Edit tour

Windows Analysis Report
https://survey.willistowerswatson.com/en-us/LandingPage/782431729/FB29458F-911B-4631-8FE8-12B4B471D480/8C20C87D87

Overview

General Information

Sample URL:	https://survey.willistowerswatson.com/en-us/LandingPage/782431729/FB29458F-911B-4631-8FE8-12B4B471D480/8C20C87D87
Analysis ID:	1430842
Infos:

Detection

Score:	0
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

No high impact signatures.

Classification

Process Tree

System is w10x64

chrome.exe (PID: 5348 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 4960 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1992 --field-trial-handle=1948,i,12169517073971635681,17797137799426098641,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6480 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://survey.willistowerswatson.com/en-us/LandingPage/782431729/FB29458F-911B-4631-8FE8-12B4B471D480/8C20C87D87" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com

Source: https://iap.willistowerswatson.com/CookiePolicy/?language=en-us&survey=782431729	HTTP Parser: No favicon
Source: https://iap.willistowerswatson.com/CookiePolicy/?language=en-us&survey=782431729	HTTP Parser: No favicon

Source: unknown	HTTPS traffic detected: 23.206.6.29:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.206.6.29:443 -> 192.168.2.4:49745 version: TLS 1.2

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.6.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.6.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.6.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.6.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.6.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.6.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.6.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.6.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.6.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.6.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.6.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.6.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.6.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.6.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.6.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.6.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.6.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.6.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.6.29
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.234.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.234.57
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.234.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.234.57
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: chromecache_61.2.dr	String found in binary or memory: https://ei-prod-survey-cdn.azureedge.net/en-us/main.c267847677a42716.js
Source: chromecache_61.2.dr	String found in binary or memory: https://ei-prod-survey-cdn.azureedge.net/en-us/polyfills.aa6fdd30094ab9f5.js
Source: chromecache_61.2.dr	String found in binary or memory: https://ei-prod-survey-cdn.azureedge.net/en-us/runtime.fe1c70792f57c294.js
Source: chromecache_61.2.dr	String found in binary or memory: https://ei-prod-survey-cdn.azureedge.net/en-us/scripts.23a2834ff88a7136.js
Source: chromecache_59.2.dr	String found in binary or memory: https://getbootstrap.com/)
Source: chromecache_59.2.dr	String found in binary or memory: https://github.com/twbs/bootstrap/blob/main/LICENSE)

Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49672
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1992 --field-trial-handle=1948,i,12169517073971635681,17797137799426098641,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://survey.willistowerswatson.com/en-us/LandingPage/782431729/FB29458F-911B-4631-8FE8-12B4B471D480/8C20C87D87"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1992 --field-trial-handle=1948,i,12169517073971635681,17797137799426098641,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	1 Process Injection	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Source	Detection	Scanner	Label	Link
https://survey.willistowerswatson.com/en-us/LandingPage/782431729/FB29458F-911B-4631-8FE8-12B4B471D480/8C20C87D87	0%	Avira URL Cloud	safe
https://survey.willistowerswatson.com/en-us/LandingPage/782431729/FB29458F-911B-4631-8FE8-12B4B471D480/8C20C87D87	0%	Virustotal		Browse

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false	unknown
www.google.com	142.250.141.147	true	false	high
fp2e7a.wpc.phicdn.net	192.229.211.108	true	false	unknown
iap.willistowerswatson.com	unknown	unknown	false	high
survey.willistowerswatson.com	unknown	unknown	false	high

Name	Source	Malicious	Antivirus Detection	Reputation
https://getbootstrap.com/)	chromecache_59.2.dr	false		high
https://github.com/twbs/bootstrap/blob/main/LICENSE)	chromecache_59.2.dr	false		high

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
239.255.255.250	unknown	Reserved		unknown	unknown	false
142.250.141.147	www.google.com	United States		15169	GOOGLEUS	false

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1430842
Start date and time:	2024-04-24 09:49:25 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	https://survey.willistowerswatson.com/en-us/LandingPage/782431729/FB29458F-911B-4631-8FE8-12B4B471D480/8C20C87D87
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean0.win@19/24@10/3
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Browse: https://iap.willistowerswatson.com/CookiePolicy/?language=en-us&survey=782431729 Browse: https://iap.willistowerswatson.com/CookiePolicy/?language=en-us&survey=782431729 Browse: https://iap.willistowerswatson.com/CookiePolicy?language=en-us&survey=782431729

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JSON data
Category:	downloaded
Size (bytes):	46
Entropy (8bit):	4.367882402606357
Encrypted:	false
SSDEEP:	3:YDjwHNkKA2WxiHY:YQ2fi4
MD5:	6C83E583C751A6D0B48099EFF6236C71
SHA1:	03953214C2388C42B908FE673621F23073D84745
SHA-256:	58412ED991037617BD323AA799756638A8EA3BEEE272F0831B83CF63EB6F7ACD
SHA-512:	ADE752C9CD3A7C75AD51E6228D95230E94E84E5FEB132E7E46BDF2E1D15C66B59EEE13523F091678812C2CEDA386098B0C9E5BF1E95BA87386AD76FCFAF13791
Malicious:	false
Reputation:	low
URL:	https://survey.willistowerswatson.com/api/featureToggle/OSA-Redesign
Preview:	{"featureKey":"OSA-Redesign","isEnabled":true}

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (63844)
Category:	downloaded
Size (bytes):	588007
Entropy (8bit):	5.681855331237248
Encrypted:	false
SSDEEP:	12288:dAPuCsjc4atGWlqa4KVb4FoMNxQokFlT/UekBfDH8EYkQ0KzxxaE5XxR:CPuCsjc4atGWlqa4dekBfDH8EY
MD5:	00D22797DB3947148F840F2287FB6E99
SHA1:	B5EB108DB85B644276250ADF4E6A518631C64D44
SHA-256:	4B1280048745A687AFC9FE626286D39EDF763F7FD33DCD7A088AEB220A98B0EC
SHA-512:	3630A587127042D9C912ED61AB1324B098B9B07C3150DC1DD372E261086F19A3086F2BA4F4EDC4C0C84C7960CF471B27959426F45E3A3B995DB059CD141E1F10
Malicious:	false
Reputation:	low
URL:	https://ei-prod-survey-cdn.azureedge.net/en-us/main.c267847677a42716.js
Preview:	globalThis.$localize=Object.assign(globalThis.$localize \|\| {},{locale:"en-US"});."use strict";(function(global){global.ng=global.ng\|\|{};global.ng.common=global.ng.common\|\|{};global.ng.common.locales=global.ng.common.locales\|\|{};const u=undefined;function plural(val){const n=val,i=Math.floor(Math.abs(val)),v=val.toString().replace(/^[^.]*\.?/,"").length;if(i===1&&v===0)return 1;return 5}global.ng.common.locales["en"]=["en",[["a","p"],["AM","PM"],u],[["AM","PM"],u,u],[["S","M","T","W","T","F","S"],["Sun","Mon","Tue","Wed","Thu","Fri","Sat"],["Sunday","Monday","Tuesday","Wednesday","Thursday","Friday","Saturday"],["Su","Mo","Tu","We","Th","Fr","Sa"]],u,[["J","F","M","A","M","J","J","A","S","O","N","D"],["Jan","Feb","Mar","Apr","May","Jun","Jul","Aug","Sep","Oct","Nov","Dec"],["January","February","March","April","May","June","July","August","September","October","November","December"]],u,[["B","A"],["BC","AD"],["Before Christ","Anno Domini"]],0,[6,0],["M/d/yy","MMM d, y","MMMM d, y","EEEE

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 24, 2024 09:50:10.279453039 CEST	49675	443	192.168.2.4	173.222.162.32
Apr 24, 2024 09:50:19.882517099 CEST	49675	443	192.168.2.4	173.222.162.32
Apr 24, 2024 09:50:24.205848932 CEST	49742	443	192.168.2.4	142.250.141.147
Apr 24, 2024 09:50:24.205898046 CEST	443	49742	142.250.141.147	192.168.2.4
Apr 24, 2024 09:50:24.205971003 CEST	49742	443	192.168.2.4	142.250.141.147
Apr 24, 2024 09:50:24.206799984 CEST	49742	443	192.168.2.4	142.250.141.147
Apr 24, 2024 09:50:24.206818104 CEST	443	49742	142.250.141.147	192.168.2.4
Apr 24, 2024 09:50:24.572853088 CEST	443	49742	142.250.141.147	192.168.2.4
Apr 24, 2024 09:50:24.578860044 CEST	49742	443	192.168.2.4	142.250.141.147
Apr 24, 2024 09:50:24.578896046 CEST	443	49742	142.250.141.147	192.168.2.4
Apr 24, 2024 09:50:24.580466032 CEST	49743	443	192.168.2.4	23.206.6.29
Apr 24, 2024 09:50:24.580497980 CEST	443	49743	23.206.6.29	192.168.2.4
Apr 24, 2024 09:50:24.580717087 CEST	49743	443	192.168.2.4	23.206.6.29
Apr 24, 2024 09:50:24.580718040 CEST	443	49742	142.250.141.147	192.168.2.4
Apr 24, 2024 09:50:24.580785990 CEST	49742	443	192.168.2.4	142.250.141.147
Apr 24, 2024 09:50:24.583600998 CEST	49743	443	192.168.2.4	23.206.6.29
Apr 24, 2024 09:50:24.583614111 CEST	443	49743	23.206.6.29	192.168.2.4
Apr 24, 2024 09:50:24.585186005 CEST	49742	443	192.168.2.4	142.250.141.147
Apr 24, 2024 09:50:24.585288048 CEST	443	49742	142.250.141.147	192.168.2.4
Apr 24, 2024 09:50:24.637258053 CEST	49742	443	192.168.2.4	142.250.141.147
Apr 24, 2024 09:50:24.637290001 CEST	443	49742	142.250.141.147	192.168.2.4
Apr 24, 2024 09:50:24.685888052 CEST	49742	443	192.168.2.4	142.250.141.147
Apr 24, 2024 09:50:24.941380024 CEST	443	49743	23.206.6.29	192.168.2.4
Apr 24, 2024 09:50:24.941454887 CEST	49743	443	192.168.2.4	23.206.6.29
Apr 24, 2024 09:50:24.949652910 CEST	49743	443	192.168.2.4	23.206.6.29
Apr 24, 2024 09:50:24.949677944 CEST	443	49743	23.206.6.29	192.168.2.4
Apr 24, 2024 09:50:24.950062037 CEST	443	49743	23.206.6.29	192.168.2.4
Apr 24, 2024 09:50:24.997770071 CEST	49743	443	192.168.2.4	23.206.6.29
Apr 24, 2024 09:50:25.072546959 CEST	49743	443	192.168.2.4	23.206.6.29
Apr 24, 2024 09:50:25.120117903 CEST	443	49743	23.206.6.29	192.168.2.4
Apr 24, 2024 09:50:25.278491974 CEST	443	49743	23.206.6.29	192.168.2.4
Apr 24, 2024 09:50:25.278654099 CEST	443	49743	23.206.6.29	192.168.2.4
Apr 24, 2024 09:50:25.278729916 CEST	49743	443	192.168.2.4	23.206.6.29
Apr 24, 2024 09:50:25.279443026 CEST	49743	443	192.168.2.4	23.206.6.29
Apr 24, 2024 09:50:25.279459000 CEST	443	49743	23.206.6.29	192.168.2.4
Apr 24, 2024 09:50:25.279474020 CEST	49743	443	192.168.2.4	23.206.6.29
Apr 24, 2024 09:50:25.279479980 CEST	443	49743	23.206.6.29	192.168.2.4
Apr 24, 2024 09:50:25.314270020 CEST	49745	443	192.168.2.4	23.206.6.29
Apr 24, 2024 09:50:25.314301968 CEST	443	49745	23.206.6.29	192.168.2.4
Apr 24, 2024 09:50:25.314376116 CEST	49745	443	192.168.2.4	23.206.6.29
Apr 24, 2024 09:50:25.314675093 CEST	49745	443	192.168.2.4	23.206.6.29
Apr 24, 2024 09:50:25.314686060 CEST	443	49745	23.206.6.29	192.168.2.4
Apr 24, 2024 09:50:25.658659935 CEST	443	49745	23.206.6.29	192.168.2.4
Apr 24, 2024 09:50:25.658727884 CEST	49745	443	192.168.2.4	23.206.6.29
Apr 24, 2024 09:50:25.660028934 CEST	49745	443	192.168.2.4	23.206.6.29
Apr 24, 2024 09:50:25.660047054 CEST	443	49745	23.206.6.29	192.168.2.4
Apr 24, 2024 09:50:25.660295963 CEST	443	49745	23.206.6.29	192.168.2.4
Apr 24, 2024 09:50:25.661587954 CEST	49745	443	192.168.2.4	23.206.6.29
Apr 24, 2024 09:50:25.704121113 CEST	443	49745	23.206.6.29	192.168.2.4
Apr 24, 2024 09:50:25.996968031 CEST	443	49745	23.206.6.29	192.168.2.4
Apr 24, 2024 09:50:25.997049093 CEST	443	49745	23.206.6.29	192.168.2.4
Apr 24, 2024 09:50:25.997128963 CEST	49745	443	192.168.2.4	23.206.6.29
Apr 24, 2024 09:50:26.000276089 CEST	49745	443	192.168.2.4	23.206.6.29
Apr 24, 2024 09:50:26.000303030 CEST	443	49745	23.206.6.29	192.168.2.4
Apr 24, 2024 09:50:26.000319004 CEST	49745	443	192.168.2.4	23.206.6.29
Apr 24, 2024 09:50:26.000325918 CEST	443	49745	23.206.6.29	192.168.2.4
Apr 24, 2024 09:50:32.744743109 CEST	49672	443	192.168.2.4	173.222.162.32
Apr 24, 2024 09:50:32.744791031 CEST	443	49672	173.222.162.32	192.168.2.4
Apr 24, 2024 09:50:34.592168093 CEST	443	49742	142.250.141.147	192.168.2.4
Apr 24, 2024 09:50:34.592250109 CEST	443	49742	142.250.141.147	192.168.2.4
Apr 24, 2024 09:50:34.592308044 CEST	49742	443	192.168.2.4	142.250.141.147
Apr 24, 2024 09:50:36.051563025 CEST	49742	443	192.168.2.4	142.250.141.147
Apr 24, 2024 09:50:36.051630974 CEST	443	49742	142.250.141.147	192.168.2.4
Apr 24, 2024 09:51:24.125493050 CEST	49851	443	192.168.2.4	142.250.141.147
Apr 24, 2024 09:51:24.125531912 CEST	443	49851	142.250.141.147	192.168.2.4
Apr 24, 2024 09:51:24.125679016 CEST	49851	443	192.168.2.4	142.250.141.147
Apr 24, 2024 09:51:24.125965118 CEST	49851	443	192.168.2.4	142.250.141.147
Apr 24, 2024 09:51:24.125983000 CEST	443	49851	142.250.141.147	192.168.2.4
Apr 24, 2024 09:51:24.485517979 CEST	443	49851	142.250.141.147	192.168.2.4
Apr 24, 2024 09:51:24.486105919 CEST	49851	443	192.168.2.4	142.250.141.147
Apr 24, 2024 09:51:24.486119032 CEST	443	49851	142.250.141.147	192.168.2.4
Apr 24, 2024 09:51:24.487288952 CEST	443	49851	142.250.141.147	192.168.2.4
Apr 24, 2024 09:51:24.488251925 CEST	49851	443	192.168.2.4	142.250.141.147
Apr 24, 2024 09:51:24.488342047 CEST	443	49851	142.250.141.147	192.168.2.4
Apr 24, 2024 09:51:24.537039042 CEST	49851	443	192.168.2.4	142.250.141.147
Apr 24, 2024 09:51:27.032285929 CEST	49723	80	192.168.2.4	23.1.234.24
Apr 24, 2024 09:51:27.032668114 CEST	49724	80	192.168.2.4	23.1.234.57
Apr 24, 2024 09:51:27.192171097 CEST	80	49723	23.1.234.24	192.168.2.4
Apr 24, 2024 09:51:27.192244053 CEST	49723	80	192.168.2.4	23.1.234.24
Apr 24, 2024 09:51:27.192248106 CEST	80	49724	23.1.234.57	192.168.2.4
Apr 24, 2024 09:51:27.192321062 CEST	49724	80	192.168.2.4	23.1.234.57
Apr 24, 2024 09:51:34.510663986 CEST	443	49851	142.250.141.147	192.168.2.4
Apr 24, 2024 09:51:34.510835886 CEST	443	49851	142.250.141.147	192.168.2.4
Apr 24, 2024 09:51:34.510922909 CEST	49851	443	192.168.2.4	142.250.141.147
Apr 24, 2024 09:51:36.032052994 CEST	49851	443	192.168.2.4	142.250.141.147
Apr 24, 2024 09:51:36.032073975 CEST	443	49851	142.250.141.147	192.168.2.4

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 24, 2024 09:50:19.917504072 CEST	53	51931	1.1.1.1	192.168.2.4
Apr 24, 2024 09:50:19.920912981 CEST	53	62917	1.1.1.1	192.168.2.4
Apr 24, 2024 09:50:20.892600060 CEST	53	59426	1.1.1.1	192.168.2.4
Apr 24, 2024 09:50:21.488931894 CEST	54545	53	192.168.2.4	1.1.1.1
Apr 24, 2024 09:50:21.490147114 CEST	52351	53	192.168.2.4	1.1.1.1
Apr 24, 2024 09:50:24.048964977 CEST	55944	53	192.168.2.4	1.1.1.1
Apr 24, 2024 09:50:24.049431086 CEST	63119	53	192.168.2.4	1.1.1.1
Apr 24, 2024 09:50:24.203651905 CEST	53	55944	1.1.1.1	192.168.2.4
Apr 24, 2024 09:50:24.203676939 CEST	53	63119	1.1.1.1	192.168.2.4
Apr 24, 2024 09:50:29.400866032 CEST	57286	53	192.168.2.4	1.1.1.1
Apr 24, 2024 09:50:29.401247978 CEST	55716	53	192.168.2.4	1.1.1.1
Apr 24, 2024 09:50:34.100037098 CEST	59973	53	192.168.2.4	1.1.1.1
Apr 24, 2024 09:50:34.100908995 CEST	60918	53	192.168.2.4	1.1.1.1
Apr 24, 2024 09:50:38.001147985 CEST	53	54338	1.1.1.1	192.168.2.4
Apr 24, 2024 09:50:38.622648954 CEST	138	138	192.168.2.4	192.168.2.255
Apr 24, 2024 09:50:40.667769909 CEST	52579	53	192.168.2.4	1.1.1.1
Apr 24, 2024 09:50:40.667896986 CEST	60894	53	192.168.2.4	1.1.1.1
Apr 24, 2024 09:50:58.012873888 CEST	53	65214	1.1.1.1	192.168.2.4
Apr 24, 2024 09:51:20.195646048 CEST	53	54176	1.1.1.1	192.168.2.4
Apr 24, 2024 09:51:22.743225098 CEST	53	62960	1.1.1.1	192.168.2.4

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 24, 2024 09:50:21.763746023 CEST	1.1.1.1	192.168.2.4	0x48e0	No error (0)	survey.willistowerswatson.com	prod-osa.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 24, 2024 09:50:21.764379025 CEST	1.1.1.1	192.168.2.4	0x3179	No error (0)	survey.willistowerswatson.com	prod-osa.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 24, 2024 09:50:24.203651905 CEST	1.1.1.1	192.168.2.4	0x82dc	No error (0)	www.google.com		142.250.141.147	A (IP address)	IN (0x0001)	false
Apr 24, 2024 09:50:24.203651905 CEST	1.1.1.1	192.168.2.4	0x82dc	No error (0)	www.google.com		142.250.141.106	A (IP address)	IN (0x0001)	false
Apr 24, 2024 09:50:24.203651905 CEST	1.1.1.1	192.168.2.4	0x82dc	No error (0)	www.google.com		142.250.141.105	A (IP address)	IN (0x0001)	false
Apr 24, 2024 09:50:24.203651905 CEST	1.1.1.1	192.168.2.4	0x82dc	No error (0)	www.google.com		142.250.141.104	A (IP address)	IN (0x0001)	false
Apr 24, 2024 09:50:24.203651905 CEST	1.1.1.1	192.168.2.4	0x82dc	No error (0)	www.google.com		142.250.141.99	A (IP address)	IN (0x0001)	false
Apr 24, 2024 09:50:24.203651905 CEST	1.1.1.1	192.168.2.4	0x82dc	No error (0)	www.google.com		142.250.141.103	A (IP address)	IN (0x0001)	false
Apr 24, 2024 09:50:24.203676939 CEST	1.1.1.1	192.168.2.4	0xb039	No error (0)	www.google.com			65	IN (0x0001)	false
Apr 24, 2024 09:50:29.554582119 CEST	1.1.1.1	192.168.2.4	0x11fb	No error (0)	survey.willistowerswatson.com	prod-osa.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 24, 2024 09:50:29.554948092 CEST	1.1.1.1	192.168.2.4	0x5c5d	No error (0)	survey.willistowerswatson.com	prod-osa.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 24, 2024 09:50:34.322470903 CEST	1.1.1.1	192.168.2.4	0xd8ca	No error (0)	iap.willistowerswatson.com	prod-ees-app.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 24, 2024 09:50:34.322592974 CEST	1.1.1.1	192.168.2.4	0x89e7	No error (0)	iap.willistowerswatson.com	prod-ees-app.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 24, 2024 09:50:34.557518959 CEST	1.1.1.1	192.168.2.4	0x210c	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Apr 24, 2024 09:50:34.557518959 CEST	1.1.1.1	192.168.2.4	0x210c	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Apr 24, 2024 09:50:35.057710886 CEST	1.1.1.1	192.168.2.4	0xc89c	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 24, 2024 09:50:35.057710886 CEST	1.1.1.1	192.168.2.4	0xc89c	No error (0)	fp2e7a.wpc.phicdn.net		192.229.211.108	A (IP address)	IN (0x0001)	false
Apr 24, 2024 09:50:40.822000027 CEST	1.1.1.1	192.168.2.4	0x9983	No error (0)	iap.willistowerswatson.com	prod-ees-app.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 24, 2024 09:50:40.822022915 CEST	1.1.1.1	192.168.2.4	0x3cd4	No error (0)	iap.willistowerswatson.com	prod-ees-app.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 24, 2024 09:50:48.498091936 CEST	1.1.1.1	192.168.2.4	0x120a	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 24, 2024 09:50:48.498091936 CEST	1.1.1.1	192.168.2.4	0x120a	No error (0)	fp2e7a.wpc.phicdn.net		192.229.211.108	A (IP address)	IN (0x0001)	false
Apr 24, 2024 09:51:15.036391973 CEST	1.1.1.1	192.168.2.4	0xba15	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 24, 2024 09:51:15.036391973 CEST	1.1.1.1	192.168.2.4	0xba15	No error (0)	fp2e7a.wpc.phicdn.net		192.229.211.108	A (IP address)	IN (0x0001)	false
Apr 24, 2024 09:51:33.264127970 CEST	1.1.1.1	192.168.2.4	0x29b9	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 24, 2024 09:51:33.264127970 CEST	1.1.1.1	192.168.2.4	0x29b9	No error (0)	fp2e7a.wpc.phicdn.net		192.229.211.108	A (IP address)	IN (0x0001)	false

Timestamp	Bytes transferred	Direction	Data
2024-04-24 07:50:25 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-04-24 07:50:25 UTC	467	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (sac/2518) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-eus-z1 Cache-Control: public, max-age=256403 Date: Wed, 24 Apr 2024 07:50:25 GMT Connection: close X-CID: 2

Timestamp	Bytes transferred	Direction	Data
2024-04-24 07:50:25 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-04-24 07:50:25 UTC	531	IN	HTTP/1.1 200 OK Last-Modified: Tue, 16 May 2017 22:58:00 GMT ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Content-Type: application/octet-stream ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json X-Azure-Ref: 0Fz4RYwAAAACZW8dCTzveR7lI76J6Z2l5U0pDRURHRTA1MTgAY2VmYzI1ODMtYTliMi00NGE3LTk3NTUtYjc2ZDE3ZTA1Zjdm Cache-Control: public, max-age=256396 Date: Wed, 24 Apr 2024 07:50:25 GMT Content-Length: 55 Connection: close X-CID: 2
2024-04-24 07:50:25 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Target ID:	0
Start time:	09:50:13
Start date:	24/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	2
Start time:	09:50:17
Start date:	24/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1992 --field-trial-handle=1948,i,12169517073971635681,17797137799426098641,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	3
Start time:	09:50:20
Start date:	24/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://survey.willistowerswatson.com/en-us/LandingPage/782431729/FB29458F-911B-4631-8FE8-12B4B471D480/8C20C87D87"
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://survey.willistowerswatson.com/en-us/LandingPage/782431729/FB29458F-911B-4631-8FE8-12B4B471D480/8C20C87D87

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Phishing

Compliance

Networking

System Summary

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Chrome Cache Entry: 56

Chrome Cache Entry: 57

Chrome Cache Entry: 58

Chrome Cache Entry: 59

Chrome Cache Entry: 60

Chrome Cache Entry: 61

Chrome Cache Entry: 62

Chrome Cache Entry: 63

Chrome Cache Entry: 64

Chrome Cache Entry: 65

Chrome Cache Entry: 66

Chrome Cache Entry: 67

Chrome Cache Entry: 68

Chrome Cache Entry: 69

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: chrome.exePID: 5348, Parent PID: 2764

Windows Analysis Report
https://survey.willistowerswatson.com/en-us/LandingPage/782431729/FB29458F-911B-4631-8FE8-12B4B471D480/8C20C87D87

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre