr 18, 2024 11:18:57.195687056 CEST	443	49748	20.25.241.18	192.168.2.6
Apr 18, 2024 11:18:57.195785999 CEST	49748	443	192.168.2.6	20.25.241.18
Apr 18, 2024 11:18:57.199404955 CEST	49748	443	192.168.2.6	20.25.241.18
Apr 18, 2024 11:18:57.199434996 CEST	443	49748	20.25.241.18	192.168.2.6
Apr 18, 2024 11:18:57.200280905 CEST	443	49748	20.25.241.18	192.168.2.6
Apr 18, 2024 11:18:57.201853991 CEST	49748	443	192.168.2.6	20.25.241.18
Apr 18, 2024 11:18:57.201920033 CEST	49748	443	192.168.2.6	20.25.241.18
Apr 18, 2024 11:18:57.201936960 CEST	443	49748	20.25.241.18	192.168.2.6
Apr 18, 2024 11:18:57.202110052 CEST	49748	443	192.168.2.6	20.25.241.18
Apr 18, 2024 11:18:57.248114109 CEST	443	49748	20.25.241.18	192.168.2.6
Apr 18, 2024 11:18:57.323726892 CEST	443	49748	20.25.241.18	192.168.2.6
Apr 18, 2024 11:18:57.323977947 CEST	443	49748	20.25.241.18	192.168.2.6
Apr 18, 2024 11:18:57.324201107 CEST	49748	443	192.168.2.6	20.25.241.18
Apr 18, 2024 11:18:57.324316025 CEST	49748	443	192.168.2.6	20.25.241.18
Apr 18, 2024 11:18:57.324362993 CEST	443	49748	20.25.241.18	192.168.2.6
Apr 18, 2024 11:18:57.324398994 CEST	49748	443	192.168.2.6	20.25.241.18
Apr 18, 2024 11:19:32.719819069 CEST	49749	443	192.168.2.6	20.25.241.18
Apr 18, 2024 11:19:32.719856024 CEST	443	49749	20.25.241.18	192.168.2.6
Apr 18, 2024 11:19:32.720077038 CEST	49749	443	192.168.2.6	20.25.241.18
Apr 18, 2024 11:19:32.720621109 CEST	49749	443	192.168.2.6	20.25.241.18
Apr 18, 2024 11:19:32.720638037 CEST	443	49749	20.25.241.18	192.168.2.6
Apr 18, 2024 11:19:33.095029116 CEST	443	49749	20.25.241.18	192.168.2.6
Apr 18, 2024 11:19:33.095102072 CEST	49749	443	192.168.2.6	20.25.241.18
Apr 18, 2024 11:19:33.101290941 CEST	49749	443	192.168.2.6	20.25.241.18
Apr 18, 2024 11:19:33.101309061 CEST	443	49749	20.25.241.18	192.168.2.6
Apr 18, 2024 11:19:33.101567030 CEST	443	49749	20.25.241.18	192.168.2.6
Apr 18, 2024 11:19:33.106904030 CEST	49749	443	192.168.2.6	20.25.241.18
Apr 18, 2024 11:19:33.107165098 CEST	49749	443	192.168.2.6	20.25.241.18
Apr 18, 2024 11:19:33.107172966 CEST	443	49749	20.25.241.18	192.168.2.6
Apr 18, 2024 11:19:33.107547045 CEST	49749	443	192.168.2.6	20.25.241.18
Apr 18, 2024 11:19:33.148122072 CEST	443	49749	20.25.241.18	192.168.2.6
Apr 18, 2024 11:19:33.228954077 CEST	443	49749	20.25.241.18	192.168.2.6
Apr 18, 2024 11:19:33.229038954 CEST	443	49749	20.25.241.18	192.168.2.6
Apr 18, 2024 11:19:33.229114056 CEST	49749	443	192.168.2.6	20.25.241.18
Apr 18, 2024 11:19:33.229661942 CEST	49749	443	192.168.2.6	20.25.241.18
Apr 18, 2024 11:19:33.229688883 CEST	443	49749	20.25.241.18	192.168.2.6
Apr 18, 2024 11:20:09.473467112 CEST	49750	443	192.168.2.6	20.25.241.18
Apr 18, 2024 11:20:09.473556995 CEST	443	49750	20.25.241.18	192.168.2.6
Apr 18, 2024 11:20:09.473642111 CEST	49750	443	192.168.2.6	20.25.241.18
Apr 18, 2024 11:20:09.474217892 CEST	49750	443	192.168.2.6	20.25.241.18
Apr 18, 2024 11:20:09.474250078 CEST	443	49750	20.25.241.18	192.168.2.6
Apr 18, 2024 11:20:09.844197035 CEST	443	49750	20.25.241.18	192.168.2.6
Apr 18, 2024 11:20:09.844361067 CEST	49750	443	192.168.2.6	20.25.241.18
Apr 18, 2024 11:20:09.846607924 CEST	49750	443	192.168.2.6	20.25.241.18
Apr 18, 2024 11:20:09.846637011 CEST	443	49750	20.25.241.18	192.168.2.6
Apr 18, 2024 11:20:09.846898079 CEST	443	49750	20.25.241.18	192.168.2.6
Apr 18, 2024 11:20:09.848640919 CEST	49750	443	192.168.2.6	20.25.241.18
Apr 18, 2024 11:20:09.848699093 CEST	49750	443	192.168.2.6	20.25.241.18
Apr 18, 2024 11:20:09.848710060 CEST	443	49750	20.25.241.18	192.168.2.6
Apr 18, 2024 11:20:09.848849058 CEST	49750	443	192.168.2.6	20.25.241.18
Apr 18, 2024 11:20:09.892115116 CEST	443	49750	20.25.241.18	192.168.2.6
Apr 18, 2024 11:20:09.969966888 CEST	443	49750	20.25.241.18	192.168.2.6
Apr 18, 2024 11:20:09.970053911 CEST	443	49750	20.25.241.18	192.168.2.6
Apr 18, 2024 11:20:09.970499992 CEST	49750	443	192.168.2.6	20.25.241.18
Apr 18, 2024 11:20:09.970499992 CEST	49750	443	192.168.2.6	20.25.241.18
Apr 18, 2024 11:20:09.970593929 CEST	443	49750	20.25.241.18	192.168.2.6
Apr 18, 2024 11:20:09.970633984 CEST	49750	443	192.168.2.6	20.25.241.18

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 18, 2024 11:17:03.200082064 CEST	53	63390	1.1.1.1	192.168.2.6
Apr 18, 2024 11:17:03.208298922 CEST	53	63872	1.1.1.1	192.168.2.6
Apr 18, 2024 11:17:03.968281984 CEST	53	57648	1.1.1.1	192.168.2.6
Apr 18, 2024 11:17:07.557563066 CEST	50191	53	192.168.2.6	1.1.1.1
Apr 18, 2024 11:17:07.557764053 CEST	59553	53	192.168.2.6	1.1.1.1
Apr 18, 2024 11:17:07.630060911 CEST	53	64604	1.1.1.1	192.168.2.6
Apr 18, 2024 11:17:07.662066936 CEST	53	59553	1.1.1.1	192.168.2.6
Apr 18, 2024 11:17:07.662111044 CEST	53	50191	1.1.1.1	192.168.2.6
Apr 18, 2024 11:17:21.047171116 CEST	53	54817	1.1.1.1	192.168.2.6
Apr 18, 2024 11:17:40.235987902 CEST	53	62685	1.1.1.1	192.168.2.6
Apr 18, 2024 11:18:03.022933960 CEST	53	51088	1.1.1.1	192.168.2.6
Apr 18, 2024 11:18:03.106894016 CEST	53	65383	1.1.1.1	192.168.2.6
Apr 18, 2024 11:18:31.847883940 CEST	53	53948	1.1.1.1	192.168.2.6
Apr 18, 2024 11:19:16.647685051 CEST	53	62309	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 18, 2024 11:17:07.557563066 CEST	192.168.2.6	1.1.1.1	0x4591	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Apr 18, 2024 11:17:07.557764053 CEST	192.168.2.6	1.1.1.1	0xb5e1	Standard query (0)	www.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Apr 18, 2024 11:17:07.662066936 CEST	1.1.1.1	192.168.2.6	0xb5e1	No error (0)	www.google.com		65	IN (0x0001)	false
Apr 18, 2024 11:17:07.662111044 CEST	1.1.1.1	192.168.2.6	0x4591	No error (0)	www.google.com	64.233.176.99	A (IP address)	IN (0x0001)	false
Apr 18, 2024 11:17:07.662111044 CEST	1.1.1.1	192.168.2.6	0x4591	No error (0)	www.google.com	64.233.176.147	A (IP address)	IN (0x0001)	false
Apr 18, 2024 11:17:07.662111044 CEST	1.1.1.1	192.168.2.6	0x4591	No error (0)	www.google.com	64.233.176.105	A (IP address)	IN (0x0001)	false
Apr 18, 2024 11:17:07.662111044 CEST	1.1.1.1	192.168.2.6	0x4591	No error (0)	www.google.com	64.233.176.103	A (IP address)	IN (0x0001)	false
Apr 18, 2024 11:17:07.662111044 CEST	1.1.1.1	192.168.2.6	0x4591	No error (0)	www.google.com	64.233.176.106	A (IP address)	IN (0x0001)	false
Apr 18, 2024 11:17:07.662111044 CEST	1.1.1.1	192.168.2.6	0x4591	No error (0)	www.google.com	64.233.176.104	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

fs.microsoft.com

slscr.update.microsoft.com

www.bing.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.2.6	49720	52.159.127.243	443

Timestamp	Bytes transferred	Direction	Data
2024-04-18 09:17:08 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 45 74 7a 61 42 50 4b 56 37 45 47 6f 63 70 51 4d 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 32 34 37 63 39 63 37 62 61 66 65 63 39 66 39 65 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: EtzaBPKV7EGocpQM.1Context: 247c9c7bafec9f9e
2024-04-18 09:17:08 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-04-18 09:17:08 UTC	1064	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 34 31 0d 0a 4d 53 2d 43 56 3a 20 45 74 7a 61 42 50 4b 56 37 45 47 6f 63 70 51 4d 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 32 34 37 63 39 63 37 62 61 66 65 63 39 66 39 65 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 6f 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 64 75 6d 4b 52 79 4a 6a 64 35 71 4a 5a 70 73 74 62 50 57 31 6d 6f 69 32 45 54 4c 63 59 6d 67 4d 51 49 2f 76 68 41 77 62 48 57 61 76 61 45 6a 49 6f 45 2f 56 39 63 5a 53 58 49 55 50 59 4b 76 4c 59 46 6e 74 47 38 4a 57 58 4d 2b 76 52 2b 50 4d 67 63 4f 58 61 55 2f 53 53 67 4f 61 54 6e 36 74 43 33 46 48 70 77 4b 4a 2f 75 41 38 33 Data Ascii: ATH 2 CON\DEVICE 1041MS-CV: EtzaBPKV7EGocpQM.2Context: 247c9c7bafec9f9e<device><compact-ticket>t=EwCoAupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAdumKRyJjd5qJZpstbPW1moi2ETLcYmgMQI/vhAwbHWavaEjIoE/V9cZSXIUPYKvLYFntG8JWXM+vR+PMgcOXaU/SSgOaTn6tC3FHpwKJ/uA83
2024-04-18 09:17:08 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 45 74 7a 61 42 50 4b 56 37 45 47 6f 63 70 51 4d 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 32 34 37 63 39 63 37 62 61 66 65 63 39 66 39 65 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: EtzaBPKV7EGocpQM.3Context: 247c9c7bafec9f9e<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2024-04-18 09:17:08 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-04-18 09:17:08 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 74 2f 51 59 68 6a 78 79 52 45 43 75 6f 30 76 7a 70 6e 2f 52 6f 41 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: t/QYhjxyRECuo0vzpn/RoA.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49721	23.216.73.151	443

Timestamp	Bytes transferred	Direction	Data
2024-04-18 09:17:08 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-04-18 09:17:08 UTC	467	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (chd/073D) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-eus-z1 Cache-Control: public, max-age=251181 Date: Thu, 18 Apr 2024 09:17:08 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49722	23.216.73.151	443

Timestamp	Bytes transferred	Direction	Data
2024-04-18 09:17:09 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-04-18 09:17:09 UTC	531	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Tue, 16 May 2017 22:58:00 GMT ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json X-Azure-Ref: 0DZ+oYgAAAABSxwJpMgMuSLkfS640ajfFQVRBRURHRTEyMTkAY2VmYzI1ODMtYTliMi00NGE3LTk3NTUtYjc2ZDE3ZTA1Zjdm Cache-Control: public, max-age=251142 Date: Thu, 18 Apr 2024 09:17:09 GMT Content-Length: 55 Connection: close X-CID: 2
2024-04-18 09:17:09 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port
3	192.168.2.6	49726	52.159.127.243	443

Timestamp	Bytes transferred	Direction	Data
2024-04-18 09:17:15 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 45 43 39 63 6a 72 74 37 49 45 43 6b 2b 34 30 46 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 32 36 33 33 35 34 65 64 35 31 31 35 30 65 39 32 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: EC9cjrt7IECk+40F.1Context: 263354ed51150e92
2024-04-18 09:17:15 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-04-18 09:17:15 UTC	1064	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 34 31 0d 0a 4d 53 2d 43 56 3a 20 45 43 39 63 6a 72 74 37 49 45 43 6b 2b 34 30 46 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 32 36 33 33 35 34 65 64 35 31 31 35 30 65 39 32 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 6f 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 64 75 6d 4b 52 79 4a 6a 64 35 71 4a 5a 70 73 74 62 50 57 31 6d 6f 69 32 45 54 4c 63 59 6d 67 4d 51 49 2f 76 68 41 77 62 48 57 61 76 61 45 6a 49 6f 45 2f 56 39 63 5a 53 58 49 55 50 59 4b 76 4c 59 46 6e 74 47 38 4a 57 58 4d 2b 76 52 2b 50 4d 67 63 4f 58 61 55 2f 53 53 67 4f 61 54 6e 36 74 43 33 46 48 70 77 4b 4a 2f 75 41 38 33 Data Ascii: ATH 2 CON\DEVICE 1041MS-CV: EC9cjrt7IECk+40F.2Context: 263354ed51150e92<device><compact-ticket>t=EwCoAupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAdumKRyJjd5qJZpstbPW1moi2ETLcYmgMQI/vhAwbHWavaEjIoE/V9cZSXIUPYKvLYFntG8JWXM+vR+PMgcOXaU/SSgOaTn6tC3FHpwKJ/uA83
2024-04-18 09:17:15 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 45 43 39 63 6a 72 74 37 49 45 43 6b 2b 34 30 46 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 32 36 33 33 35 34 65 64 35 31 31 35 30 65 39 32 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: EC9cjrt7IECk+40F.3Context: 263354ed51150e92<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2024-04-18 09:17:15 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-04-18 09:17:15 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 36 57 74 30 53 56 4b 53 35 6b 36 48 69 72 72 47 67 54 48 48 72 67 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: 6Wt0SVKS5k6HirrGgTHHrg.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49733	40.127.169.103	443

Timestamp	Bytes transferred	Direction	Data
2024-04-18 09:17:19 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=8ZygSYb+E9LZ41W&MD=MbLbDFfe HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-04-18 09:17:20 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: 261ab622-21bc-4262-ab25-5fdcb55665fb MS-RequestId: 62618483-51a1-4601-a988-84e1831df880 MS-CV: cVrw3vS8BUO8MA2m.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Thu, 18 Apr 2024 09:17:19 GMT Connection: close Content-Length: 24490
2024-04-18 09:17:20 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-04-18 09:17:20 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port
5	192.168.2.6	49737	52.159.127.243	443

Timestamp	Bytes transferred	Direction	Data
2024-04-18 09:17:25 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 4f 6c 51 34 54 64 46 47 61 45 2b 63 34 6b 47 38 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 62 64 39 63 31 32 38 37 31 63 30 37 66 63 33 31 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: OlQ4TdFGaE+c4kG8.1Context: bd9c12871c07fc31
2024-04-18 09:17:25 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-04-18 09:17:25 UTC	1064	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 34 31 0d 0a 4d 53 2d 43 56 3a 20 4f 6c 51 34 54 64 46 47 61 45 2b 63 34 6b 47 38 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 62 64 39 63 31 32 38 37 31 63 30 37 66 63 33 31 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 6f 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 64 75 6d 4b 52 79 4a 6a 64 35 71 4a 5a 70 73 74 62 50 57 31 6d 6f 69 32 45 54 4c 63 59 6d 67 4d 51 49 2f 76 68 41 77 62 48 57 61 76 61 45 6a 49 6f 45 2f 56 39 63 5a 53 58 49 55 50 59 4b 76 4c 59 46 6e 74 47 38 4a 57 58 4d 2b 76 52 2b 50 4d 67 63 4f 58 61 55 2f 53 53 67 4f 61 54 6e 36 74 43 33 46 48 70 77 4b 4a 2f 75 41 38 33 Data Ascii: ATH 2 CON\DEVICE 1041MS-CV: OlQ4TdFGaE+c4kG8.2Context: bd9c12871c07fc31<device><compact-ticket>t=EwCoAupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAdumKRyJjd5qJZpstbPW1moi2ETLcYmgMQI/vhAwbHWavaEjIoE/V9cZSXIUPYKvLYFntG8JWXM+vR+PMgcOXaU/SSgOaTn6tC3FHpwKJ/uA83
2024-04-18 09:17:25 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 4f 6c 51 34 54 64 46 47 61 45 2b 63 34 6b 47 38 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 62 64 39 63 31 32 38 37 31 63 30 37 66 63 33 31 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: OlQ4TdFGaE+c4kG8.3Context: bd9c12871c07fc31<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2024-04-18 09:17:25 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-04-18 09:17:25 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 57 76 73 67 34 68 67 47 51 45 53 70 4a 75 34 69 46 62 6a 6c 4a 67 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: Wvsg4hgGQESpJu4iFbjlJg.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
6	192.168.2.6	49738	40.126.29.9	443

Timestamp	Bytes transferred	Direction	Data
2024-04-18 09:17:25 UTC	422	OUT	POST /RST2.srf HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) Content-Length: 4788 Host: login.live.com
2024-04-18 09:17:25 UTC	4788	OUT	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
2024-04-18 09:17:25 UTC	569	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Type: application/soap+xml; charset=utf-8 Expires: Thu, 18 Apr 2024 09:16:25 GMT P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" Referrer-Policy: strict-origin-when-cross-origin x-ms-route-info: C558_SN1 x-ms-request-id: 513185ad-e494-4300-a94b-0f910a51610c PPServer: PPV: 30 H: SN1PEPF0002FA74 V: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-XSS-Protection: 1; mode=block Date: Thu, 18 Apr 2024 09:17:25 GMT Connection: close Content-Length: 11153
2024-04-18 09:17:25 UTC	11153	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49739	204.79.197.200	443

Timestamp	Bytes transferred	Direction	Data
2024-04-18 09:17:26 UTC	2686	OUT	GET /client/config?cc=CH&setlang=en-CH HTTP/1.1 X-Search-CortanaAvailableCapabilities: None X-Search-SafeSearch: Moderate Accept-Encoding: gzip, deflate X-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A} X-UserAgeClass: Unknown X-BM-Market: CH X-BM-DateFormat: dd/MM/yyyy X-Device-OSSKU: 48 X-BM-DTZ: 120 X-DeviceID: 01000A410900C4F3 X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66E X-Search-TimeZone: Bias=-60; DaylightBias=-60; TimeZoneKeyName=W. Europe Standard Time X-BM-Theme: 000000;0078d7 X-Search-RPSToken: t%3DEwDYAkR8BAAUcvamItSE/vUHpyZRp3BeyOJPQDsAATwdX/XGkOieJ3azlI5pjHSWR29bpBxciZCgYKIaVI6SOAus4HXTolF%2BUwDpdd/QKtfDCPU15YDGM2POeP2tCNtfBMGqTxWDBKxzQ9mCOEpHF37s0zz0wxFWwutY%2BU3A989FiwPfmoWnXchUzX4HazcgPWknHYXH6CUoTOMZ86yJ9pQcd07yqZVVwT%2Bpc3olUhDEmTMB%2BHWWuYT7hTOBkpt4EsWGmBIPSFHU07omOf%2BAAXM0ejIjGFS9B3gWRMbqaVk7BpUwEbSmaPcEBonIZ6extyZBqS5zPsm8HyiJ/nKfF%2BjBagkQDz3VIGz0Fu78F6CcENujCJuietvZiWrw808DZgAACHfBmPj%2B2SE2qAFAQPOHqSwXSo4D2tU1iFuMTj/J5w5wGGsnFNnYeUQD7YopsLZejSF7phmGb3xs3K6oqxMO8xPaCVKcgzLlMCmeYkScxwu7Mf6IKPOgIuBIhwyGjw5%2B9l9OXYRKJaR4P410JAYYr8ASNpeGhpbnGWGi4clP%2B4Wp8zuvUWvMY0ovxFHqeJ1x%2Bcm2Y3H5kxeYqEnxpSRoioZD5WudE2SWRbpFTUgtj%2Btisf2UDUNFeQcqYH5N/TmIDlcN%2BMm9cH2HyWYj9TNSvbOd7upIlNsZAfx8pvB4R3TauTSH/W5jhVus%2BUMUGjEjnfSkn5QlpkZOS17K614dpIYxvMMah3zzikDmbrljKwyCoFZ5d6J8UrHJAXz/UIzn/aZsH8ZCfM0PLR4bVZr8l%2BJQ9WztMdvAgd%2BYvmWae0BRojEf1KVm8XxutA0CSTrvKkXllkWPwbWDWiwu0iKIU0B4Dq9Kt2zg5N/Wn%2BqvJ3ci5WKpuICMzCKiZpzF09FBZzb/iMDLB0m/miE9jWSB6KPEDxDSVV8emhXssvgiuS83Xu1CkJIvvyR6ZTuAbgW7EOwY2AE%3D%26p%3D X-Agent-DeviceId: 01000A410900C4F3 X-BM-CBT: 1713431843 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045 X-Device-isOptin: false Accept-language: en-GB, en, en-US X-Device-Touch: false X-Device-ClientSession: 4707AE76704648C1BD97EEC7199EEC7F X-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI Host: www.bing.com Connection: Keep-Alive Cookie: SRCHUID=V=2&GUID=CE2BE0509FF742BD822F50D98AD10391&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20231005; SRCHHPGUSR=SRCHLANG=en&HV=1696488191&IPMH=5767d621&IPMID=1696488252989&LUT=1696487541024; CortanaAppUID=2020E25DAB158E420BA06F1C8DEF7959; MUID=81C61E09498D41CC97CDBBA354824ED1; MUIDB=81C61E09498D41CC97CDBBA354824ED1
2024-04-18 09:17:26 UTC	1463	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 2215 Content-Type: application/json; charset=utf-8 P3P: CP="NON UNI COM NAV STA LOC CURa DEVa PSAa PSDa OUR IND" Set-Cookie: _EDGE_S=SID=0D9849C6B97A6CFB29665DA3B8AC6D3A&mkt=de-ch; domain=.bing.com; path=/; HttpOnly Set-Cookie: MUIDB=81C61E09498D41CC97CDBBA354824ED1; expires=Tue, 13-May-2025 09:17:26 GMT; path=/; HttpOnly Set-Cookie: ANON=A=651E3E5B4F798969B7590F90FFFFFFFF; domain=.bing.com; expires=Tue, 13-May-2025 09:17:26 GMT; path=/; secure; SameSite=None Set-Cookie: WLS=C=0000000000000000&N=; domain=.bing.com; path=/; secure; SameSite=None Set-Cookie: _SS=SID=0D9849C6B97A6CFB29665DA3B8AC6D3A; domain=.bing.com; path=/; secure; SameSite=None X-EventID: 6620e5265d0b473d9b6fb4a2b11e9c77 UserAgentReductionOptOut: A7kgTC5xdZ2WIVGZEfb1hUoNuvjzOZX3VIV/BA6C18kQOOF50Q0D3oWoAm49k3BQImkujKILc7JmPysWk3CSjwUAAACMeyJvcmlnaW4iOiJodHRwczovL3d3dy5iaW5nLmNvbTo0NDMiLCJmZWF0dXJlIjoiU2VuZEZ1bGxVc2VyQWdlbnRBZnRlclJlZHVjdGlvbiIsImV4cGlyeSI6MTY4NDg4NjM5OSwiaXNTdWJkb21haW4iOnRydWUsImlzVGhpcmRQYXJ0eSI6dHJ1ZX0= X-XSS-Protection: 0 X-Cache: CONFIG_NOCACHE Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version X-MSEdge-Ref: Ref A: 17E577618A13470BB41C4BA6952D6253 Ref B: ATL331000107049 Ref C: 2024-04-18T09:17:26Z Date: Thu, 18 Apr 2024 09:17:26 GMT Connection: close
2024-04-18 09:17:26 UTC	193	IN	Data Raw: 7b 22 76 65 72 73 69 6f 6e 22 3a 31 2c 22 63 6f 6e 66 69 67 22 3a 7b 22 46 65 61 74 75 72 65 43 6f 6e 66 69 67 22 3a 7b 22 53 65 61 72 63 68 42 6f 78 49 62 65 61 6d 50 6f 69 6e 74 65 72 4f 6e 48 6f 76 65 72 22 3a 7b 22 76 61 6c 75 65 22 3a 74 72 75 65 2c 22 66 65 61 74 75 72 65 22 3a 22 22 7d 2c 22 53 68 6f 77 53 65 61 72 63 68 47 6c 79 70 68 4c 65 66 74 4f 66 53 65 61 72 63 68 42 6f 78 22 3a 7b 22 76 61 6c 75 65 22 3a 74 72 75 65 2c 22 66 65 61 74 75 72 65 22 3a 22 22 7d 2c 22 53 65 61 72 63 68 42 6f 78 55 73 65 53 65 61 72 63 68 49 63 6f 6e 41 74 52 65 73 74 22 3a 7b 22 Data Ascii: {"version":1,"config":{"FeatureConfig":{"SearchBoxIbeamPointerOnHover":{"value":true,"feature":""},"ShowSearchGlyphLeftOfSearchBox":{"value":true,"feature":""},"SearchBoxUseSearchIconAtRest":{"
2024-04-18 09:17:26 UTC	2022	IN	Data Raw: 76 61 6c 75 65 22 3a 66 61 6c 73 65 2c 22 66 65 61 74 75 72 65 22 3a 22 22 7d 2c 22 53 65 61 72 63 68 42 75 74 74 6f 6e 55 73 65 53 65 61 72 63 68 49 63 6f 6e 22 3a 7b 22 76 61 6c 75 65 22 3a 66 61 6c 73 65 2c 22 66 65 61 74 75 72 65 22 3a 22 22 7d 2c 22 53 68 6f 77 53 75 62 6d 69 74 42 75 74 74 6f 6e 52 69 67 68 74 4f 66 53 65 61 72 63 68 42 6f 78 22 3a 7b 22 76 61 6c 75 65 22 3a 66 61 6c 73 65 2c 22 66 65 61 74 75 72 65 22 3a 22 22 7d 2c 22 43 6c 6f 75 64 4d 75 73 69 63 22 3a 7b 22 76 61 6c 75 65 22 3a 66 61 6c 73 65 2c 22 66 65 61 74 75 72 65 22 3a 22 22 7d 2c 22 43 6c 6f 75 64 41 67 65 6e 74 5f 47 6c 6f 62 61 6c 53 68 65 6c 6c 22 3a 7b 22 76 61 6c 75 65 22 3a 66 61 6c 73 65 2c 22 66 65 61 74 75 72 65 22 3a 22 22 7d 2c 22 43 6c 6f 75 64 41 67 65 6e 74 Data Ascii: value":false,"feature":""},"SearchButtonUseSearchIcon":{"value":false,"feature":""},"ShowSubmitButtonRightOfSearchBox":{"value":false,"feature":""},"CloudMusic":{"value":false,"feature":""},"CloudAgent_GlobalShell":{"value":false,"feature":""},"CloudAgent

Session ID	Source IP	Source Port	Destination IP	Destination Port
8	192.168.2.6	49740	20.25.241.18	443

Timestamp	Bytes transferred	Direction	Data
2024-04-18 09:17:39 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 4f 36 6f 34 7a 58 65 44 6f 55 57 36 55 73 72 52 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 39 64 63 39 34 33 62 33 64 36 31 35 38 64 32 61 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: O6o4zXeDoUW6UsrR.1Context: 9dc943b3d6158d2a
2024-04-18 09:17:39 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-04-18 09:17:39 UTC	1064	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 34 31 0d 0a 4d 53 2d 43 56 3a 20 4f 36 6f 34 7a 58 65 44 6f 55 57 36 55 73 72 52 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 39 64 63 39 34 33 62 33 64 36 31 35 38 64 32 61 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 6f 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 64 75 6d 4b 52 79 4a 6a 64 35 71 4a 5a 70 73 74 62 50 57 31 6d 6f 69 32 45 54 4c 63 59 6d 67 4d 51 49 2f 76 68 41 77 62 48 57 61 76 61 45 6a 49 6f 45 2f 56 39 63 5a 53 58 49 55 50 59 4b 76 4c 59 46 6e 74 47 38 4a 57 58 4d 2b 76 52 2b 50 4d 67 63 4f 58 61 55 2f 53 53 67 4f 61 54 6e 36 74 43 33 46 48 70 77 4b 4a 2f 75 41 38 33 Data Ascii: ATH 2 CON\DEVICE 1041MS-CV: O6o4zXeDoUW6UsrR.2Context: 9dc943b3d6158d2a<device><compact-ticket>t=EwCoAupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAdumKRyJjd5qJZpstbPW1moi2ETLcYmgMQI/vhAwbHWavaEjIoE/V9cZSXIUPYKvLYFntG8JWXM+vR+PMgcOXaU/SSgOaTn6tC3FHpwKJ/uA83
2024-04-18 09:17:39 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 4f 36 6f 34 7a 58 65 44 6f 55 57 36 55 73 72 52 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 39 64 63 39 34 33 62 33 64 36 31 35 38 64 32 61 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: O6o4zXeDoUW6UsrR.3Context: 9dc943b3d6158d2a<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2024-04-18 09:17:39 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-04-18 09:17:39 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 46 31 70 65 73 67 6a 45 46 55 65 45 46 39 71 2b 38 6d 5a 66 74 41 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: F1pesgjEFUeEF9q+8mZftA.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49741	40.127.169.103	443

Timestamp	Bytes transferred	Direction	Data
2024-04-18 09:17:57 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=8ZygSYb+E9LZ41W&MD=MbLbDFfe HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-04-18 09:17:58 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "Mx1RoJH/qEwpWfKllx7sbsl28AuERz5IYdcsvtTJcgM=_2160" MS-CorrelationId: a58816a3-0b96-48d6-8c83-4d2dac759376 MS-RequestId: 43aec39c-e372-4ca3-b544-0f7350af5c4f MS-CV: BoXVmJUB1k2gc98X.0 X-Microsoft-SLSClientCache: 2160 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Thu, 18 Apr 2024 09:17:56 GMT Connection: close Content-Length: 25457
2024-04-18 09:17:58 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 51 22 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 db 8e 00 00 14 00 00 00 00 00 10 00 51 22 00 00 20 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 f3 43 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 0d 92 6f db e5 21 f3 43 43 4b ed 5a 09 38 55 5b df 3f 93 99 90 29 99 e7 29 ec 73 cc 4a 66 32 cf 84 32 64 c8 31 c7 11 52 38 87 90 42 66 09 99 87 32 0f 19 0a 09 51 a6 a8 08 29 53 86 4a 52 84 50 df 46 83 ba dd 7b df fb 7e ef 7d ee 7d bf ef 9e e7 d9 67 ef 35 ee b5 fe eb 3f ff b6 96 81 a2 0a 04 fc 31 40 21 5b 3f a5 ed 1b 04 0e 85 42 a0 10 04 64 12 6c a5 de aa a1 d8 ea f3 58 01 f2 f5 67 0b 5e 9b bd e8 a0 90 1d bf 40 88 9d eb 49 b4 87 9b ab 8b 9d 2b 46 c8 c7 c5 19 92 Data Ascii: MSCFQ"DQ" AdCenvironment.cabo!CCKZ8U[?))sJf22d1R8Bf2Q)SJRPF{~}}g5?1@![?BdlXg^@I+F
2024-04-18 09:17:58 UTC	9633	IN	Data Raw: 21 6f b3 eb a6 cc f5 31 be cf 05 e2 a9 fe fa 57 6d 19 30 b3 c2 c5 66 c9 6a df f5 e7 f0 78 bd c7 a8 9e 25 e3 f9 bc ed 6b 54 57 08 2b 51 82 44 12 fb b9 53 8c cc f4 60 12 8a 76 cc 40 40 41 9b dc 5c 17 ff 5c f9 5e 17 35 98 24 56 4b 74 ef 42 10 c8 af bf 7f c6 7f f2 37 7d 5a 3f 1c f2 99 79 4a 91 52 00 af 38 0f 17 f5 2f 79 81 65 d9 a9 b5 6b e4 c7 ce f6 ca 7a 00 6f 4b 30 44 24 22 3c cf ed 03 a5 96 8f 59 29 bc b6 fd 04 e1 70 9f 32 4a 27 fd 55 af 2f fe b6 e5 8e 33 bb 62 5f 9a db 57 40 e9 f1 ce 99 66 90 8c ff 6a 62 7f dd c5 4a 0b 91 26 e2 39 ec 19 4a 71 63 9d 7b 21 6d c3 9c a3 a2 3c fa 7f 7d 96 6a 90 78 a6 6d d2 e1 9c f9 1d fc 38 d8 94 f4 c6 a5 0a 96 86 a4 bd 9e 1a ae 04 42 83 b8 b5 80 9b 22 38 20 b5 25 e5 64 ec f7 f4 bf 7e 63 59 25 0f 7a 2e 39 57 76 a2 71 aa 06 8a Data Ascii: !o1Wm0fjx%kTW+QDS`v@@A\\^5$VKtB7}Z?yJR8/yekzoK0D$"<Y)p2J'U/3b_W@fjbJ&9Jqc{!m<}jxm8B"8 %d~cY%z.9Wvq

Session ID	Source IP	Source Port	Destination IP	Destination Port
10	192.168.2.6	49742	20.25.241.18	443

Timestamp	Bytes transferred	Direction	Data
2024-04-18 09:17:59 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 38 57 38 50 44 56 51 7a 47 55 43 7a 66 5a 62 50 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 61 30 63 63 32 32 37 64 39 35 32 35 34 34 37 62 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: 8W8PDVQzGUCzfZbP.1Context: a0cc227d9525447b
2024-04-18 09:17:59 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-04-18 09:17:59 UTC	1064	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 34 31 0d 0a 4d 53 2d 43 56 3a 20 38 57 38 50 44 56 51 7a 47 55 43 7a 66 5a 62 50 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 61 30 63 63 32 32 37 64 39 35 32 35 34 34 37 62 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 6f 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 64 75 6d 4b 52 79 4a 6a 64 35 71 4a 5a 70 73 74 62 50 57 31 6d 6f 69 32 45 54 4c 63 59 6d 67 4d 51 49 2f 76 68 41 77 62 48 57 61 76 61 45 6a 49 6f 45 2f 56 39 63 5a 53 58 49 55 50 59 4b 76 4c 59 46 6e 74 47 38 4a 57 58 4d 2b 76 52 2b 50 4d 67 63 4f 58 61 55 2f 53 53 67 4f 61 54 6e 36 74 43 33 46 48 70 77 4b 4a 2f 75 41 38 33 Data Ascii: ATH 2 CON\DEVICE 1041MS-CV: 8W8PDVQzGUCzfZbP.2Context: a0cc227d9525447b<device><compact-ticket>t=EwCoAupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAdumKRyJjd5qJZpstbPW1moi2ETLcYmgMQI/vhAwbHWavaEjIoE/V9cZSXIUPYKvLYFntG8JWXM+vR+PMgcOXaU/SSgOaTn6tC3FHpwKJ/uA83
2024-04-18 09:17:59 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 38 57 38 50 44 56 51 7a 47 55 43 7a 66 5a 62 50 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 61 30 63 63 32 32 37 64 39 35 32 35 34 34 37 62 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: 8W8PDVQzGUCzfZbP.3Context: a0cc227d9525447b<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2024-04-18 09:17:59 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-04-18 09:17:59 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 73 6b 38 32 31 30 5a 39 57 45 47 48 51 35 78 46 6c 63 4e 49 41 67 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: sk8210Z9WEGHQ5xFlcNIAg.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
11	192.168.2.6	49746	20.25.241.18	443

Timestamp	Bytes transferred	Direction	Data
2024-04-18 09:18:26 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 57 4c 4c 6b 38 62 51 42 7a 55 53 58 64 59 50 57 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 62 37 66 33 66 39 62 62 32 31 38 38 61 37 33 39 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: WLLk8bQBzUSXdYPW.1Context: b7f3f9bb2188a739
2024-04-18 09:18:26 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-04-18 09:18:26 UTC	1064	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 34 31 0d 0a 4d 53 2d 43 56 3a 20 57 4c 4c 6b 38 62 51 42 7a 55 53 58 64 59 50 57 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 62 37 66 33 66 39 62 62 32 31 38 38 61 37 33 39 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 6f 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 64 75 6d 4b 52 79 4a 6a 64 35 71 4a 5a 70 73 74 62 50 57 31 6d 6f 69 32 45 54 4c 63 59 6d 67 4d 51 49 2f 76 68 41 77 62 48 57 61 76 61 45 6a 49 6f 45 2f 56 39 63 5a 53 58 49 55 50 59 4b 76 4c 59 46 6e 74 47 38 4a 57 58 4d 2b 76 52 2b 50 4d 67 63 4f 58 61 55 2f 53 53 67 4f 61 54 6e 36 74 43 33 46 48 70 77 4b 4a 2f 75 41 38 33 Data Ascii: ATH 2 CON\DEVICE 1041MS-CV: WLLk8bQBzUSXdYPW.2Context: b7f3f9bb2188a739<device><compact-ticket>t=EwCoAupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAdumKRyJjd5qJZpstbPW1moi2ETLcYmgMQI/vhAwbHWavaEjIoE/V9cZSXIUPYKvLYFntG8JWXM+vR+PMgcOXaU/SSgOaTn6tC3FHpwKJ/uA83
2024-04-18 09:18:26 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 57 4c 4c 6b 38 62 51 42 7a 55 53 58 64 59 50 57 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 62 37 66 33 66 39 62 62 32 31 38 38 61 37 33 39 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: WLLk8bQBzUSXdYPW.3Context: b7f3f9bb2188a739<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2024-04-18 09:18:26 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-04-18 09:18:26 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 76 70 44 36 4c 33 58 58 6a 6b 57 63 70 52 2b 7a 34 36 53 35 73 41 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: vpD6L3XXjkWcpR+z46S5sA.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
12	192.168.2.6	49748	20.25.241.18	443

Timestamp	Bytes transferred	Direction	Data
2024-04-18 09:18:57 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 66 39 33 63 58 75 79 4c 6a 55 65 72 67 48 6c 64 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 33 39 31 36 36 64 65 37 64 36 64 34 62 61 63 34 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: f93cXuyLjUergHld.1Context: 39166de7d6d4bac4
2024-04-18 09:18:57 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-04-18 09:18:57 UTC	1064	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 34 31 0d 0a 4d 53 2d 43 56 3a 20 66 39 33 63 58 75 79 4c 6a 55 65 72 67 48 6c 64 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 33 39 31 36 36 64 65 37 64 36 64 34 62 61 63 34 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 6f 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 64 75 6d 4b 52 79 4a 6a 64 35 71 4a 5a 70 73 74 62 50 57 31 6d 6f 69 32 45 54 4c 63 59 6d 67 4d 51 49 2f 76 68 41 77 62 48 57 61 76 61 45 6a 49 6f 45 2f 56 39 63 5a 53 58 49 55 50 59 4b 76 4c 59 46 6e 74 47 38 4a 57 58 4d 2b 76 52 2b 50 4d 67 63 4f 58 61 55 2f 53 53 67 4f 61 54 6e 36 74 43 33 46 48 70 77 4b 4a 2f 75 41 38 33 Data Ascii: ATH 2 CON\DEVICE 1041MS-CV: f93cXuyLjUergHld.2Context: 39166de7d6d4bac4<device><compact-ticket>t=EwCoAupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAdumKRyJjd5qJZpstbPW1moi2ETLcYmgMQI/vhAwbHWavaEjIoE/V9cZSXIUPYKvLYFntG8JWXM+vR+PMgcOXaU/SSgOaTn6tC3FHpwKJ/uA83
2024-04-18 09:18:57 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 66 39 33 63 58 75 79 4c 6a 55 65 72 67 48 6c 64 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 33 39 31 36 36 64 65 37 64 36 64 34 62 61 63 34 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: f93cXuyLjUergHld.3Context: 39166de7d6d4bac4<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2024-04-18 09:18:57 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-04-18 09:18:57 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 32 42 42 57 45 6b 4b 75 31 55 36 6e 62 4b 6e 33 77 38 4d 34 69 77 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: 2BBWEkKu1U6nbKn3w8M4iw.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
13	192.168.2.6	49749	20.25.241.18	443

Timestamp	Bytes transferred	Direction	Data
2024-04-18 09:19:33 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 34 68 56 57 31 52 39 4d 6b 6b 47 58 32 75 6d 73 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 39 64 34 31 62 64 33 36 33 30 39 66 65 34 61 38 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: 4hVW1R9MkkGX2ums.1Context: 9d41bd36309fe4a8
2024-04-18 09:19:33 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-04-18 09:19:33 UTC	1064	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 34 31 0d 0a 4d 53 2d 43 56 3a 20 34 68 56 57 31 52 39 4d 6b 6b 47 58 32 75 6d 73 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 39 64 34 31 62 64 33 36 33 30 39 66 65 34 61 38 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 6f 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 64 75 6d 4b 52 79 4a 6a 64 35 71 4a 5a 70 73 74 62 50 57 31 6d 6f 69 32 45 54 4c 63 59 6d 67 4d 51 49 2f 76 68 41 77 62 48 57 61 76 61 45 6a 49 6f 45 2f 56 39 63 5a 53 58 49 55 50 59 4b 76 4c 59 46 6e 74 47 38 4a 57 58 4d 2b 76 52 2b 50 4d 67 63 4f 58 61 55 2f 53 53 67 4f 61 54 6e 36 74 43 33 46 48 70 77 4b 4a 2f 75 41 38 33 Data Ascii: ATH 2 CON\DEVICE 1041MS-CV: 4hVW1R9MkkGX2ums.2Context: 9d41bd36309fe4a8<device><compact-ticket>t=EwCoAupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAdumKRyJjd5qJZpstbPW1moi2ETLcYmgMQI/vhAwbHWavaEjIoE/V9cZSXIUPYKvLYFntG8JWXM+vR+PMgcOXaU/SSgOaTn6tC3FHpwKJ/uA83
2024-04-18 09:19:33 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 34 68 56 57 31 52 39 4d 6b 6b 47 58 32 75 6d 73 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 39 64 34 31 62 64 33 36 33 30 39 66 65 34 61 38 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: 4hVW1R9MkkGX2ums.3Context: 9d41bd36309fe4a8<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2024-04-18 09:19:33 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-04-18 09:19:33 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 30 63 71 36 67 2f 62 2f 43 45 4b 76 52 46 57 6f 78 63 35 61 52 51 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: 0cq6g/b/CEKvRFWoxc5aRQ.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
14	192.168.2.6	49750	20.25.241.18	443

Timestamp	Bytes transferred	Direction	Data
2024-04-18 09:20:09 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 43 47 50 76 73 77 33 50 69 55 36 77 61 51 61 70 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 64 35 38 33 35 66 36 38 38 33 30 39 34 62 38 36 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: CGPvsw3PiU6waQap.1Context: d5835f6883094b86
2024-04-18 09:20:09 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-04-18 09:20:09 UTC	1064	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 34 31 0d 0a 4d 53 2d 43 56 3a 20 43 47 50 76 73 77 33 50 69 55 36 77 61 51 61 70 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 64 35 38 33 35 66 36 38 38 33 30 39 34 62 38 36 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 6f 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 64 75 6d 4b 52 79 4a 6a 64 35 71 4a 5a 70 73 74 62 50 57 31 6d 6f 69 32 45 54 4c 63 59 6d 67 4d 51 49 2f 76 68 41 77 62 48 57 61 76 61 45 6a 49 6f 45 2f 56 39 63 5a 53 58 49 55 50 59 4b 76 4c 59 46 6e 74 47 38 4a 57 58 4d 2b 76 52 2b 50 4d 67 63 4f 58 61 55 2f 53 53 67 4f 61 54 6e 36 74 43 33 46 48 70 77 4b 4a 2f 75 41 38 33 Data Ascii: ATH 2 CON\DEVICE 1041MS-CV: CGPvsw3PiU6waQap.2Context: d5835f6883094b86<device><compact-ticket>t=EwCoAupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAdumKRyJjd5qJZpstbPW1moi2ETLcYmgMQI/vhAwbHWavaEjIoE/V9cZSXIUPYKvLYFntG8JWXM+vR+PMgcOXaU/SSgOaTn6tC3FHpwKJ/uA83
2024-04-18 09:20:09 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 43 47 50 76 73 77 33 50 69 55 36 77 61 51 61 70 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 64 35 38 33 35 66 36 38 38 33 30 39 34 62 38 36 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: CGPvsw3PiU6waQap.3Context: d5835f6883094b86<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2024-04-18 09:20:09 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-04-18 09:20:09 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 75 6e 55 61 6c 65 32 4b 6e 6b 57 32 74 2f 71 2f 63 35 43 51 4b 51 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: unUale2KnkW2t/q/c5CQKQ.0Payload parsing failed.

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: chrome.exePID: 6932, Parent PID: 5884

General

Target ID:	0
Start time:	11:16:56
Start date:	18/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "C:\Users\user\Desktop\product1122.html"
Imagebase:	0x7ff684c40000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 6524, Parent PID: 6932

General

Target ID:	2
Start time:	11:17:01
Start date:	18/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 --field-trial-handle=2200,i,12531877602374010323,3505977888523723621,262144 /prefetch:8
Imagebase:	0x7ff684c40000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 2924, Parent PID: 6932

General

Target ID:	3
Start time:	11:17:02
Start date:	18/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5072 --field-trial-handle=2200,i,12531877602374010323,3505977888523723621,262144 /prefetch:8
Imagebase:	0x7ff684c40000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report product1122.html

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\Downloads\Unconfirmed 163765.crdownload (copy)

C:\Users\user\Downloads\Unconfirmed 462822.crdownload (copy)

C:\Users\user\Downloads\c46b6438-bd12-465d-b351-51dc91ef4986.tmp

C:\Users\user\Downloads\d384f462-4692-49be-a501-11ea5575a036.tmp

Static File Info

General

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: chrome.exePID: 6932, Parent PID: 5884

General

Chronological Activities

Analysis Process: chrome.exePID: 6524, Parent PID: 6932

General

Chronological Activities

Analysis Process: chrome.exePID: 2924, Parent PID: 6932

Windows Analysis Report
product1122.html