Edit tour

Windows Analysis Report
http://fivemanchool.com/

Overview

General Information

Sample URL:	http://fivemanchool.com/
Analysis ID:	1431730
Infos:

Detection

Score:	1
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Stores files to the Windows start menu directory

Uses insecure TLS / SSL version for HTTPS connection

Classification

Process Tree

System is w10x64

chrome.exe (PID: 5412 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 1088 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1992,i,984321748144950978,16475274606096507306,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6192 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://fivemanchool.com/" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

HTTP traffic detected: POST /report/v4?s=aHA6hHFrch6Iy6MSaAqGaddYeU3nwTjFS3qN0ge9T70aFRB02C1GCuzUMeyapbr2PdDGKc1XJTKmj0qIXtrM%2BPwx7WJSXJYmtIJB%2BcQzHV9lyaJx13%2BoHEw1nrQfWrFPPwia HTTP/1.1Host: a.nel.cloudflare.comConnection: keep-aliveContent-Length: 387Content-Type: application/reports+jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 25 Apr 2024 15:13:51 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeX-Powered-By: ExpressAccess-Control-Allow-Origin: *Content-Security-Policy: default-src 'none'X-Content-Type-Options: nosniffCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aHA6hHFrch6Iy6MSaAqGaddYeU3nwTjFS3qN0ge9T70aFRB02C1GCuzUMeyapbr2PdDGKc1XJTKmj0qIXtrM%2BPwx7WJSXJYmtIJB%2BcQzHV9lyaJx13%2BoHEw1nrQfWrFPPwia"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 879f478589f47bb7-ATLalt-svc: h3=":443"; ma=86400

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713

Source: unknown	HTTPS traffic detected: 23.220.189.216:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.220.189.216:443 -> 192.168.2.5:49716 version: TLS 1.2

Source: classification engine

Classification label: clean1.win@17/8@8/5

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Jump to behavior

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1992,i,984321748144950978,16475274606096507306,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://fivemanchool.com/"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1992,i,984321748144950978,16475274606096507306,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Google Drive.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	1 Process Injection	1 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	4 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	5 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	3 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
http://fivemanchool.com/	0%	Avira URL Cloud	safe
http://fivemanchool.com/	4%	Virustotal		Browse

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false	unknown
a.nel.cloudflare.com	35.190.80.1	true	false	high
fivemanchool.com	172.67.199.216	true	false	unknown
www.google.com	142.250.105.104	true	false	high
fp2e7a.wpc.phicdn.net	192.229.211.108	true	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://a.nel.cloudflare.com/report/v4?s=aHA6hHFrch6Iy6MSaAqGaddYeU3nwTjFS3qN0ge9T70aFRB02C1GCuzUMeyapbr2PdDGKc1XJTKmj0qIXtrM%2BPwx7WJSXJYmtIJB%2BcQzHV9lyaJx13%2BoHEw1nrQfWrFPPwia	false		high
https://fivemanchool.com/	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
239.255.255.250	unknown	Reserved	unknown	unknown	false
172.67.199.216	fivemanchool.com	United States	13335	CLOUDFLARENETUS	false
35.190.80.1	a.nel.cloudflare.com	United States	15169	GOOGLEUS	false
142.250.105.104	www.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.5

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1431730
Start date and time:	2024-04-25 17:12:42 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	http://fivemanchool.com/
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean1.win@17/8@8/5
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.105.94, 74.125.136.113, 74.125.136.138, 74.125.136.139, 74.125.136.102, 74.125.136.100, 74.125.136.101, 142.251.15.84, 34.104.35.123, 20.12.23.50, 23.40.205.58, 192.229.211.108, 199.232.214.172, 52.165.164.15, 13.95.31.18, 23.40.205.9, 23.40.205.73, 23.40.205.16, 23.40.205.83, 23.40.205.75, 23.40.205.65, 23.40.205.57, 23.40.205.11
Excluded domains from analysis (whitelisted): fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, clientservices.googleapis.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-bg-shim.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net, fe3.delivery.mp.microsoft.com, clients2.google.com, edgedl.me.gvt1.com, ocsp.digicert.com, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, update.googleapis.com, clients.l.google.com, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtSetInformationFile calls found.

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Apr 25 14:13:49 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.9810091451328833
Encrypted:	false
SSDEEP:	48:8XYdKT2mcHFcidAKZdA19ehwiZUklqehHy+3:8BfFAy
MD5:	857E0BA5951CED042C9801875B5BE369
SHA1:	44ECB013BCB52677D2E8235DBC944DE341B3CBEB
SHA-256:	1258A827C35BFFAF97FE96BFDC301525176D6CB699D8CE63C41C1E97A2070486
SHA-512:	BEC0CD3550E4D692A8E872CAF91B31261DA2F897D0D8ADC9F0A97D7BE06ACF4E36805B839F04E136EFEFD62E4C4DAA60CE8A3CC59B99E235C41A6406F84AEBFE
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.....?.,#...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.X.y....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.y....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X.y....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X.y..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X.y...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............Nb......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Apr 25 14:13:49 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	3.9958205468263905
Encrypted:	false
SSDEEP:	48:8RdKT2mcHFcidAKZdA1weh/iZUkAQkqehwy+2:8Gff9QFy
MD5:	93CBF4BBBB5B31BD27BB3AFC80DFFEE8
SHA1:	C5612B8E10561E69D9CF87ED281C0A20192AD79E
SHA-256:	580412ED84B03FA48D4BCE9B7C8A976F62C2902D047A105F5C83A1F468C044BD
SHA-512:	2C483A10FC0D6F59E3F5CA73BC93260AC8A8958E7FA7C06D6E6D24A70B2F8D21F6C223861B9DE2027D62DD56A3EE34BC584B1F8AD2F4FC129223F2F00708DFB9
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.......,#...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.X.y....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.y....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X.y....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X.y..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X.y...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............Nb......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 4 12:54:07 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2693
Entropy (8bit):	4.004856588103312
Encrypted:	false
SSDEEP:	48:8xHdKT2msHFcidAKZdA14tseh7sFiZUkmgqeh7sOy+BX:8xEfvnEy
MD5:	B2B41C8F626A7664033AEE6530856D42
SHA1:	35D29038C49E725F748A8C32AE377B728C4F5504
SHA-256:	F09196A249AE3877F8F33581BCD5AA91C9E2441ED04752DBD3ABEE4827FCB587
SHA-512:	E47BB7F65F3EA845550CAC049091E89068C3C28F35BB12E99F382456B39ED2C18E34EE1E7FD20D192D97D7240D9BFD07C90C43F428146D983F20FD1AE95FEEE4
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......e>....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.X.y....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.y....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X.y....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X.y..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VDW.n...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............Nb......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Apr 25 14:13:48 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.992745561802172
Encrypted:	false
SSDEEP:	48:8hdKT2mcHFcidAKZdA1vehDiZUkwqehMy+R:8Wfc2y
MD5:	C6FFA9E4D678A3ECC6FACC2936E24ADA
SHA1:	BCB3AC040D7D7D0B6C1E06A830B09DEAC171B40F
SHA-256:	F4D1066AAFF0610D6A176D125CF9F01FE79475E9A5A2D202B72B3D497C9DDD3C
SHA-512:	9B8B7CA87FA000B61ED3C5545C94C1EAB0BB3B45F32FBA2F7DB35839D5452FDB755C5E3E2039E1C42F6A3C58B33BA004D41001EBDA19A0E4400E03053991B954
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....a.,#...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.X.y....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.y....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X.y....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X.y..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X.y...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............Nb......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Apr 25 14:13:49 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.983603820027197
Encrypted:	false
SSDEEP:	48:87dKT2mcHFcidAKZdA1hehBiZUk1W1qehiy+C:8wfs9Cy
MD5:	CFC6E029D985131BD9E624219428A6E7
SHA1:	A3BB6B90B3BD324FDECCB9D1147021698C468602
SHA-256:	C91158DF997F7C499D35DAF7E9530DC7A633C99BA542C2C4FCF37F87F7CA99B9
SHA-512:	8B2081692D43405D5B660C382158F37EC9306A80FBA00E6AD71CB9AB6E65448AD5FE017A9834F8C2CB2D453E523D83EEB3B3A485616B5A27F459BFCB67004AEF
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....q5.,#...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.X.y....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.y....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X.y....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X.y..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X.y...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............Nb......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Apr 25 14:13:48 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2683
Entropy (8bit):	3.9951672957350106
Encrypted:	false
SSDEEP:	48:8zdKT2mcHFcidAKZdA1duT+ehOuTbbiZUk5OjqehOuTbEy+yT+:8IfCT/TbxWOvTbEy7T
MD5:	2899D11DCFEF152FE2764B44492CE566
SHA1:	5CE73B39E3C129E68C6C1645C92C8829342D448F
SHA-256:	EB585BEDEFE48F13E9F2999D0258D7EF6B54A6A65F3AE49A4C35DDE05E4C9919
SHA-512:	71D74EB1A84EA04E1E853ABE8D9B5E422D65E21DDA086661B0F4A565065272FCFD619654AB8B965C23E2EAD74CAB3C1515E659FC1D63E84E8736FBA9DD9FC422
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....$.,#...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.X.y....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.y....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X.y....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X.y..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X.y...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............Nb......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Chrome Cache Entry: 59

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text
Category:	downloaded
Size (bytes):	139
Entropy (8bit):	4.717826995152233
Encrypted:	false
SSDEEP:	3:PouV7uJzhquHbtt6vYk2ZRMRJfHKERSAEtvxLrXZiLKY8K09AbBK6c4NGL:hxuJzhqIzyYk+qRU4zEdxXZiqsbBK34A
MD5:	DA7DA7D630292E7A2A7DDA8CA87B3D39
SHA1:	A4CB76424DC44433A2DF01FE8B0BBD836D15E970
SHA-256:	52C1E7A2C36BE28C42455FE1572D7D7918C3180CAD99A2B82DAA2A38A7E7BB23
SHA-512:	9E717F9C6699B280436CA9BE7107BA6301430D4DEF8311B963A266A5B3B91B2719687B04860509B6142FA24D629A3217BD450696559FE6D9DC8C60BCCFD740AD
Malicious:	false
Reputation:	low
URL:	https://fivemanchool.com/
Preview:	<!DOCTYPE html>.<html lang="en">.<head>.<meta charset="utf-8">.<title>Error</title>.</head>.<body>.<pre>Cannot GET /</pre>.</body>.</html>.

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 25, 2024 17:13:39.358289957 CEST	49675	443	192.168.2.5	23.1.237.91
Apr 25, 2024 17:13:39.358293056 CEST	49674	443	192.168.2.5	23.1.237.91
Apr 25, 2024 17:13:39.451957941 CEST	49673	443	192.168.2.5	23.1.237.91
Apr 25, 2024 17:13:49.014523983 CEST	49674	443	192.168.2.5	23.1.237.91
Apr 25, 2024 17:13:49.055480957 CEST	49675	443	192.168.2.5	23.1.237.91
Apr 25, 2024 17:13:49.055510998 CEST	49673	443	192.168.2.5	23.1.237.91
Apr 25, 2024 17:13:50.441850901 CEST	443	49703	23.1.237.91	192.168.2.5
Apr 25, 2024 17:13:50.441986084 CEST	49703	443	192.168.2.5	23.1.237.91
Apr 25, 2024 17:13:50.496324062 CEST	49709	443	192.168.2.5	142.250.105.104
Apr 25, 2024 17:13:50.496421099 CEST	443	49709	142.250.105.104	192.168.2.5
Apr 25, 2024 17:13:50.496509075 CEST	49709	443	192.168.2.5	142.250.105.104
Apr 25, 2024 17:13:50.496798992 CEST	49709	443	192.168.2.5	142.250.105.104
Apr 25, 2024 17:13:50.496830940 CEST	443	49709	142.250.105.104	192.168.2.5
Apr 25, 2024 17:13:50.529479027 CEST	49710	443	192.168.2.5	172.67.199.216
Apr 25, 2024 17:13:50.529517889 CEST	443	49710	172.67.199.216	192.168.2.5
Apr 25, 2024 17:13:50.529594898 CEST	49710	443	192.168.2.5	172.67.199.216
Apr 25, 2024 17:13:50.530112982 CEST	49710	443	192.168.2.5	172.67.199.216
Apr 25, 2024 17:13:50.530123949 CEST	443	49710	172.67.199.216	192.168.2.5
Apr 25, 2024 17:13:50.728002071 CEST	443	49709	142.250.105.104	192.168.2.5
Apr 25, 2024 17:13:50.728421926 CEST	49709	443	192.168.2.5	142.250.105.104
Apr 25, 2024 17:13:50.728476048 CEST	443	49709	142.250.105.104	192.168.2.5
Apr 25, 2024 17:13:50.729480982 CEST	443	49709	142.250.105.104	192.168.2.5
Apr 25, 2024 17:13:50.729574919 CEST	49709	443	192.168.2.5	142.250.105.104
Apr 25, 2024 17:13:50.730689049 CEST	49709	443	192.168.2.5	142.250.105.104
Apr 25, 2024 17:13:50.730763912 CEST	443	49709	142.250.105.104	192.168.2.5
Apr 25, 2024 17:13:50.761605024 CEST	443	49710	172.67.199.216	192.168.2.5
Apr 25, 2024 17:13:50.761904955 CEST	49710	443	192.168.2.5	172.67.199.216
Apr 25, 2024 17:13:50.761960030 CEST	443	49710	172.67.199.216	192.168.2.5
Apr 25, 2024 17:13:50.763109922 CEST	443	49710	172.67.199.216	192.168.2.5
Apr 25, 2024 17:13:50.763206005 CEST	49710	443	192.168.2.5	172.67.199.216
Apr 25, 2024 17:13:50.764372110 CEST	49710	443	192.168.2.5	172.67.199.216
Apr 25, 2024 17:13:50.764455080 CEST	443	49710	172.67.199.216	192.168.2.5
Apr 25, 2024 17:13:50.764615059 CEST	49710	443	192.168.2.5	172.67.199.216
Apr 25, 2024 17:13:50.764631987 CEST	443	49710	172.67.199.216	192.168.2.5
Apr 25, 2024 17:13:50.782754898 CEST	49709	443	192.168.2.5	142.250.105.104
Apr 25, 2024 17:13:50.782793045 CEST	443	49709	142.250.105.104	192.168.2.5
Apr 25, 2024 17:13:50.814132929 CEST	49710	443	192.168.2.5	172.67.199.216
Apr 25, 2024 17:13:50.829411030 CEST	49709	443	192.168.2.5	142.250.105.104
Apr 25, 2024 17:13:51.099225998 CEST	443	49710	172.67.199.216	192.168.2.5
Apr 25, 2024 17:13:51.099503040 CEST	443	49710	172.67.199.216	192.168.2.5
Apr 25, 2024 17:13:51.099581003 CEST	49710	443	192.168.2.5	172.67.199.216
Apr 25, 2024 17:13:51.100402117 CEST	49710	443	192.168.2.5	172.67.199.216
Apr 25, 2024 17:13:51.100420952 CEST	443	49710	172.67.199.216	192.168.2.5
Apr 25, 2024 17:13:51.217706919 CEST	49713	443	192.168.2.5	35.190.80.1
Apr 25, 2024 17:13:51.217742920 CEST	443	49713	35.190.80.1	192.168.2.5
Apr 25, 2024 17:13:51.217827082 CEST	49713	443	192.168.2.5	35.190.80.1
Apr 25, 2024 17:13:51.218066931 CEST	49713	443	192.168.2.5	35.190.80.1
Apr 25, 2024 17:13:51.218075991 CEST	443	49713	35.190.80.1	192.168.2.5
Apr 25, 2024 17:13:51.447568893 CEST	443	49713	35.190.80.1	192.168.2.5
Apr 25, 2024 17:13:51.448016882 CEST	49713	443	192.168.2.5	35.190.80.1
Apr 25, 2024 17:13:51.448034048 CEST	443	49713	35.190.80.1	192.168.2.5
Apr 25, 2024 17:13:51.449120045 CEST	443	49713	35.190.80.1	192.168.2.5
Apr 25, 2024 17:13:51.449209929 CEST	49713	443	192.168.2.5	35.190.80.1
Apr 25, 2024 17:13:51.450352907 CEST	49713	443	192.168.2.5	35.190.80.1
Apr 25, 2024 17:13:51.450545073 CEST	49713	443	192.168.2.5	35.190.80.1
Apr 25, 2024 17:13:51.450551033 CEST	443	49713	35.190.80.1	192.168.2.5
Apr 25, 2024 17:13:51.451689959 CEST	443	49713	35.190.80.1	192.168.2.5
Apr 25, 2024 17:13:51.498606920 CEST	49713	443	192.168.2.5	35.190.80.1
Apr 25, 2024 17:13:51.498616934 CEST	443	49713	35.190.80.1	192.168.2.5
Apr 25, 2024 17:13:51.545564890 CEST	49713	443	192.168.2.5	35.190.80.1
Apr 25, 2024 17:13:51.694098949 CEST	443	49713	35.190.80.1	192.168.2.5
Apr 25, 2024 17:13:51.694175005 CEST	443	49713	35.190.80.1	192.168.2.5
Apr 25, 2024 17:13:51.694231987 CEST	49713	443	192.168.2.5	35.190.80.1
Apr 25, 2024 17:13:51.694390059 CEST	49713	443	192.168.2.5	35.190.80.1
Apr 25, 2024 17:13:51.694407940 CEST	443	49713	35.190.80.1	192.168.2.5
Apr 25, 2024 17:13:51.694948912 CEST	49714	443	192.168.2.5	35.190.80.1
Apr 25, 2024 17:13:51.694986105 CEST	443	49714	35.190.80.1	192.168.2.5
Apr 25, 2024 17:13:51.695058107 CEST	49714	443	192.168.2.5	35.190.80.1
Apr 25, 2024 17:13:51.695274115 CEST	49714	443	192.168.2.5	35.190.80.1
Apr 25, 2024 17:13:51.695286989 CEST	443	49714	35.190.80.1	192.168.2.5
Apr 25, 2024 17:13:51.919888973 CEST	443	49714	35.190.80.1	192.168.2.5
Apr 25, 2024 17:13:51.920236111 CEST	49714	443	192.168.2.5	35.190.80.1
Apr 25, 2024 17:13:51.920258045 CEST	443	49714	35.190.80.1	192.168.2.5
Apr 25, 2024 17:13:51.920622110 CEST	443	49714	35.190.80.1	192.168.2.5
Apr 25, 2024 17:13:51.922756910 CEST	49714	443	192.168.2.5	35.190.80.1
Apr 25, 2024 17:13:51.922826052 CEST	443	49714	35.190.80.1	192.168.2.5
Apr 25, 2024 17:13:51.922947884 CEST	49714	443	192.168.2.5	35.190.80.1
Apr 25, 2024 17:13:51.964117050 CEST	443	49714	35.190.80.1	192.168.2.5
Apr 25, 2024 17:13:52.167332888 CEST	443	49714	35.190.80.1	192.168.2.5
Apr 25, 2024 17:13:52.167438984 CEST	443	49714	35.190.80.1	192.168.2.5
Apr 25, 2024 17:13:52.167521000 CEST	49714	443	192.168.2.5	35.190.80.1
Apr 25, 2024 17:13:52.168709040 CEST	49714	443	192.168.2.5	35.190.80.1
Apr 25, 2024 17:13:52.168728113 CEST	443	49714	35.190.80.1	192.168.2.5
Apr 25, 2024 17:13:53.465142012 CEST	49715	443	192.168.2.5	23.220.189.216
Apr 25, 2024 17:13:53.465181112 CEST	443	49715	23.220.189.216	192.168.2.5
Apr 25, 2024 17:13:53.465305090 CEST	49715	443	192.168.2.5	23.220.189.216
Apr 25, 2024 17:13:53.468379974 CEST	49715	443	192.168.2.5	23.220.189.216
Apr 25, 2024 17:13:53.468399048 CEST	443	49715	23.220.189.216	192.168.2.5
Apr 25, 2024 17:13:53.698041916 CEST	443	49715	23.220.189.216	192.168.2.5
Apr 25, 2024 17:13:53.698127031 CEST	49715	443	192.168.2.5	23.220.189.216
Apr 25, 2024 17:13:53.704169035 CEST	49715	443	192.168.2.5	23.220.189.216
Apr 25, 2024 17:13:53.704183102 CEST	443	49715	23.220.189.216	192.168.2.5
Apr 25, 2024 17:13:53.704457998 CEST	443	49715	23.220.189.216	192.168.2.5
Apr 25, 2024 17:13:53.748724937 CEST	49715	443	192.168.2.5	23.220.189.216
Apr 25, 2024 17:13:53.836076021 CEST	49715	443	192.168.2.5	23.220.189.216
Apr 25, 2024 17:13:53.880115032 CEST	443	49715	23.220.189.216	192.168.2.5
Apr 25, 2024 17:13:53.949038029 CEST	443	49715	23.220.189.216	192.168.2.5
Apr 25, 2024 17:13:53.949170113 CEST	443	49715	23.220.189.216	192.168.2.5
Apr 25, 2024 17:13:53.949229002 CEST	49715	443	192.168.2.5	23.220.189.216
Apr 25, 2024 17:13:53.949433088 CEST	49715	443	192.168.2.5	23.220.189.216
Apr 25, 2024 17:13:53.949450016 CEST	443	49715	23.220.189.216	192.168.2.5
Apr 25, 2024 17:13:54.012902021 CEST	49716	443	192.168.2.5	23.220.189.216
Apr 25, 2024 17:13:54.012931108 CEST	443	49716	23.220.189.216	192.168.2.5
Apr 25, 2024 17:13:54.013030052 CEST	49716	443	192.168.2.5	23.220.189.216
Apr 25, 2024 17:13:54.013474941 CEST	49716	443	192.168.2.5	23.220.189.216
Apr 25, 2024 17:13:54.013501883 CEST	443	49716	23.220.189.216	192.168.2.5
Apr 25, 2024 17:13:54.237711906 CEST	443	49716	23.220.189.216	192.168.2.5
Apr 25, 2024 17:13:54.237859964 CEST	49716	443	192.168.2.5	23.220.189.216
Apr 25, 2024 17:13:54.240418911 CEST	49716	443	192.168.2.5	23.220.189.216
Apr 25, 2024 17:13:54.240425110 CEST	443	49716	23.220.189.216	192.168.2.5
Apr 25, 2024 17:13:54.240703106 CEST	443	49716	23.220.189.216	192.168.2.5
Apr 25, 2024 17:13:54.242749929 CEST	49716	443	192.168.2.5	23.220.189.216
Apr 25, 2024 17:13:54.284159899 CEST	443	49716	23.220.189.216	192.168.2.5
Apr 25, 2024 17:13:54.456536055 CEST	443	49716	23.220.189.216	192.168.2.5
Apr 25, 2024 17:13:54.456619024 CEST	443	49716	23.220.189.216	192.168.2.5
Apr 25, 2024 17:13:54.456702948 CEST	49716	443	192.168.2.5	23.220.189.216
Apr 25, 2024 17:13:54.458820105 CEST	49716	443	192.168.2.5	23.220.189.216
Apr 25, 2024 17:13:54.458842039 CEST	443	49716	23.220.189.216	192.168.2.5
Apr 25, 2024 17:13:54.458892107 CEST	49716	443	192.168.2.5	23.220.189.216
Apr 25, 2024 17:13:54.458899021 CEST	443	49716	23.220.189.216	192.168.2.5
Apr 25, 2024 17:14:00.660152912 CEST	49703	443	192.168.2.5	23.1.237.91
Apr 25, 2024 17:14:00.660496950 CEST	49703	443	192.168.2.5	23.1.237.91
Apr 25, 2024 17:14:00.660948038 CEST	49720	443	192.168.2.5	23.1.237.91
Apr 25, 2024 17:14:00.660978079 CEST	443	49720	23.1.237.91	192.168.2.5
Apr 25, 2024 17:14:00.661051989 CEST	49720	443	192.168.2.5	23.1.237.91
Apr 25, 2024 17:14:00.664401054 CEST	49720	443	192.168.2.5	23.1.237.91
Apr 25, 2024 17:14:00.664417028 CEST	443	49720	23.1.237.91	192.168.2.5
Apr 25, 2024 17:14:00.725054979 CEST	443	49709	142.250.105.104	192.168.2.5
Apr 25, 2024 17:14:00.725122929 CEST	443	49709	142.250.105.104	192.168.2.5
Apr 25, 2024 17:14:00.725312948 CEST	49709	443	192.168.2.5	142.250.105.104
Apr 25, 2024 17:14:00.817814112 CEST	443	49703	23.1.237.91	192.168.2.5
Apr 25, 2024 17:14:00.818063974 CEST	443	49703	23.1.237.91	192.168.2.5
Apr 25, 2024 17:14:00.989516020 CEST	443	49720	23.1.237.91	192.168.2.5
Apr 25, 2024 17:14:00.989720106 CEST	49720	443	192.168.2.5	23.1.237.91
Apr 25, 2024 17:14:01.007427931 CEST	49720	443	192.168.2.5	23.1.237.91
Apr 25, 2024 17:14:01.007456064 CEST	443	49720	23.1.237.91	192.168.2.5
Apr 25, 2024 17:14:01.008578062 CEST	443	49720	23.1.237.91	192.168.2.5
Apr 25, 2024 17:14:01.008656979 CEST	49720	443	192.168.2.5	23.1.237.91
Apr 25, 2024 17:14:01.009201050 CEST	49720	443	192.168.2.5	23.1.237.91
Apr 25, 2024 17:14:01.009248018 CEST	443	49720	23.1.237.91	192.168.2.5
Apr 25, 2024 17:14:01.009483099 CEST	49720	443	192.168.2.5	23.1.237.91
Apr 25, 2024 17:14:01.009489059 CEST	443	49720	23.1.237.91	192.168.2.5
Apr 25, 2024 17:14:01.094288111 CEST	49709	443	192.168.2.5	142.250.105.104
Apr 25, 2024 17:14:01.094326973 CEST	443	49709	142.250.105.104	192.168.2.5
Apr 25, 2024 17:14:01.344192982 CEST	443	49720	23.1.237.91	192.168.2.5
Apr 25, 2024 17:14:01.344280958 CEST	49720	443	192.168.2.5	23.1.237.91
Apr 25, 2024 17:14:01.344568014 CEST	443	49720	23.1.237.91	192.168.2.5
Apr 25, 2024 17:14:01.344624996 CEST	443	49720	23.1.237.91	192.168.2.5
Apr 25, 2024 17:14:01.344683886 CEST	49720	443	192.168.2.5	23.1.237.91
Apr 25, 2024 17:14:01.344683886 CEST	49720	443	192.168.2.5	23.1.237.91
Apr 25, 2024 17:14:50.438889980 CEST	49727	443	192.168.2.5	142.250.105.104
Apr 25, 2024 17:14:50.438925028 CEST	443	49727	142.250.105.104	192.168.2.5
Apr 25, 2024 17:14:50.438986063 CEST	49727	443	192.168.2.5	142.250.105.104
Apr 25, 2024 17:14:50.439687014 CEST	49727	443	192.168.2.5	142.250.105.104
Apr 25, 2024 17:14:50.439702034 CEST	443	49727	142.250.105.104	192.168.2.5
Apr 25, 2024 17:14:50.664304018 CEST	443	49727	142.250.105.104	192.168.2.5
Apr 25, 2024 17:14:50.664644957 CEST	49727	443	192.168.2.5	142.250.105.104
Apr 25, 2024 17:14:50.664659023 CEST	443	49727	142.250.105.104	192.168.2.5
Apr 25, 2024 17:14:50.665030003 CEST	443	49727	142.250.105.104	192.168.2.5
Apr 25, 2024 17:14:50.665447950 CEST	49727	443	192.168.2.5	142.250.105.104
Apr 25, 2024 17:14:50.665524960 CEST	443	49727	142.250.105.104	192.168.2.5
Apr 25, 2024 17:14:50.717763901 CEST	49727	443	192.168.2.5	142.250.105.104
Apr 25, 2024 17:15:00.670389891 CEST	443	49727	142.250.105.104	192.168.2.5
Apr 25, 2024 17:15:00.670459986 CEST	443	49727	142.250.105.104	192.168.2.5
Apr 25, 2024 17:15:00.670523882 CEST	49727	443	192.168.2.5	142.250.105.104
Apr 25, 2024 17:15:01.094959974 CEST	49727	443	192.168.2.5	142.250.105.104
Apr 25, 2024 17:15:01.094995022 CEST	443	49727	142.250.105.104	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 25, 2024 17:13:48.804327011 CEST	53	50087	1.1.1.1	192.168.2.5
Apr 25, 2024 17:13:48.897367001 CEST	53	58438	1.1.1.1	192.168.2.5
Apr 25, 2024 17:13:49.516375065 CEST	53	52455	1.1.1.1	192.168.2.5
Apr 25, 2024 17:13:50.241878033 CEST	49230	53	192.168.2.5	1.1.1.1
Apr 25, 2024 17:13:50.245311975 CEST	54540	53	192.168.2.5	1.1.1.1
Apr 25, 2024 17:13:50.375240088 CEST	53	54540	1.1.1.1	192.168.2.5
Apr 25, 2024 17:13:50.380261898 CEST	55873	53	192.168.2.5	1.1.1.1
Apr 25, 2024 17:13:50.380378962 CEST	60722	53	192.168.2.5	1.1.1.1
Apr 25, 2024 17:13:50.382352114 CEST	55571	53	192.168.2.5	1.1.1.1
Apr 25, 2024 17:13:50.382496119 CEST	59026	53	192.168.2.5	1.1.1.1
Apr 25, 2024 17:13:50.386151075 CEST	53	49230	1.1.1.1	192.168.2.5
Apr 25, 2024 17:13:50.490456104 CEST	53	55873	1.1.1.1	192.168.2.5
Apr 25, 2024 17:13:50.492163897 CEST	53	60722	1.1.1.1	192.168.2.5
Apr 25, 2024 17:13:50.514141083 CEST	53	59026	1.1.1.1	192.168.2.5
Apr 25, 2024 17:13:50.528901100 CEST	53	55571	1.1.1.1	192.168.2.5
Apr 25, 2024 17:13:51.106041908 CEST	63324	53	192.168.2.5	1.1.1.1
Apr 25, 2024 17:13:51.106497049 CEST	63634	53	192.168.2.5	1.1.1.1
Apr 25, 2024 17:13:51.216569901 CEST	53	63634	1.1.1.1	192.168.2.5
Apr 25, 2024 17:13:51.217138052 CEST	53	63324	1.1.1.1	192.168.2.5
Apr 25, 2024 17:14:06.473397970 CEST	53	52004	1.1.1.1	192.168.2.5
Apr 25, 2024 17:14:25.476176977 CEST	53	62723	1.1.1.1	192.168.2.5
Apr 25, 2024 17:14:48.323272943 CEST	53	57523	1.1.1.1	192.168.2.5
Apr 25, 2024 17:14:48.329730034 CEST	53	57340	1.1.1.1	192.168.2.5

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Apr 25, 2024 17:13:50.386219025 CEST	192.168.2.5	1.1.1.1	c207	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 25, 2024 17:13:50.241878033 CEST	192.168.2.5	1.1.1.1	0x36eb	Standard query (0)	fivemanchool.com	A (IP address)	IN (0x0001)	false
Apr 25, 2024 17:13:50.245311975 CEST	192.168.2.5	1.1.1.1	0x3faf	Standard query (0)	fivemanchool.com	65	IN (0x0001)	false
Apr 25, 2024 17:13:50.380261898 CEST	192.168.2.5	1.1.1.1	0x9b2d	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Apr 25, 2024 17:13:50.380378962 CEST	192.168.2.5	1.1.1.1	0xcaee	Standard query (0)	www.google.com	65	IN (0x0001)	false
Apr 25, 2024 17:13:50.382352114 CEST	192.168.2.5	1.1.1.1	0xdbe	Standard query (0)	fivemanchool.com	A (IP address)	IN (0x0001)	false
Apr 25, 2024 17:13:50.382496119 CEST	192.168.2.5	1.1.1.1	0x751d	Standard query (0)	fivemanchool.com	65	IN (0x0001)	false
Apr 25, 2024 17:13:51.106041908 CEST	192.168.2.5	1.1.1.1	0xb797	Standard query (0)	a.nel.cloudflare.com	A (IP address)	IN (0x0001)	false
Apr 25, 2024 17:13:51.106497049 CEST	192.168.2.5	1.1.1.1	0xb517	Standard query (0)	a.nel.cloudflare.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 25, 2024 17:13:50.375240088 CEST	1.1.1.1	192.168.2.5	0x3faf	No error (0)	fivemanchool.com			65	IN (0x0001)	false
Apr 25, 2024 17:13:50.386151075 CEST	1.1.1.1	192.168.2.5	0x36eb	No error (0)	fivemanchool.com		172.67.199.216	A (IP address)	IN (0x0001)	false
Apr 25, 2024 17:13:50.386151075 CEST	1.1.1.1	192.168.2.5	0x36eb	No error (0)	fivemanchool.com		104.21.90.102	A (IP address)	IN (0x0001)	false
Apr 25, 2024 17:13:50.490456104 CEST	1.1.1.1	192.168.2.5	0x9b2d	No error (0)	www.google.com		142.250.105.104	A (IP address)	IN (0x0001)	false
Apr 25, 2024 17:13:50.490456104 CEST	1.1.1.1	192.168.2.5	0x9b2d	No error (0)	www.google.com		142.250.105.103	A (IP address)	IN (0x0001)	false
Apr 25, 2024 17:13:50.490456104 CEST	1.1.1.1	192.168.2.5	0x9b2d	No error (0)	www.google.com		142.250.105.147	A (IP address)	IN (0x0001)	false
Apr 25, 2024 17:13:50.490456104 CEST	1.1.1.1	192.168.2.5	0x9b2d	No error (0)	www.google.com		142.250.105.99	A (IP address)	IN (0x0001)	false
Apr 25, 2024 17:13:50.490456104 CEST	1.1.1.1	192.168.2.5	0x9b2d	No error (0)	www.google.com		142.250.105.106	A (IP address)	IN (0x0001)	false
Apr 25, 2024 17:13:50.490456104 CEST	1.1.1.1	192.168.2.5	0x9b2d	No error (0)	www.google.com		142.250.105.105	A (IP address)	IN (0x0001)	false
Apr 25, 2024 17:13:50.492163897 CEST	1.1.1.1	192.168.2.5	0xcaee	No error (0)	www.google.com			65	IN (0x0001)	false
Apr 25, 2024 17:13:50.514141083 CEST	1.1.1.1	192.168.2.5	0x751d	No error (0)	fivemanchool.com			65	IN (0x0001)	false
Apr 25, 2024 17:13:50.528901100 CEST	1.1.1.1	192.168.2.5	0xdbe	No error (0)	fivemanchool.com		172.67.199.216	A (IP address)	IN (0x0001)	false
Apr 25, 2024 17:13:50.528901100 CEST	1.1.1.1	192.168.2.5	0xdbe	No error (0)	fivemanchool.com		104.21.90.102	A (IP address)	IN (0x0001)	false
Apr 25, 2024 17:13:51.217138052 CEST	1.1.1.1	192.168.2.5	0xb797	No error (0)	a.nel.cloudflare.com		35.190.80.1	A (IP address)	IN (0x0001)	false
Apr 25, 2024 17:14:00.381124020 CEST	1.1.1.1	192.168.2.5	0x933f	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 25, 2024 17:14:00.381124020 CEST	1.1.1.1	192.168.2.5	0x933f	No error (0)	fp2e7a.wpc.phicdn.net		192.229.211.108	A (IP address)	IN (0x0001)	false
Apr 25, 2024 17:14:00.666209936 CEST	1.1.1.1	192.168.2.5	0xa59d	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Apr 25, 2024 17:14:00.666209936 CEST	1.1.1.1	192.168.2.5	0xa59d	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Apr 25, 2024 17:14:13.798110962 CEST	1.1.1.1	192.168.2.5	0x4a77	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Apr 25, 2024 17:14:13.798110962 CEST	1.1.1.1	192.168.2.5	0x4a77	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Apr 25, 2024 17:14:40.564454079 CEST	1.1.1.1	192.168.2.5	0xbd0a	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Apr 25, 2024 17:14:40.564454079 CEST	1.1.1.1	192.168.2.5	0xbd0a	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Apr 25, 2024 17:15:01.080327988 CEST	1.1.1.1	192.168.2.5	0x6b3c	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Apr 25, 2024 17:15:01.080327988 CEST	1.1.1.1	192.168.2.5	0x6b3c	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

fivemanchool.com

a.nel.cloudflare.com

fs.microsoft.com

https:

www.bing.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49710	172.67.199.216	443	1088	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-25 15:13:50 UTC	659	OUT	GET / HTTP/1.1 Host: fivemanchool.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-04-25 15:13:51 UTC	712	IN	HTTP/1.1 404 Not Found Date: Thu, 25 Apr 2024 15:13:51 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close X-Powered-By: Express Access-Control-Allow-Origin: * Content-Security-Policy: default-src 'none' X-Content-Type-Options: nosniff CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aHA6hHFrch6Iy6MSaAqGaddYeU3nwTjFS3qN0ge9T70aFRB02C1GCuzUMeyapbr2PdDGKc1XJTKmj0qIXtrM%2BPwx7WJSXJYmtIJB%2BcQzHV9lyaJx13%2BoHEw1nrQfWrFPPwia"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 879f478589f47bb7-ATL alt-svc: h3=":443"; ma=86400
2024-04-25 15:13:51 UTC	145	IN	Data Raw: 38 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 74 69 74 6c 65 3e 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 70 72 65 3e 43 61 6e 6e 6f 74 20 47 45 54 20 2f 3c 2f 70 72 65 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a Data Ascii: 8b<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><title>Error</title></head><body><pre>Cannot GET /</pre></body></html>
2024-04-25 15:13:51 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49713	35.190.80.1	443	1088	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-25 15:13:51 UTC	535	OUT	OPTIONS /report/v4?s=aHA6hHFrch6Iy6MSaAqGaddYeU3nwTjFS3qN0ge9T70aFRB02C1GCuzUMeyapbr2PdDGKc1XJTKmj0qIXtrM%2BPwx7WJSXJYmtIJB%2BcQzHV9lyaJx13%2BoHEw1nrQfWrFPPwia HTTP/1.1 Host: a.nel.cloudflare.com Connection: keep-alive Origin: https://fivemanchool.com Access-Control-Request-Method: POST Access-Control-Request-Headers: content-type User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-04-25 15:13:51 UTC	336	IN	HTTP/1.1 200 OK Content-Length: 0 access-control-max-age: 86400 access-control-allow-methods: POST, OPTIONS access-control-allow-origin: * access-control-allow-headers: content-type, content-length date: Thu, 25 Apr 2024 15:13:51 GMT Via: 1.1 google Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49714	35.190.80.1	443	1088	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-25 15:13:51 UTC	476	OUT	POST /report/v4?s=aHA6hHFrch6Iy6MSaAqGaddYeU3nwTjFS3qN0ge9T70aFRB02C1GCuzUMeyapbr2PdDGKc1XJTKmj0qIXtrM%2BPwx7WJSXJYmtIJB%2BcQzHV9lyaJx13%2BoHEw1nrQfWrFPPwia HTTP/1.1 Host: a.nel.cloudflare.com Connection: keep-alive Content-Length: 387 Content-Type: application/reports+json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-04-25 15:13:51 UTC	387	OUT	Data Raw: 5b 7b 22 61 67 65 22 3a 35 2c 22 62 6f 64 79 22 3a 7b 22 65 6c 61 70 73 65 64 5f 74 69 6d 65 22 3a 37 31 37 2c 22 6d 65 74 68 6f 64 22 3a 22 47 45 54 22 2c 22 70 68 61 73 65 22 3a 22 61 70 70 6c 69 63 61 74 69 6f 6e 22 2c 22 70 72 6f 74 6f 63 6f 6c 22 3a 22 68 74 74 70 2f 31 2e 31 22 2c 22 72 65 66 65 72 72 65 72 22 3a 22 22 2c 22 73 61 6d 70 6c 69 6e 67 5f 66 72 61 63 74 69 6f 6e 22 3a 31 2e 30 2c 22 73 65 72 76 65 72 5f 69 70 22 3a 22 31 37 32 2e 36 37 2e 31 39 39 2e 32 31 36 22 2c 22 73 74 61 74 75 73 5f 63 6f 64 65 22 3a 34 30 34 2c 22 74 79 70 65 22 3a 22 68 74 74 70 2e 65 72 72 6f 72 22 7d 2c 22 74 79 70 65 22 3a 22 6e 65 74 77 6f 72 6b 2d 65 72 72 6f 72 22 2c 22 75 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 66 69 76 65 6d 61 6e 63 68 6f 6f 6c 2e 63 6f Data Ascii: [{"age":5,"body":{"elapsed_time":717,"method":"GET","phase":"application","protocol":"http/1.1","referrer":"","sampling_fraction":1.0,"server_ip":"172.67.199.216","status_code":404,"type":"http.error"},"type":"network-error","url":"https://fivemanchool.co
2024-04-25 15:13:52 UTC	168	IN	HTTP/1.1 200 OK Content-Length: 0 date: Thu, 25 Apr 2024 15:13:51 GMT Via: 1.1 google Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49715	23.220.189.216	443

Timestamp	Bytes transferred	Direction	Data
2024-04-25 15:13:53 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-04-25 15:13:53 UTC	467	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (chd/0712) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-eus-z1 Cache-Control: public, max-age=143345 Date: Thu, 25 Apr 2024 15:13:53 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49716	23.220.189.216	443

Timestamp	Bytes transferred	Direction	Data
2024-04-25 15:13:54 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-04-25 15:13:54 UTC	521	IN	HTTP/1.1 206 Partial Content Accept-Ranges: bytes ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (chd/074E) X-CID: 11 Cache-Control: public, max-age=143343 Date: Thu, 25 Apr 2024 15:13:54 GMT Content-Range: bytes 0-54/55 Content-Length: 55 Connection: close X-CID: 2
2024-04-25 15:13:54 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port
5	192.168.2.5	49720	23.1.237.91	443

Timestamp	Bytes transferred	Direction	Data
2024-04-25 15:14:01 UTC	2148	OUT	POST /threshold/xls.aspx HTTP/1.1 Origin: https://www.bing.com Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init Accept: / Accept-Language: en-CH Content-type: text/xml X-Agent-DeviceId: 01000A410900D492 X-BM-CBT: 1696428841 X-BM-DateFormat: dd/MM/yyyy X-BM-DeviceDimensions: 784x984 X-BM-DeviceDimensionsLogical: 784x984 X-BM-DeviceScale: 100 X-BM-DTZ: 120 X-BM-Market: CH X-BM-Theme: 000000;0078d7 X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66E X-Device-ClientSession: DB0AFB19004F47BC80E5208C7478FF22 X-Device-isOptin: false X-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A} X-Device-OSSKU: 48 X-Device-Touch: false X-DeviceID: 01000A410900D492 X-MSEdge-ExternalExp: d-thshld39,d-thshld42,d-thshld77,d-thshld78,staticsh X-MSEdge-ExternalExpType: JointCoord X-PositionerType: Desktop X-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI X-Search-CortanaAvailableCapabilities: None X-Search-SafeSearch: Moderate X-Search-TimeZone: Bias=-60; DaylightBias=-60; TimeZoneKeyName=W. Europe Standard Time X-UserAgeClass: Unknown Accept-Encoding: gzip, deflate, br User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045 Host: www.bing.com Content-Length: 2484 Connection: Keep-Alive Cache-Control: no-cache Cookie: MUID=2F4E96DB8B7049E59AD4484C3C00F7CF; _SS=SID=1A6DEABB468B65843EB5F91B47916435&CPID=1714058008757&AC=1&CPH=d1a4eb75; _EDGE_S=SID=1A6DEABB468B65843EB5F91B47916435; SRCHUID=V=2&GUID=3D32B8AC657C4AD781A584E283227995&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20231004; SRCHHPGUSR=SRCHLANG=en&IPMH=986d886c&IPMID=1696428841029&HV=1696428756; CortanaAppUID=5A290E2CC4B523E2D8B5E2E3E4CB7CB7; MUIDB=2F4E96DB8B7049E59AD4484C3C00F7CF
2024-04-25 15:14:01 UTC	1	OUT	Data Raw: 3c Data Ascii: <
2024-04-25 15:14:01 UTC	2483	OUT	Data Raw: 43 6c 69 65 6e 74 49 6e 73 74 52 65 71 75 65 73 74 3e 3c 43 49 44 3e 33 36 34 34 46 44 37 34 44 46 31 36 36 31 38 46 30 38 46 37 45 43 30 33 44 45 35 35 36 30 30 31 3c 2f 43 49 44 3e 3c 45 76 65 6e 74 73 3e 3c 45 3e 3c 54 3e 45 76 65 6e 74 2e 43 6c 69 65 6e 74 49 6e 73 74 3c 2f 54 3e 3c 49 47 3e 37 35 32 32 38 31 35 36 37 30 33 41 34 30 44 35 42 39 37 45 35 41 36 38 33 36 46 32 41 31 43 45 3c 2f 49 47 3e 3c 44 3e 3c 21 5b 43 44 41 54 41 5b 7b 22 43 75 72 55 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 69 6e 67 2e 63 6f 6d 2f 41 53 2f 41 50 49 2f 57 69 6e 64 6f 77 73 43 6f 72 74 61 6e 61 50 61 6e 65 2f 56 32 2f 49 6e 69 74 22 2c 22 50 69 76 6f 74 22 3a 22 51 46 22 2c 22 54 22 3a 22 43 49 2e 42 6f 78 4d 6f 64 65 6c 22 2c 22 46 49 44 22 3a 22 43 49 Data Ascii: ClientInstRequest><CID>3644FD74DF16618F08F7EC03DE556001</CID><Events><E><T>Event.ClientInst</T><IG>75228156703A40D5B97E5A6836F2A1CE</IG><D><![CDATA[{"CurUrl":"https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init","Pivot":"QF","T":"CI.BoxModel","FID":"CI
2024-04-25 15:14:01 UTC	479	IN	HTTP/1.1 204 No Content Access-Control-Allow-Origin: * Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version X-MSEdge-Ref: Ref A: A35DE7C1FBA34B5BA0D10BF3D6DB4A74 Ref B: LAX311000109023 Ref C: 2024-04-25T15:14:01Z Date: Thu, 25 Apr 2024 15:14:01 GMT Connection: close Alt-Svc: h3=":443"; ma=93600 X-CDN-TraceID: 0.57ed0117.1714058041.b97910e

Target ID:	0
Start time:	17:13:40
Start date:	25/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	17:13:44
Start date:	25/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1992,i,984321748144950978,16475274606096507306,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	17:13:48
Start date:	25/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "http://fivemanchool.com/"
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: fivemanchool.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com

Source: global traffic	DNS traffic detected: DNS query: fivemanchool.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: a.nel.cloudflare.com

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report http://fivemanchool.com/

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Phishing

Compliance

Networking

System Summary

Boot Survival

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Chrome Cache Entry: 59

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: chrome.exePID: 5412, Parent PID: 5772

General

Chronological Activities

Analysis Process: chrome.exePID: 1088, Parent PID: 5412

General

Chronological Activities

Analysis Process: chrome.exePID: 6192, Parent PID: 5772

Windows Analysis Report
http://fivemanchool.com/