Edit tour

Windows Analysis Report
16868478965.zip

Overview

General Information

Sample name:	16868478965.zip
Analysis ID:	1432202
MD5:	733214131aefd5b444d67645aabea31d
SHA1:	dde61227cee755e7acab912185c08e0b976088ca
SHA256:	140cfbf97f4529fc0aa9c0552313d6aa3cb73ff8f700974592832c2af70794d1
Infos:

Detection

Score:	24
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Creates a process in suspended mode (likely to inject code)

Found WSH timer for Javascript or VBS script (likely evasive script)

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Classification

Analysis Advice

Sample searches for specific file, try point organization specific fake files to the analysis machine

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Process Tree

System is w10x64_ra

rundll32.exe (PID: 6168 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)

cmd.exe (PID: 6324 cmdline: "C:\Windows\System32\cmd.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wscript.exe (PID: 4992 cmdline: Wscript.exe e118042c448de6933f9e39157a96f6160d720504e1a0ca7c1f1ad2a59b1fdb7b MD5: A47CBE969EA935BDD3AB568BB126BC80)

wscript.exe (PID: 5388 cmdline: Wscript.exe e118042c448de6933f9e39157a96f6160d720504e1a0ca7c1f1ad2a59b1fdb7b MD5: A47CBE969EA935BDD3AB568BB126BC80)

wscript.exe (PID: 2212 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\e118042c448de6933f9e39157a96f6160d720504e1a0ca7c1f1ad2a59b1fdb7b.wsf" MD5: A47CBE969EA935BDD3AB568BB126BC80)

notepad.exe (PID: 828 cmdline: "C:\Windows\System32\Notepad.exe" C:\Users\user\Desktop\e118042c448de6933f9e39157a96f6160d720504e1a0ca7c1f1ad2a59b1fdb7b.wsf MD5: 27F71B12CB585541885A31BE22F61C83)

chrome.exe (PID: 6636 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:/// MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 1916 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=1952,i,10935312458211857013,12197516651097853539,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

wscript.exe (PID: 5336 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\e118042c448de6933f9e39157a96f6160d720504e1a0ca7c1f1ad2a59b1fdb7b.wsf" MD5: A47CBE969EA935BDD3AB568BB126BC80)

wscript.exe (PID: 2712 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\e118042c448de6933f9e39157a96f6160d720504e1a0ca7c1f1ad2a59b1fdb7b.wsf" MD5: A47CBE969EA935BDD3AB568BB126BC80)

cleanup

Sigma Signatures

System Summary

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\e118042c448de6933f9e39157a96f6160d720504e1a0ca7c1f1ad2a59b1fdb7b.wsf" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\e118042c448de6933f9e39157a96f6160d720504e1a0ca7c1f1ad2a59b1fdb7b.wsf" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4380, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\e118042c448de6933f9e39157a96f6160d720504e1a0ca7c1f1ad2a59b1fdb7b.wsf" , ProcessId: 2212, ProcessName: wscript.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: unknown	HTTPS traffic detected: 23.204.76.112:443 -> 192.168.2.16:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.204.76.112:443 -> 192.168.2.16:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.16:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.16:49710 version: TLS 1.2

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData	Jump to behavior

Source: Joe Sandbox View

IP Address: 239.255.255.250 239.255.255.250

Source: Joe Sandbox View

JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108

Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=zpZwU4wWXC12lhm&MD=xbs1fPkx HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=zpZwU4wWXC12lhm&MD=xbs1fPkx HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlqHLAQj2mM0BCIWgzQEI3L3NAQiRys0BCLnKzQEIx9HNAQiJ080BCNzTzQEIy9bNAQj01s0BCIrXzQEIp9jNAQj5wNQVGLrSzQEYy9jNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlqHLAQj2mM0BCIWgzQEI3L3NAQiRys0BCLnKzQEIx9HNAQiJ080BCNzTzQEIy9bNAQj01s0BCIrXzQEIp9jNAQj5wNQVGLrSzQEYy9jNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRmgZjcGLWJr7EGIjBgCFAM1f9f2JVtFcAl68Nik8-HM-sUxqyeXhNXBTmuC3DEYTca9cEJh0vEbFNX0HcyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlqHLAQj2mM0BCIWgzQEI3L3NAQiRys0BCLnKzQEIx9HNAQiJ080BCNzTzQEIy9bNAQj01s0BCIrXzQEIp9jNAQj5wNQVGLrSzQEYy9jNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-04-26-15; NID=513=Y-JAGje8DE_KOIz0txPQRLijdbeV1Zo6mJprYTLJrmy3ciS9Vfe7zTvv_3NaEwTShhzLRTn6zVhDGRw2Y9maTKuwoClBlN0VhT9EvCWdgumbZDKrYVNd7B6sAMP8de2C-fu5cXcdJ3F51UXF5AYzEK9zO7STMgYoy1G2ZVfPBGE
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRmgZjcGLWJr7EGIjCeAn0Wv0LSnacnC4V1dKrL7UjG__72MMSxdm2DsaR22sgw8W1aJz3BtBEVmIrVrLEyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-04-26-15; NID=513=Y-JAGje8DE_KOIz0txPQRLijdbeV1Zo6mJprYTLJrmy3ciS9Vfe7zTvv_3NaEwTShhzLRTn6zVhDGRw2Y9maTKuwoClBlN0VhT9EvCWdgumbZDKrYVNd7B6sAMP8de2C-fu5cXcdJ3F51UXF5AYzEK9zO7STMgYoy1G2ZVfPBGE

Source: global traffic

DNS traffic detected: DNS query: www.google.com

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 49688 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443

Source: unknown	HTTPS traffic detected: 23.204.76.112:443 -> 192.168.2.16:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.204.76.112:443 -> 192.168.2.16:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.16:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.16:49710 version: TLS 1.2

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: classification engine

Classification label: sus24.winZIP@25/8@2/3

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4360:120:WilError_03

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe Wscript.exe e118042c448de6933f9e39157a96f6160d720504e1a0ca7c1f1ad2a59b1fdb7b
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe Wscript.exe e118042c448de6933f9e39157a96f6160d720504e1a0ca7c1f1ad2a59b1fdb7b
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\e118042c448de6933f9e39157a96f6160d720504e1a0ca7c1f1ad2a59b1fdb7b.wsf"
Source: unknown	Process created: C:\Windows\System32\notepad.exe "C:\Windows\System32\Notepad.exe" C:\Users\user\Desktop\e118042c448de6933f9e39157a96f6160d720504e1a0ca7c1f1ad2a59b1fdb7b.wsf
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=1952,i,10935312458211857013,12197516651097853539,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\e118042c448de6933f9e39157a96f6160d720504e1a0ca7c1f1ad2a59b1fdb7b.wsf"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\e118042c448de6933f9e39157a96f6160d720504e1a0ca7c1f1ad2a59b1fdb7b.wsf"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe Wscript.exe e118042c448de6933f9e39157a96f6160d720504e1a0ca7c1f1ad2a59b1fdb7b	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe Wscript.exe e118042c448de6933f9e39157a96f6160d720504e1a0ca7c1f1ad2a59b1fdb7b	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=1952,i,10935312458211857013,12197516651097853539,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: textshaping.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: efswrt.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{06290BD0-48AA-11D2-8432-006008C3FBFC}\InprocServer32

Jump to behavior

Source: Slides.lnk.22.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.22.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Google Drive.lnk.22.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.22.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.22.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.22.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData	Jump to behavior

Source: wscript.exe, 00000012.00000003.1863217945.0000024A02C9F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wscript.exe, 00000012.00000003.1863217945.0000024A02C9F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\NTFS
Source: wscript.exe, 00000012.00000002.1880057752.0000024A02CC2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe Wscript.exe e118042c448de6933f9e39157a96f6160d720504e1a0ca7c1f1ad2a59b1fdb7b			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe Wscript.exe e118042c448de6933f9e39157a96f6160d720504e1a0ca7c1f1ad2a59b1fdb7b			Jump to behavior

Source: C:\Windows\System32\notepad.exe

Queries volume information: C:\Users\user\Desktop\e118042c448de6933f9e39157a96f6160d720504e1a0ca7c1f1ad2a59b1fdb7b.wsf VolumeInformation

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	Windows Management Instrumentation	1 Scripting	11 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Rundll32	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	1 Registry Run Keys / Startup Folder	11 Process Injection	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.google.com	142.250.217.164	true	false		high

Contacted URLs

Name	Malicious	Reputation
https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRmgZjcGLWJr7EGIjBgCFAM1f9f2JVtFcAl68Nik8-HM-sUxqyeXhNXBTmuC3DEYTca9cEJh0vEbFNX0HcyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM	false	high
https://www.google.com/async/newtab_promos	false	high
https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRmgZjcGLWJr7EGIjCeAn0Wv0LSnacnC4V1dKrL7UjG__72MMSxdm2DsaR22sgw8W1aJz3BtBEVmIrVrLEyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM	false	high
https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw	false	high
https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
142.250.217.164	www.google.com	United States		15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved		unknown	unknown	false

Private

IP
192.168.2.16

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1432202
Start date and time:	2024-04-26 17:12:01 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	16868478965.zip
Detection:	SUS
Classification:	sus24.winZIP@25/8@2/3
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .zip

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 192.178.50.67, 142.250.217.238, 173.194.212.84, 34.104.35.123
Excluded domains from analysis (whitelisted): fs.microsoft.com, clients2.google.com, accounts.google.com, edgedl.me.gvt1.com, slscr.update.microsoft.com, clientservices.googleapis.com, clients.l.google.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Source	URL
Screenshot	http://

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
239.255.255.250	https://downloads.locklizard.com/SafeguardPDFViewer_v3.exe	Get hash	malicious	Unknown	Browse
	https://cdp1.tracking.e360.salesforce.com/click?jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0ZW5hbnRfaWQiOiJhMzYwL3Byb2QvNTBhMGYyODg2ZTg4NDA3Y2I1ODUwYmRjOWQwZGIxZTUiLCJjcmVhdGlvbl90aW1lIjoxNzE0MTM3MzAwLCJtZXNzYWdlX2lkIjoiMGd5MGJnNjBqOTJwcmNuZjhhNHNxYWpwIzZjY2RmYjMyLWJiNzgtNGQwNC1hYWYwLTg3MjdkMTg4MjZlMyIsImNoYW5uZWxfdHlwZSI6ImVtYWlsIiwiZXhwIjoxNzQ1NjczMzAwLCJyZWRpcmVjdF91cmwiOiJodHRwczovL3ZtbWVzc2FuZ2VyLnJkb2NtZ2xvYmFsLmNvbS9kb2NzL2luZGV4LnBocD9tYWlsPSUyMGhiYXJ0aGxvd0BzZWN1cnVzdGVjaG5vbG9naWVzLmNvbSZwYXRocz1hYm92ZSZsaW5rPUZheF9PdXRsb29rIiwiaW5kaXZpZHVhbF9pZCI6IjQ0NDY4NzI5YzA1N2Q5ZDJjYzNiYjZlOTc3NDg3MzUyIn0.AryFGbNWOut6hGg1x_WBQ4QL5QU_wggDk6q2PUj7rNI	Get hash	malicious	Captcha Phish	Browse
	https://srmcorp.tecuidoc.com/?PSZlk=ViP	Get hash	malicious	HTMLPhisher	Browse
	gq83mrprwy.exe	Get hash	malicious	Xmrig	Browse
	http://url9212.charteredarena.org/ls/click?upn=u001.kjyKVeM-2Fb1rGOGHOnr1jOBOY3L3JqbNTsl6-2FG2Q28FBbMvScULOdn5hj4fYmOT1gSvNV_eFFQU5nW4TX33oYM-2FvMZ4H4nrQnEbWOt7nYb46lhhradIe8kQ30nH41Yux5-2ByqjXVzNOeRGeH70TSwGBG-2FsCyfS-2BqFuy7r7yA-2BMVhshonhVyPepAGojJAWOStPfHQEXVhS9QapMz6-2FLiLkIDitr77rwl6cV3-2BOVbi0qMHcpubANPDna-2BAJRWKHhsn2J-2BHsm2h-2B1n0PvhIvECyeSGKW-2FdmoYnwMnfXv-2F0VHDQdAF4JyTklFAWOdWvqmq9QaL29M0Lqvm9PdkAaDucmiv1yWhzGJ-2FSlIlic4yMaUzKSM2tXbVKRT-2BcTJHrLGjV82z-2BxMi-2FPWDvS9vQSeDz0xjN0gvzYnMQqfZiJ7fdvgXYvIvcGvziknMmHkQ7sUHmtLIGr6gsv-2FI2qInnZxnaJ1Ow7w3sMmgc-2FLcAEaJe5QnWJ5qez1H3mc7J1f4VLI4PyjCxv7syUPC13rDkwMklRiABfKztYQ3n9LW3FeH4hgMGYJgJovBs-2FKlVUipIzO24iLrfZpg-2FS6-2Fvp-2BRnBXh4Gim5LY7NxdelnIZomgKJ8r1gxfM163jd5ekCcUFZcZJn8BUr-2FrBOq6vvyf5Ut44ln9oAHSsmy2ecvwUHxQ-2Bo0mJA2r9a8FeSV3APNVBZowUa1ZGpOSvbZRLc6uZxrFl3fSWY774fhm-2Fl3qG7s-2BRWj2lGIHB3NEqH1X520Diu5Le7soeKgWoeaLCSrT5v7lt-2B7XayjukGYP4Yz5jSqZD2gXDxl443sgS6brqBQ3LKHfRN7s2NZ-2F6nWblHw6-2BLG-2FTduGCq0lMfhnVz7mFWLyKhJHvoE3C2dN6qv1-2FpHnRcIGopoYVEdZ-2F182c7Ll7OsxlzgTKemGKriHFjxwOhwkIoHVdgcJWnLS8-3D	Get hash	malicious	Unknown	Browse
	https://runrun.it/share/form/0GZMCgHSxRh4PBOM	Get hash	malicious	HTMLPhisher	Browse
	Dragons Dogma 2 v1.0 Plus 36 Trainer.exe	Get hash	malicious	Unknown	Browse
	http://421225.tctm.xyz	Get hash	malicious	Unknown	Browse
	InmateExport.exe	Get hash	malicious	Unknown	Browse
	http://www.technology-trend.com	Get hash	malicious	Unknown	Browse

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	https://downloads.locklizard.com/SafeguardPDFViewer_v3.exe	Get hash	malicious	Unknown	Browse	23.204.76.112 20.114.59.183
	https://cdp1.tracking.e360.salesforce.com/click?jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0ZW5hbnRfaWQiOiJhMzYwL3Byb2QvNTBhMGYyODg2ZTg4NDA3Y2I1ODUwYmRjOWQwZGIxZTUiLCJjcmVhdGlvbl90aW1lIjoxNzE0MTM3MzAwLCJtZXNzYWdlX2lkIjoiMGd5MGJnNjBqOTJwcmNuZjhhNHNxYWpwIzZjY2RmYjMyLWJiNzgtNGQwNC1hYWYwLTg3MjdkMTg4MjZlMyIsImNoYW5uZWxfdHlwZSI6ImVtYWlsIiwiZXhwIjoxNzQ1NjczMzAwLCJyZWRpcmVjdF91cmwiOiJodHRwczovL3ZtbWVzc2FuZ2VyLnJkb2NtZ2xvYmFsLmNvbS9kb2NzL2luZGV4LnBocD9tYWlsPSUyMGhiYXJ0aGxvd0BzZWN1cnVzdGVjaG5vbG9naWVzLmNvbSZwYXRocz1hYm92ZSZsaW5rPUZheF9PdXRsb29rIiwiaW5kaXZpZHVhbF9pZCI6IjQ0NDY4NzI5YzA1N2Q5ZDJjYzNiYjZlOTc3NDg3MzUyIn0.AryFGbNWOut6hGg1x_WBQ4QL5QU_wggDk6q2PUj7rNI	Get hash	malicious	Captcha Phish	Browse	23.204.76.112 20.114.59.183
	https://srmcorp.tecuidoc.com/?PSZlk=ViP	Get hash	malicious	HTMLPhisher	Browse	23.204.76.112 20.114.59.183
	gq83mrprwy.exe	Get hash	malicious	Xmrig	Browse	23.204.76.112 20.114.59.183
	https://runrun.it/share/form/0GZMCgHSxRh4PBOM	Get hash	malicious	HTMLPhisher	Browse	23.204.76.112 20.114.59.183
	Dragons Dogma 2 v1.0 Plus 36 Trainer.exe	Get hash	malicious	Unknown	Browse	23.204.76.112 20.114.59.183
	http://421225.tctm.xyz	Get hash	malicious	Unknown	Browse	23.204.76.112 20.114.59.183
	InmateExport.exe	Get hash	malicious	Unknown	Browse	23.204.76.112 20.114.59.183
	http://www.technology-trend.com	Get hash	malicious	Unknown	Browse	23.204.76.112 20.114.59.183
	https://gelw.nalverd.com/AvGEoxV/	Get hash	malicious	HTMLPhisher	Browse	23.204.76.112 20.114.59.183

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Apr 26 14:13:57 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2673
Entropy (8bit):	3.988609153701898
Encrypted:	false
SSDEEP:	48:8HIOdBTpNxH/idAKZdA1FehwiZUklqehGy+3:8Hb//dy
MD5:	735F3434D76FE6EE6F9C9C27B3889D4C
SHA1:	ED57BBCA29EE518EF0369E270558B48585AA199A
SHA-256:	A35C7F613987BDCFFBB787765741CE960D16B1E132D3C7AE4ED269A5CFF5F9B6
SHA-512:	73E52791A5414057DC7A49187BE18E8FB2E49C760261CFCC388C1944B176973B615C17DC8CF24D9CC330C825805D30041919E64032ED48035C1B4B2C84C1274C
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,..../=.[...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.X.y....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.y....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X.y....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X.y..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X.y...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........z.GE.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Apr 26 14:13:56 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2675
Entropy (8bit):	4.003785900430692
Encrypted:	false
SSDEEP:	48:8wzOdBTpNxH/idAKZdA1seh/iZUkAQkqehNy+2:8ws/J9QQy
MD5:	EB1749AF5FE9E275E708DF215185C71B
SHA1:	81B2132AADC7EC894FE271579DD073AD5DD860CF
SHA-256:	8ECE53F724FB482C44154B32441FE2BDFC48372723DB9C378918D7B217070295
SHA-512:	4631DF9D035D46D6C4261B1C2B68E3DD2BF510B67093FF1760266D3156424B1AA15D4E22A1EC54F1209B5029224BA52B013ABA95443282411D0FCFA890B92444
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.......[...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.X.y....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.y....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X.y....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X.y..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X.y...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........z.GE.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:05:01 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2689
Entropy (8bit):	4.009738397521359
Encrypted:	false
SSDEEP:	48:8XOdBTpNAH/idAKZdA14meh7sFiZUkmgqeh7sHy+BX:8Q/Onxy
MD5:	58169B65982CAA29AADF343A15823ACD
SHA1:	A02600BCA55815B5834A78BB4039A03EB1EBCC14
SHA-256:	0C43EDF1937C3D9E1014EDB6C63746A89D298E2170AA33D48B7CCB6CC93AA511
SHA-512:	BBD6530E98372D2BC2BB82D5C1F6E41C64DEA7D8E11300D0A2AF74B5BFCAD8E3D6A05A8FC528CFBA222B83CC5E5E33B83B2912850A2D65C36746BF73B0F348A8
Malicious:	false
Preview:	L..................F.@.. ...$+.,.....Y.04...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.X.y....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.y....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X.y....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X.y..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VFW.E...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........z.GE.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Apr 26 14:13:56 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	4.005191649215642
Encrypted:	false
SSDEEP:	48:8iOOdBTpNxH/idAKZdA1TehDiZUkwqehJy+R:84/afy
MD5:	1F08ED6416AC4FFBDA9A10967B1AC40E
SHA1:	4F6CD8C9C8AD1C3E7B074740D16DA258BF1ED06E
SHA-256:	B0154F4721E037609969A3D226E6B271CDDBD80FD8E5A01899C46E37FD904479
SHA-512:	9C90E260F51EADFF2EFE97414229BEC37411EFE4352E87F90599432C32CF16295F025BDDADEB6085DF05258532C0CA43A9D042D9A391BBF33A8371B455A711A3
Malicious:	false
Preview:	L..................F.@.. ...$+.,.......[...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.X.y....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.y....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X.y....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X.y..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X.y...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........z.GE.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Apr 26 14:13:57 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.990299806092194
Encrypted:	false
SSDEEP:	48:8fOdBTpNxH/idAKZdA1dehBiZUk1W1qehLy+C:8Y/69ry
MD5:	06DCDE589C6C20B73EDA1C3D2033B0C3
SHA1:	092B7B10B6B76E3F2308C31DB9362A616865CC38
SHA-256:	DB1FB86EE7BA968D4AA6F6A00AF598E4E2310DCD0A499D66AE9286389400EF59
SHA-512:	D49D08F81F6743920BBF1538A6BF0DD35FB0B1AF4B8BB4C4129206DA35521304BDFBD0D9EA4A15C7EE077998587ACC40A6F79BF738D3277A989285E3D4A95390
Malicious:	false
Preview:	L..................F.@.. ...$+.,....Xx.[...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.X.y....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.y....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X.y....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X.y..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X.y...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........z.GE.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Apr 26 14:13:56 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	4.001944986790993
Encrypted:	false
SSDEEP:	48:8dOdBTpNxH/idAKZdA1duTeehOuTbbiZUk5OjqehOuTbxy+yT+:82/QTfTbxWOvTbxy7T
MD5:	E7A07F25E1F8130F125FCA968CE4DE37
SHA1:	E8C1517D5A86F7B5C07BD44A8FF7879217541592
SHA-256:	419384D01DFDED7FFFBAAD1D12C220EE1194CBA389DA48681991DF7FDEB63DDD
SHA-512:	16C7ACE43C24AD831806E0D2122788C59FBEA0E64E17E5AAE3AE5816FE8D131B7D17E3A27CCA7988FF8D8587B368A1DFC7DDFD9B5C7B68F1DBDD57709FFE176B
Malicious:	false
Preview:	L..................F.@.. ...$+.,.......[...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.X.y....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.y....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X.y....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X.y..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X.y...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........z.GE.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Chrome Cache Entry: 55

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (3829)
Category:	downloaded
Size (bytes):	3834
Entropy (8bit):	5.841045534526931
Encrypted:	false
SSDEEP:	96:cliXIN6666VrzTDIKW5JZprSsw8jVT/MuWUy81S9z5ffffQfo:qtN6666VjDY5JZprG8xf+9FX
MD5:	BA39EA8A8139C233DC158792D2265B91
SHA1:	C9C736374E1D172F320413A10D636316D9EC0C74
SHA-256:	F8A499E561142C983594898655624B9862E13FB450C241E3E442D71C5E4EE1CA
SHA-512:	A2946FA625CB412FDBDBBB8733DDAAFA89893F2E85F3466F87BF604F47E0F500076A028E700CAE729D1C109A88F6D3DB2465ED755DBB11E06E933996C347AE53
Malicious:	false
URL:	https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw
Preview:	)]}'.["",["million dollar baby lyrics tommy richman","laguardia airport","packers nfl draft picks","reddit outage","manor lords early access","wordle today answer april 26","cicadas south carolina","new orleans saints draft picks"],["","","","","","","",""],[],{"google:clientdata":{"bpc":false,"tlw":false},"google:groupsinfo":"ChgIkk4SEwoRVHJlbmRpbmcgc2VhcmNoZXM\u003d","google:suggestdetail":[{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"google:entityinfo":"Cg0vZy8xMWp2bjZ6eV82EhpNYW5vciBMb3JkcyDigJQgVmlkZW8gZ2FtZTK3EGRhdGE6aW1hZ2UvanBlZztiYXNlNjQsLzlqLzRBQVFTa1pKUmdBQkFRQUFBUUFCQUFELzJ3Q0VBQWtHQndnSEJna0lCd2dLQ2drTERSWVBEUXdNRFJzVUZSQVdJQjBpSWlBZEh4OGtLRFFzSkNZeEp4OGZMVDB0TVRVM09qbzZJeXMvUkQ4NFF6UTVPamNCQ2dvS0RRd05HZzhQR2pjbEh5VTNOemMzTnpjM056YzNOemMzTnpjM056YzNOemMzTnpjM056YzNOemMzTnpjM056YzNOemMzTnpjM056YzNOemMzTi8vQUFCRUlBRUFBUUFNQklnQUNFUUVERVFIL3hBQWFBQUFDQXdFQkFBQUFBQUFBQUFBQUFBQUVCZ01GQndJQi84UUFNUkFBQWdFREF3TURBZ1VEQlFBQUFBQUFBUUlEQkFVUkFCSWhFekZCQmxHQkluRVVNbUdSb1NQUj

Static File Info

General

File type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Entropy (8bit):	7.99928379837969
TrID:	ZIP compressed archive (8000/1) 99.91% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.09%
File name:	16868478965.zip
File size:	271'505 bytes
MD5:	733214131aefd5b444d67645aabea31d
SHA1:	dde61227cee755e7acab912185c08e0b976088ca
SHA256:	140cfbf97f4529fc0aa9c0552313d6aa3cb73ff8f700974592832c2af70794d1
SHA512:	ba09207060cfe24a2870e5137fb1d6d16b3cccee520426bcca9b339736e72911b65572dba410eda5020bd9177f82a47bb3394af4f98a95727fb22dde6bad4e87
SSDEEP:	6144:oAjgKuvKtzhJKwGOuKdnKLwXCp9SJpfyvg9u6n2+zkQS5le:o+TddnK8I9mpTtn2+zkQx
TLSH:	964422569C2F44EDA3A600B3F731D3137056E7E7C3E7DAA0AA75A701268A28137503A6
File Content Preview:	PK........................@...e118042c448de6933f9e39157a96f6160d720504e1a0ca7c1f1ad2a59b1fdb7b...7o6M9...c.V.jW..rrS.>....F}..K<?..9I...A.;...........].._fx...RYy.`1.#.z....E4..M..z...xP...iI&..b.9Z...M.$..$.K.;...=...K..z...o..@.CE ..W...."msk....+...<..

File Icon


Icon Hash:	1c1c1e4e4ececedc

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 26, 2024 17:12:33.738728046 CEST	49673	443	192.168.2.16	204.79.197.203
Apr 26, 2024 17:12:34.045583963 CEST	49673	443	192.168.2.16	204.79.197.203
Apr 26, 2024 17:12:34.655579090 CEST	49673	443	192.168.2.16	204.79.197.203
Apr 26, 2024 17:12:35.856601954 CEST	49673	443	192.168.2.16	204.79.197.203
Apr 26, 2024 17:12:35.907141924 CEST	49689	80	192.168.2.16	192.229.211.108
Apr 26, 2024 17:12:38.268627882 CEST	49673	443	192.168.2.16	204.79.197.203
Apr 26, 2024 17:12:40.236238003 CEST	49707	443	192.168.2.16	23.204.76.112
Apr 26, 2024 17:12:40.236289024 CEST	443	49707	23.204.76.112	192.168.2.16
Apr 26, 2024 17:12:40.236396074 CEST	49707	443	192.168.2.16	23.204.76.112
Apr 26, 2024 17:12:40.248786926 CEST	49707	443	192.168.2.16	23.204.76.112
Apr 26, 2024 17:12:40.248811007 CEST	443	49707	23.204.76.112	192.168.2.16
Apr 26, 2024 17:12:40.517755032 CEST	443	49707	23.204.76.112	192.168.2.16
Apr 26, 2024 17:12:40.517889977 CEST	49707	443	192.168.2.16	23.204.76.112
Apr 26, 2024 17:12:40.524360895 CEST	49707	443	192.168.2.16	23.204.76.112
Apr 26, 2024 17:12:40.524389029 CEST	443	49707	23.204.76.112	192.168.2.16
Apr 26, 2024 17:12:40.524701118 CEST	443	49707	23.204.76.112	192.168.2.16
Apr 26, 2024 17:12:40.571597099 CEST	49707	443	192.168.2.16	23.204.76.112
Apr 26, 2024 17:12:40.616662025 CEST	49707	443	192.168.2.16	23.204.76.112
Apr 26, 2024 17:12:40.664118052 CEST	443	49707	23.204.76.112	192.168.2.16
Apr 26, 2024 17:12:40.759985924 CEST	443	49707	23.204.76.112	192.168.2.16
Apr 26, 2024 17:12:40.760159016 CEST	443	49707	23.204.76.112	192.168.2.16
Apr 26, 2024 17:12:40.760250092 CEST	49707	443	192.168.2.16	23.204.76.112
Apr 26, 2024 17:12:40.760299921 CEST	49707	443	192.168.2.16	23.204.76.112
Apr 26, 2024 17:12:40.760322094 CEST	443	49707	23.204.76.112	192.168.2.16
Apr 26, 2024 17:12:40.760369062 CEST	49707	443	192.168.2.16	23.204.76.112
Apr 26, 2024 17:12:40.760375977 CEST	443	49707	23.204.76.112	192.168.2.16
Apr 26, 2024 17:12:40.806817055 CEST	49708	443	192.168.2.16	23.204.76.112
Apr 26, 2024 17:12:40.806868076 CEST	443	49708	23.204.76.112	192.168.2.16
Apr 26, 2024 17:12:40.806968927 CEST	49708	443	192.168.2.16	23.204.76.112
Apr 26, 2024 17:12:40.807223082 CEST	49708	443	192.168.2.16	23.204.76.112
Apr 26, 2024 17:12:40.807233095 CEST	443	49708	23.204.76.112	192.168.2.16
Apr 26, 2024 17:12:41.063077927 CEST	443	49708	23.204.76.112	192.168.2.16
Apr 26, 2024 17:12:41.063170910 CEST	49708	443	192.168.2.16	23.204.76.112
Apr 26, 2024 17:12:41.064466000 CEST	49708	443	192.168.2.16	23.204.76.112
Apr 26, 2024 17:12:41.064476013 CEST	443	49708	23.204.76.112	192.168.2.16
Apr 26, 2024 17:12:41.064776897 CEST	443	49708	23.204.76.112	192.168.2.16
Apr 26, 2024 17:12:41.065924883 CEST	49708	443	192.168.2.16	23.204.76.112
Apr 26, 2024 17:12:41.112122059 CEST	443	49708	23.204.76.112	192.168.2.16
Apr 26, 2024 17:12:41.326483011 CEST	443	49708	23.204.76.112	192.168.2.16
Apr 26, 2024 17:12:41.326561928 CEST	443	49708	23.204.76.112	192.168.2.16
Apr 26, 2024 17:12:41.326622009 CEST	49708	443	192.168.2.16	23.204.76.112
Apr 26, 2024 17:12:41.327359915 CEST	49708	443	192.168.2.16	23.204.76.112
Apr 26, 2024 17:12:41.327379942 CEST	443	49708	23.204.76.112	192.168.2.16
Apr 26, 2024 17:12:41.327393055 CEST	49708	443	192.168.2.16	23.204.76.112
Apr 26, 2024 17:12:41.327399015 CEST	443	49708	23.204.76.112	192.168.2.16
Apr 26, 2024 17:12:41.898782015 CEST	49678	443	192.168.2.16	20.189.173.10
Apr 26, 2024 17:12:42.201606989 CEST	49678	443	192.168.2.16	20.189.173.10
Apr 26, 2024 17:12:42.805660963 CEST	49678	443	192.168.2.16	20.189.173.10
Apr 26, 2024 17:12:42.991274118 CEST	49709	443	192.168.2.16	20.114.59.183
Apr 26, 2024 17:12:42.991329908 CEST	443	49709	20.114.59.183	192.168.2.16
Apr 26, 2024 17:12:42.991601944 CEST	49709	443	192.168.2.16	20.114.59.183
Apr 26, 2024 17:12:42.992999077 CEST	49709	443	192.168.2.16	20.114.59.183
Apr 26, 2024 17:12:42.993024111 CEST	443	49709	20.114.59.183	192.168.2.16
Apr 26, 2024 17:12:43.076606989 CEST	49673	443	192.168.2.16	204.79.197.203
Apr 26, 2024 17:12:43.620989084 CEST	443	49709	20.114.59.183	192.168.2.16
Apr 26, 2024 17:12:43.621094942 CEST	49709	443	192.168.2.16	20.114.59.183
Apr 26, 2024 17:12:43.624721050 CEST	49709	443	192.168.2.16	20.114.59.183
Apr 26, 2024 17:12:43.624731064 CEST	443	49709	20.114.59.183	192.168.2.16
Apr 26, 2024 17:12:43.625217915 CEST	443	49709	20.114.59.183	192.168.2.16
Apr 26, 2024 17:12:43.666588068 CEST	49709	443	192.168.2.16	20.114.59.183
Apr 26, 2024 17:12:43.714029074 CEST	49709	443	192.168.2.16	20.114.59.183
Apr 26, 2024 17:12:43.760126114 CEST	443	49709	20.114.59.183	192.168.2.16
Apr 26, 2024 17:12:44.016629934 CEST	49678	443	192.168.2.16	20.189.173.10
Apr 26, 2024 17:12:44.217573881 CEST	443	49709	20.114.59.183	192.168.2.16
Apr 26, 2024 17:12:44.217617035 CEST	443	49709	20.114.59.183	192.168.2.16
Apr 26, 2024 17:12:44.217624903 CEST	443	49709	20.114.59.183	192.168.2.16
Apr 26, 2024 17:12:44.217634916 CEST	443	49709	20.114.59.183	192.168.2.16
Apr 26, 2024 17:12:44.217679024 CEST	443	49709	20.114.59.183	192.168.2.16
Apr 26, 2024 17:12:44.217700958 CEST	49709	443	192.168.2.16	20.114.59.183
Apr 26, 2024 17:12:44.217715979 CEST	443	49709	20.114.59.183	192.168.2.16
Apr 26, 2024 17:12:44.217727900 CEST	443	49709	20.114.59.183	192.168.2.16
Apr 26, 2024 17:12:44.217736959 CEST	49709	443	192.168.2.16	20.114.59.183
Apr 26, 2024 17:12:44.217765093 CEST	49709	443	192.168.2.16	20.114.59.183
Apr 26, 2024 17:12:44.217771053 CEST	443	49709	20.114.59.183	192.168.2.16
Apr 26, 2024 17:12:44.217824936 CEST	443	49709	20.114.59.183	192.168.2.16
Apr 26, 2024 17:12:44.217828989 CEST	49709	443	192.168.2.16	20.114.59.183
Apr 26, 2024 17:12:44.217871904 CEST	49709	443	192.168.2.16	20.114.59.183
Apr 26, 2024 17:12:44.217871904 CEST	49709	443	192.168.2.16	20.114.59.183
Apr 26, 2024 17:12:44.231034040 CEST	49709	443	192.168.2.16	20.114.59.183
Apr 26, 2024 17:12:44.231057882 CEST	443	49709	20.114.59.183	192.168.2.16
Apr 26, 2024 17:12:44.231125116 CEST	49709	443	192.168.2.16	20.114.59.183
Apr 26, 2024 17:12:44.231132030 CEST	443	49709	20.114.59.183	192.168.2.16
Apr 26, 2024 17:12:46.363758087 CEST	49680	80	192.168.2.16	192.229.211.108
Apr 26, 2024 17:12:46.426603079 CEST	49678	443	192.168.2.16	20.189.173.10
Apr 26, 2024 17:12:46.666606903 CEST	49680	80	192.168.2.16	192.229.211.108
Apr 26, 2024 17:12:47.274616957 CEST	49680	80	192.168.2.16	192.229.211.108
Apr 26, 2024 17:12:48.487730980 CEST	49680	80	192.168.2.16	192.229.211.108
Apr 26, 2024 17:12:50.897631884 CEST	49680	80	192.168.2.16	192.229.211.108
Apr 26, 2024 17:12:51.233628988 CEST	49678	443	192.168.2.16	20.189.173.10
Apr 26, 2024 17:12:52.685647964 CEST	49673	443	192.168.2.16	204.79.197.203
Apr 26, 2024 17:12:55.712678909 CEST	49680	80	192.168.2.16	192.229.211.108
Apr 26, 2024 17:13:00.840615988 CEST	49678	443	192.168.2.16	20.189.173.10
Apr 26, 2024 17:13:05.327627897 CEST	49680	80	192.168.2.16	192.229.211.108
Apr 26, 2024 17:13:19.704930067 CEST	49698	80	192.168.2.16	199.232.210.172
Apr 26, 2024 17:13:19.705084085 CEST	49699	80	192.168.2.16	199.232.210.172
Apr 26, 2024 17:13:19.841615915 CEST	80	49698	199.232.210.172	192.168.2.16
Apr 26, 2024 17:13:19.841650963 CEST	80	49698	199.232.210.172	192.168.2.16
Apr 26, 2024 17:13:19.841778040 CEST	49698	80	192.168.2.16	199.232.210.172
Apr 26, 2024 17:13:19.842576027 CEST	80	49699	199.232.210.172	192.168.2.16
Apr 26, 2024 17:13:19.842622995 CEST	80	49699	199.232.210.172	192.168.2.16
Apr 26, 2024 17:13:19.842703104 CEST	49699	80	192.168.2.16	199.232.210.172
Apr 26, 2024 17:13:21.650053024 CEST	49710	443	192.168.2.16	20.114.59.183
Apr 26, 2024 17:13:21.650108099 CEST	443	49710	20.114.59.183	192.168.2.16
Apr 26, 2024 17:13:21.650213003 CEST	49710	443	192.168.2.16	20.114.59.183
Apr 26, 2024 17:13:21.650587082 CEST	49710	443	192.168.2.16	20.114.59.183
Apr 26, 2024 17:13:21.650605917 CEST	443	49710	20.114.59.183	192.168.2.16
Apr 26, 2024 17:13:22.272778034 CEST	443	49710	20.114.59.183	192.168.2.16
Apr 26, 2024 17:13:22.273046017 CEST	49710	443	192.168.2.16	20.114.59.183
Apr 26, 2024 17:13:22.278554916 CEST	49710	443	192.168.2.16	20.114.59.183
Apr 26, 2024 17:13:22.278584003 CEST	443	49710	20.114.59.183	192.168.2.16
Apr 26, 2024 17:13:22.278865099 CEST	443	49710	20.114.59.183	192.168.2.16
Apr 26, 2024 17:13:22.285717964 CEST	49710	443	192.168.2.16	20.114.59.183
Apr 26, 2024 17:13:22.328116894 CEST	443	49710	20.114.59.183	192.168.2.16
Apr 26, 2024 17:13:22.892273903 CEST	443	49710	20.114.59.183	192.168.2.16
Apr 26, 2024 17:13:22.892301083 CEST	443	49710	20.114.59.183	192.168.2.16
Apr 26, 2024 17:13:22.892317057 CEST	443	49710	20.114.59.183	192.168.2.16
Apr 26, 2024 17:13:22.892404079 CEST	49710	443	192.168.2.16	20.114.59.183
Apr 26, 2024 17:13:22.892433882 CEST	443	49710	20.114.59.183	192.168.2.16
Apr 26, 2024 17:13:22.892452002 CEST	443	49710	20.114.59.183	192.168.2.16
Apr 26, 2024 17:13:22.892503977 CEST	49710	443	192.168.2.16	20.114.59.183
Apr 26, 2024 17:13:22.895178080 CEST	49710	443	192.168.2.16	20.114.59.183
Apr 26, 2024 17:13:22.895199060 CEST	443	49710	20.114.59.183	192.168.2.16
Apr 26, 2024 17:13:22.895209074 CEST	49710	443	192.168.2.16	20.114.59.183
Apr 26, 2024 17:13:22.895214081 CEST	443	49710	20.114.59.183	192.168.2.16
Apr 26, 2024 17:13:35.993740082 CEST	49688	443	192.168.2.16	13.107.21.200
Apr 26, 2024 17:13:56.211118937 CEST	49714	443	192.168.2.16	142.250.217.164
Apr 26, 2024 17:13:56.211149931 CEST	443	49714	142.250.217.164	192.168.2.16
Apr 26, 2024 17:13:56.211213112 CEST	49714	443	192.168.2.16	142.250.217.164
Apr 26, 2024 17:13:56.211535931 CEST	49714	443	192.168.2.16	142.250.217.164
Apr 26, 2024 17:13:56.211548090 CEST	443	49714	142.250.217.164	192.168.2.16
Apr 26, 2024 17:13:56.580260992 CEST	49715	443	192.168.2.16	142.250.217.164
Apr 26, 2024 17:13:56.580293894 CEST	443	49715	142.250.217.164	192.168.2.16
Apr 26, 2024 17:13:56.580463886 CEST	49715	443	192.168.2.16	142.250.217.164
Apr 26, 2024 17:13:56.581151009 CEST	49715	443	192.168.2.16	142.250.217.164
Apr 26, 2024 17:13:56.581171036 CEST	443	49715	142.250.217.164	192.168.2.16
Apr 26, 2024 17:13:56.607193947 CEST	443	49714	142.250.217.164	192.168.2.16
Apr 26, 2024 17:13:56.607536077 CEST	49714	443	192.168.2.16	142.250.217.164
Apr 26, 2024 17:13:56.607557058 CEST	443	49714	142.250.217.164	192.168.2.16
Apr 26, 2024 17:13:56.608491898 CEST	443	49714	142.250.217.164	192.168.2.16
Apr 26, 2024 17:13:56.608633041 CEST	49714	443	192.168.2.16	142.250.217.164
Apr 26, 2024 17:13:56.609702110 CEST	49714	443	192.168.2.16	142.250.217.164
Apr 26, 2024 17:13:56.609751940 CEST	443	49714	142.250.217.164	192.168.2.16
Apr 26, 2024 17:13:56.610225916 CEST	49716	443	192.168.2.16	142.250.217.164
Apr 26, 2024 17:13:56.610255957 CEST	443	49716	142.250.217.164	192.168.2.16
Apr 26, 2024 17:13:56.610341072 CEST	49716	443	192.168.2.16	142.250.217.164
Apr 26, 2024 17:13:56.610340118 CEST	49717	443	192.168.2.16	142.250.217.164
Apr 26, 2024 17:13:56.610374928 CEST	443	49717	142.250.217.164	192.168.2.16
Apr 26, 2024 17:13:56.610459089 CEST	49714	443	192.168.2.16	142.250.217.164
Apr 26, 2024 17:13:56.610465050 CEST	443	49714	142.250.217.164	192.168.2.16
Apr 26, 2024 17:13:56.610487938 CEST	49717	443	192.168.2.16	142.250.217.164
Apr 26, 2024 17:13:56.610655069 CEST	49716	443	192.168.2.16	142.250.217.164
Apr 26, 2024 17:13:56.610668898 CEST	443	49716	142.250.217.164	192.168.2.16
Apr 26, 2024 17:13:56.610898018 CEST	49717	443	192.168.2.16	142.250.217.164
Apr 26, 2024 17:13:56.610910892 CEST	443	49717	142.250.217.164	192.168.2.16
Apr 26, 2024 17:13:56.658754110 CEST	49714	443	192.168.2.16	142.250.217.164
Apr 26, 2024 17:13:56.937241077 CEST	443	49716	142.250.217.164	192.168.2.16
Apr 26, 2024 17:13:56.937526941 CEST	49716	443	192.168.2.16	142.250.217.164
Apr 26, 2024 17:13:56.937549114 CEST	443	49716	142.250.217.164	192.168.2.16
Apr 26, 2024 17:13:56.937850952 CEST	443	49716	142.250.217.164	192.168.2.16
Apr 26, 2024 17:13:56.938174963 CEST	49716	443	192.168.2.16	142.250.217.164
Apr 26, 2024 17:13:56.938241005 CEST	443	49716	142.250.217.164	192.168.2.16
Apr 26, 2024 17:13:56.939062119 CEST	49716	443	192.168.2.16	142.250.217.164
Apr 26, 2024 17:13:56.966967106 CEST	443	49715	142.250.217.164	192.168.2.16
Apr 26, 2024 17:13:56.967437983 CEST	49715	443	192.168.2.16	142.250.217.164
Apr 26, 2024 17:13:56.967462063 CEST	443	49715	142.250.217.164	192.168.2.16
Apr 26, 2024 17:13:56.968360901 CEST	443	49715	142.250.217.164	192.168.2.16
Apr 26, 2024 17:13:56.968436956 CEST	49715	443	192.168.2.16	142.250.217.164
Apr 26, 2024 17:13:56.968836069 CEST	49715	443	192.168.2.16	142.250.217.164
Apr 26, 2024 17:13:56.968836069 CEST	49715	443	192.168.2.16	142.250.217.164
Apr 26, 2024 17:13:56.968894958 CEST	443	49715	142.250.217.164	192.168.2.16
Apr 26, 2024 17:13:56.984117031 CEST	443	49716	142.250.217.164	192.168.2.16
Apr 26, 2024 17:13:57.006810904 CEST	443	49717	142.250.217.164	192.168.2.16
Apr 26, 2024 17:13:57.007102966 CEST	49717	443	192.168.2.16	142.250.217.164
Apr 26, 2024 17:13:57.007142067 CEST	443	49717	142.250.217.164	192.168.2.16
Apr 26, 2024 17:13:57.009977102 CEST	49715	443	192.168.2.16	142.250.217.164
Apr 26, 2024 17:13:57.009996891 CEST	443	49715	142.250.217.164	192.168.2.16
Apr 26, 2024 17:13:57.011055946 CEST	443	49717	142.250.217.164	192.168.2.16
Apr 26, 2024 17:13:57.011199951 CEST	49717	443	192.168.2.16	142.250.217.164
Apr 26, 2024 17:13:57.011548042 CEST	49717	443	192.168.2.16	142.250.217.164
Apr 26, 2024 17:13:57.011632919 CEST	443	49717	142.250.217.164	192.168.2.16
Apr 26, 2024 17:13:57.013096094 CEST	443	49714	142.250.217.164	192.168.2.16
Apr 26, 2024 17:13:57.013144970 CEST	443	49714	142.250.217.164	192.168.2.16
Apr 26, 2024 17:13:57.013174057 CEST	443	49714	142.250.217.164	192.168.2.16
Apr 26, 2024 17:13:57.013199091 CEST	443	49714	142.250.217.164	192.168.2.16
Apr 26, 2024 17:13:57.013206005 CEST	49714	443	192.168.2.16	142.250.217.164
Apr 26, 2024 17:13:57.013231993 CEST	443	49714	142.250.217.164	192.168.2.16
Apr 26, 2024 17:13:57.013484001 CEST	49714	443	192.168.2.16	142.250.217.164
Apr 26, 2024 17:13:57.024346113 CEST	443	49714	142.250.217.164	192.168.2.16
Apr 26, 2024 17:13:57.024415016 CEST	49714	443	192.168.2.16	142.250.217.164
Apr 26, 2024 17:13:57.024420977 CEST	443	49714	142.250.217.164	192.168.2.16
Apr 26, 2024 17:13:57.024431944 CEST	443	49714	142.250.217.164	192.168.2.16
Apr 26, 2024 17:13:57.024507046 CEST	49714	443	192.168.2.16	142.250.217.164
Apr 26, 2024 17:13:57.024507046 CEST	49714	443	192.168.2.16	142.250.217.164
Apr 26, 2024 17:13:57.024514914 CEST	443	49714	142.250.217.164	192.168.2.16
Apr 26, 2024 17:13:57.024543047 CEST	49714	443	192.168.2.16	142.250.217.164
Apr 26, 2024 17:13:57.024621964 CEST	49714	443	192.168.2.16	142.250.217.164
Apr 26, 2024 17:13:57.057758093 CEST	49715	443	192.168.2.16	142.250.217.164
Apr 26, 2024 17:13:57.057759047 CEST	49717	443	192.168.2.16	142.250.217.164
Apr 26, 2024 17:13:57.057781935 CEST	443	49717	142.250.217.164	192.168.2.16
Apr 26, 2024 17:13:57.102750063 CEST	49717	443	192.168.2.16	142.250.217.164
Apr 26, 2024 17:13:57.635229111 CEST	443	49715	142.250.217.164	192.168.2.16
Apr 26, 2024 17:13:57.635292053 CEST	49715	443	192.168.2.16	142.250.217.164
Apr 26, 2024 17:13:57.635623932 CEST	443	49715	142.250.217.164	192.168.2.16
Apr 26, 2024 17:13:57.635819912 CEST	443	49715	142.250.217.164	192.168.2.16
Apr 26, 2024 17:13:57.635864019 CEST	49715	443	192.168.2.16	142.250.217.164
Apr 26, 2024 17:13:57.638256073 CEST	443	49716	142.250.217.164	192.168.2.16
Apr 26, 2024 17:13:57.638315916 CEST	49716	443	192.168.2.16	142.250.217.164
Apr 26, 2024 17:13:57.638329983 CEST	443	49716	142.250.217.164	192.168.2.16
Apr 26, 2024 17:13:57.638772964 CEST	443	49716	142.250.217.164	192.168.2.16
Apr 26, 2024 17:13:57.638822079 CEST	49716	443	192.168.2.16	142.250.217.164
Apr 26, 2024 17:13:57.683900118 CEST	49716	443	192.168.2.16	142.250.217.164
Apr 26, 2024 17:13:57.683923960 CEST	443	49716	142.250.217.164	192.168.2.16
Apr 26, 2024 17:13:57.744103909 CEST	49715	443	192.168.2.16	142.250.217.164
Apr 26, 2024 17:13:57.744121075 CEST	443	49715	142.250.217.164	192.168.2.16
Apr 26, 2024 17:13:57.967542887 CEST	49717	443	192.168.2.16	142.250.217.164
Apr 26, 2024 17:13:58.012150049 CEST	443	49717	142.250.217.164	192.168.2.16
Apr 26, 2024 17:13:58.028589964 CEST	49718	443	192.168.2.16	142.250.217.164
Apr 26, 2024 17:13:58.028637886 CEST	443	49718	142.250.217.164	192.168.2.16
Apr 26, 2024 17:13:58.028708935 CEST	49718	443	192.168.2.16	142.250.217.164
Apr 26, 2024 17:13:58.028989077 CEST	49718	443	192.168.2.16	142.250.217.164
Apr 26, 2024 17:13:58.029009104 CEST	443	49718	142.250.217.164	192.168.2.16
Apr 26, 2024 17:13:58.169138908 CEST	443	49717	142.250.217.164	192.168.2.16
Apr 26, 2024 17:13:58.169255018 CEST	443	49717	142.250.217.164	192.168.2.16
Apr 26, 2024 17:13:58.169400930 CEST	49717	443	192.168.2.16	142.250.217.164
Apr 26, 2024 17:13:58.169434071 CEST	443	49717	142.250.217.164	192.168.2.16
Apr 26, 2024 17:13:58.169611931 CEST	443	49717	142.250.217.164	192.168.2.16
Apr 26, 2024 17:13:58.169702053 CEST	49717	443	192.168.2.16	142.250.217.164
Apr 26, 2024 17:13:58.170936108 CEST	49717	443	192.168.2.16	142.250.217.164
Apr 26, 2024 17:13:58.170970917 CEST	443	49717	142.250.217.164	192.168.2.16
Apr 26, 2024 17:13:58.355492115 CEST	443	49718	142.250.217.164	192.168.2.16
Apr 26, 2024 17:13:58.359689951 CEST	49718	443	192.168.2.16	142.250.217.164
Apr 26, 2024 17:13:58.359709978 CEST	443	49718	142.250.217.164	192.168.2.16
Apr 26, 2024 17:13:58.360022068 CEST	443	49718	142.250.217.164	192.168.2.16
Apr 26, 2024 17:13:58.363795042 CEST	49718	443	192.168.2.16	142.250.217.164
Apr 26, 2024 17:13:58.363862038 CEST	443	49718	142.250.217.164	192.168.2.16
Apr 26, 2024 17:13:58.374306917 CEST	49718	443	192.168.2.16	142.250.217.164
Apr 26, 2024 17:13:58.420109987 CEST	443	49718	142.250.217.164	192.168.2.16
Apr 26, 2024 17:13:58.685574055 CEST	443	49718	142.250.217.164	192.168.2.16
Apr 26, 2024 17:13:58.685616970 CEST	443	49718	142.250.217.164	192.168.2.16
Apr 26, 2024 17:13:58.685694933 CEST	49718	443	192.168.2.16	142.250.217.164
Apr 26, 2024 17:13:58.685700893 CEST	443	49718	142.250.217.164	192.168.2.16
Apr 26, 2024 17:13:58.685726881 CEST	443	49718	142.250.217.164	192.168.2.16
Apr 26, 2024 17:13:58.685739040 CEST	443	49718	142.250.217.164	192.168.2.16
Apr 26, 2024 17:13:58.685797930 CEST	49718	443	192.168.2.16	142.250.217.164
Apr 26, 2024 17:13:58.685797930 CEST	49718	443	192.168.2.16	142.250.217.164
Apr 26, 2024 17:13:58.686355114 CEST	49718	443	192.168.2.16	142.250.217.164
Apr 26, 2024 17:13:58.686369896 CEST	443	49718	142.250.217.164	192.168.2.16
Apr 26, 2024 17:14:11.249994993 CEST	49701	80	192.168.2.16	192.229.211.108
Apr 26, 2024 17:14:11.374051094 CEST	80	49701	192.229.211.108	192.168.2.16
Apr 26, 2024 17:14:11.374116898 CEST	49701	80	192.168.2.16	192.229.211.108

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 26, 2024 17:13:04.534104109 CEST	137	137	192.168.2.16	192.168.2.255
Apr 26, 2024 17:13:05.289792061 CEST	137	137	192.168.2.16	192.168.2.255
Apr 26, 2024 17:13:06.054727077 CEST	137	137	192.168.2.16	192.168.2.255
Apr 26, 2024 17:13:38.063894987 CEST	138	138	192.168.2.16	192.168.2.255
Apr 26, 2024 17:13:56.073750973 CEST	53	61012	1.1.1.1	192.168.2.16
Apr 26, 2024 17:13:56.076273918 CEST	53991	53	192.168.2.16	1.1.1.1
Apr 26, 2024 17:13:56.076528072 CEST	62528	53	192.168.2.16	1.1.1.1
Apr 26, 2024 17:13:56.105897903 CEST	53	64896	1.1.1.1	192.168.2.16
Apr 26, 2024 17:13:56.201955080 CEST	53	62528	1.1.1.1	192.168.2.16
Apr 26, 2024 17:13:56.203098059 CEST	53	53991	1.1.1.1	192.168.2.16
Apr 26, 2024 17:13:56.957838058 CEST	53	59964	1.1.1.1	192.168.2.16
Apr 26, 2024 17:14:14.044898033 CEST	53	53360	1.1.1.1	192.168.2.16
Apr 26, 2024 17:14:33.142807961 CEST	53	58576	1.1.1.1	192.168.2.16

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 26, 2024 17:13:56.076273918 CEST	192.168.2.16	1.1.1.1	0x79b9	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Apr 26, 2024 17:13:56.076528072 CEST	192.168.2.16	1.1.1.1	0x80f9	Standard query (0)	www.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 26, 2024 17:13:56.201955080 CEST	1.1.1.1	192.168.2.16	0x80f9	No error (0)	www.google.com			65	IN (0x0001)	false
Apr 26, 2024 17:13:56.203098059 CEST	1.1.1.1	192.168.2.16	0x79b9	No error (0)	www.google.com		142.250.217.164	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

fs.microsoft.com

slscr.update.microsoft.com

www.google.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.16	49707	23.204.76.112	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 15:12:40 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-04-26 15:12:40 UTC	466	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (chd/0758) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-eus-z1 Cache-Control: public, max-age=57065 Date: Fri, 26 Apr 2024 15:12:40 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.16	49708	23.204.76.112	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 15:12:41 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-04-26 15:12:41 UTC	530	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Tue, 16 May 2017 22:58:00 GMT ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json X-Azure-Ref: 0DZ+oYgAAAABSxwJpMgMuSLkfS640ajfFQVRBRURHRTEyMTkAY2VmYzI1ODMtYTliMi00NGE3LTk3NTUtYjc2ZDE3ZTA1Zjdm Cache-Control: public, max-age=57058 Date: Fri, 26 Apr 2024 15:12:41 GMT Content-Length: 55 Connection: close X-CID: 2
2024-04-26 15:12:41 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.16	49709	20.114.59.183	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 15:12:43 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=zpZwU4wWXC12lhm&MD=xbs1fPkx HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-04-26 15:12:44 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: 12ae2a79-477a-488c-9524-e11ba4202d39 MS-RequestId: 7cfc02f4-ced7-42c6-bed8-d9fca264177b MS-CV: 14F+Ka5PWUiTiDUr.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Fri, 26 Apr 2024 15:12:43 GMT Connection: close Content-Length: 24490
2024-04-26 15:12:44 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-04-26 15:12:44 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.16	49710	20.114.59.183	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 15:13:22 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=zpZwU4wWXC12lhm&MD=xbs1fPkx HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-04-26 15:13:22 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "Mx1RoJH/qEwpWfKllx7sbsl28AuERz5IYdcsvtTJcgM=_2160" MS-CorrelationId: 2269fcd3-37fb-452f-8968-40243dfe419b MS-RequestId: 817ebc03-3068-4ee5-b1ef-031d61a6ff71 MS-CV: eXX3Pw89UU2C4zfh.0 X-Microsoft-SLSClientCache: 2160 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Fri, 26 Apr 2024 15:13:21 GMT Connection: close Content-Length: 25457
2024-04-26 15:13:22 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 51 22 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 db 8e 00 00 14 00 00 00 00 00 10 00 51 22 00 00 20 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 f3 43 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 0d 92 6f db e5 21 f3 43 43 4b ed 5a 09 38 55 5b df 3f 93 99 90 29 99 e7 29 ec 73 cc 4a 66 32 cf 84 32 64 c8 31 c7 11 52 38 87 90 42 66 09 99 87 32 0f 19 0a 09 51 a6 a8 08 29 53 86 4a 52 84 50 df 46 83 ba dd 7b df fb 7e ef 7d ee 7d bf ef 9e e7 d9 67 ef 35 ee b5 fe eb 3f ff b6 96 81 a2 0a 04 fc 31 40 21 5b 3f a5 ed 1b 04 0e 85 42 a0 10 04 64 12 6c a5 de aa a1 d8 ea f3 58 01 f2 f5 67 0b 5e 9b bd e8 a0 90 1d bf 40 88 9d eb 49 b4 87 9b ab 8b 9d 2b 46 c8 c7 c5 19 92 Data Ascii: MSCFQ"DQ" AdCenvironment.cabo!CCKZ8U[?))sJf22d1R8Bf2Q)SJRPF{~}}g5?1@![?BdlXg^@I+F
2024-04-26 15:13:22 UTC	9633	IN	Data Raw: 21 6f b3 eb a6 cc f5 31 be cf 05 e2 a9 fe fa 57 6d 19 30 b3 c2 c5 66 c9 6a df f5 e7 f0 78 bd c7 a8 9e 25 e3 f9 bc ed 6b 54 57 08 2b 51 82 44 12 fb b9 53 8c cc f4 60 12 8a 76 cc 40 40 41 9b dc 5c 17 ff 5c f9 5e 17 35 98 24 56 4b 74 ef 42 10 c8 af bf 7f c6 7f f2 37 7d 5a 3f 1c f2 99 79 4a 91 52 00 af 38 0f 17 f5 2f 79 81 65 d9 a9 b5 6b e4 c7 ce f6 ca 7a 00 6f 4b 30 44 24 22 3c cf ed 03 a5 96 8f 59 29 bc b6 fd 04 e1 70 9f 32 4a 27 fd 55 af 2f fe b6 e5 8e 33 bb 62 5f 9a db 57 40 e9 f1 ce 99 66 90 8c ff 6a 62 7f dd c5 4a 0b 91 26 e2 39 ec 19 4a 71 63 9d 7b 21 6d c3 9c a3 a2 3c fa 7f 7d 96 6a 90 78 a6 6d d2 e1 9c f9 1d fc 38 d8 94 f4 c6 a5 0a 96 86 a4 bd 9e 1a ae 04 42 83 b8 b5 80 9b 22 38 20 b5 25 e5 64 ec f7 f4 bf 7e 63 59 25 0f 7a 2e 39 57 76 a2 71 aa 06 8a Data Ascii: !o1Wm0fjx%kTW+QDS`v@@A\\^5$VKtB7}Z?yJR8/yekzoK0D$"<Y)p2J'U/3b_W@fjbJ&9Jqc{!m<}jxm8B"8 %d~cY%z.9Wvq

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.16	49714	142.250.217.164	443	1916	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 15:13:56 UTC	627	OUT	GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlqHLAQj2mM0BCIWgzQEI3L3NAQiRys0BCLnKzQEIx9HNAQiJ080BCNzTzQEIy9bNAQj01s0BCIrXzQEIp9jNAQj5wNQVGLrSzQEYy9jNARjrjaUX Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-04-26 15:13:57 UTC	1703	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 15:13:56 GMT Pragma: no-cache Expires: -1 Cache-Control: no-cache, must-revalidate Content-Type: text/javascript; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Content-Security-Policy: object-src 'none';base-uri 'self';script-src 'nonce-hGrobmLsmOWEfYKXYtprYw' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/cdt1 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/cdt1"}]} Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Origin-Trial: Ap+qNlnLzJDKSmEHjzM5ilaa908GuehlLqGb6ezME5lkhelj20qVzfv06zPmQ3LodoeujZuphAolrnhnPA8w4AIAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY4NTY2Mzk5OX0= Origin-Trial: AvudrjMZqL7335p1KLV2lHo1kxdMeIN0dUI15d0CPz9dovVLCcXk8OAqjho1DX4s6NbHbA/AGobuGvcZv0drGgQAAAB9eyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJCYWNrRm9yd2FyZENhY2hlTm90UmVzdG9yZWRSZWFzb25zIiwiZXhwaXJ5IjoxNjkxNTM5MTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0= Content-Disposition: attachment; filename="f.txt" Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-04-26 15:13:57 UTC	1703	IN	Data Raw: 65 66 61 0d 0a 29 5d 7d 27 0a 5b 22 22 2c 5b 22 6d 69 6c 6c 69 6f 6e 20 64 6f 6c 6c 61 72 20 62 61 62 79 20 6c 79 72 69 63 73 20 74 6f 6d 6d 79 20 72 69 63 68 6d 61 6e 22 2c 22 6c 61 67 75 61 72 64 69 61 20 61 69 72 70 6f 72 74 22 2c 22 70 61 63 6b 65 72 73 20 6e 66 6c 20 64 72 61 66 74 20 70 69 63 6b 73 22 2c 22 72 65 64 64 69 74 20 6f 75 74 61 67 65 22 2c 22 6d 61 6e 6f 72 20 6c 6f 72 64 73 20 65 61 72 6c 79 20 61 63 63 65 73 73 22 2c 22 77 6f 72 64 6c 65 20 74 6f 64 61 79 20 61 6e 73 77 65 72 20 61 70 72 69 6c 20 32 36 22 2c 22 63 69 63 61 64 61 73 20 73 6f 75 74 68 20 63 61 72 6f 6c 69 6e 61 22 2c 22 6e 65 77 20 6f 72 6c 65 61 6e 73 20 73 61 69 6e 74 73 20 64 72 61 66 74 20 70 69 63 6b 73 22 5d 2c 5b 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 Data Ascii: efa)]}'["",["million dollar baby lyrics tommy richman","laguardia airport","packers nfl draft picks","reddit outage","manor lords early access","wordle today answer april 26","cicadas south carolina","new orleans saints draft picks"],["","","","","",""
2024-04-26 15:13:57 UTC	1703	IN	Data Raw: 4d 6d 4e 6b 65 47 74 75 64 44 4e 48 55 47 5a 53 62 47 31 79 53 32 55 31 4d 47 6c 55 65 48 56 47 53 6d 4e 34 4e 31 64 51 53 6c 6c 6c 4d 33 68 36 4f 58 52 61 57 57 78 52 4e 46 52 6b 52 7a 5a 55 53 7a 4a 4e 61 6b 6c 51 57 54 6c 31 5a 57 59 30 4d 46 6c 4b 4e 55 6c 35 61 6d 70 50 4f 55 63 30 61 30 56 50 4d 45 56 75 4d 6b 6f 33 62 6a 51 77 4c 32 59 34 51 54 42 6d 61 6d 6c 48 64 47 31 42 64 6a 4e 72 65 6a 55 33 4e 6a 68 47 53 6d 6f 79 4d 57 30 35 51 6a 5a 73 63 6d 46 43 64 44 42 71 63 33 64 72 4d 6e 67 34 62 6e 4e 43 62 6b 68 69 4e 32 35 71 56 6e 4e 32 63 6b 35 52 65 57 6c 6b 63 47 78 35 59 31 70 43 53 6b 64 6d 53 54 46 6d 55 47 31 35 4d 54 64 50 5a 58 4e 79 4f 55 52 75 4b 30 64 34 4e 55 64 6e 63 6a 6c 59 63 46 70 69 53 46 63 7a 51 31 56 79 64 48 41 30 61 54 5a Data Ascii: MmNkeGtudDNHUGZSbG1yS2U1MGlUeHVGSmN4N1dQSlllM3h6OXRaWWxRNFRkRzZUSzJNaklQWTl1ZWY0MFlKNUl5ampPOUc0a0VPMEVuMko3bjQwL2Y4QTBmamlHdG1BdjNrejU3NjhGSmoyMW05QjZscmFCdDBqc3drMng4bnNCbkhiN25qVnN2ck5ReWlkcGx5Y1pCSkdmSTFmUG15MTdPZXNyOURuK0d4NUdncjlYcFpiSFczQ1VydHA0aTZ
2024-04-26 15:13:57 UTC	435	IN	Data Raw: 30 56 6c 41 78 65 6d 4d 77 65 6b 4e 79 54 45 30 32 64 58 46 71 52 47 4e 36 57 56 42 54 55 33 6c 46 4d 30 31 35 65 54 6c 54 65 55 31 72 64 6c 4e 70 62 46 64 54 52 54 42 7a 65 58 46 73 56 56 4e 46 65 45 39 55 61 54 42 31 51 6d 64 42 56 7a 52 6e 4e 45 39 77 42 41 5c 75 30 30 33 64 5c 75 30 30 33 64 22 2c 22 7a 6c 22 3a 31 30 30 30 32 7d 2c 7b 22 7a 6c 22 3a 31 30 30 30 32 7d 2c 7b 22 7a 6c 22 3a 31 30 30 30 32 7d 2c 7b 22 7a 6c 22 3a 31 30 30 30 32 7d 5d 2c 22 67 6f 6f 67 6c 65 3a 73 75 67 67 65 73 74 72 65 6c 65 76 61 6e 63 65 22 3a 5b 31 32 35 37 2c 31 32 35 36 2c 31 32 35 35 2c 31 32 35 34 2c 31 32 35 33 2c 31 32 35 32 2c 31 32 35 31 2c 31 32 35 30 5d 2c 22 67 6f 6f 67 6c 65 3a 73 75 67 67 65 73 74 73 75 62 74 79 70 65 73 22 3a 5b 5b 33 2c 31 34 33 2c 33 Data Ascii: 0VlAxemMwekNyTE02dXFqRGN6WVBTU3lFM015eTlTeU1rdlNpbFdTRTBzeXFsVVNFeE9UaTB1QmdBVzRnNE9wBA\u003d\u003d","zl":10002},{"zl":10002},{"zl":10002},{"zl":10002}],"google:suggestrelevance":[1257,1256,1255,1254,1253,1252,1251,1250],"google:suggestsubtypes":[[3,143,3
2024-04-26 15:13:57 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.16	49716	142.250.217.164	443	1916	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 15:13:56 UTC	530	OUT	GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlqHLAQj2mM0BCIWgzQEI3L3NAQiRys0BCLnKzQEIx9HNAQiJ080BCNzTzQEIy9bNAQj01s0BCIrXzQEIp9jNAQj5wNQVGLrSzQEYy9jNARjrjaUX Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-04-26 15:13:57 UTC	1843	IN	HTTP/1.1 302 Found Location: https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRmgZjcGLWJr7EGIjBgCFAM1f9f2JVtFcAl68Nik8-HM-sUxqyeXhNXBTmuC3DEYTca9cEJh0vEbFNX0HcyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM x-hallmonitor-challenge: CgwItYmvsQYQ8ZCiiwISBGaBmNw Content-Type: text/html; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Permissions-Policy: unload=() Origin-Trial: Ap+qNlnLzJDKSmEHjzM5ilaa908GuehlLqGb6ezME5lkhelj20qVzfv06zPmQ3LodoeujZuphAolrnhnPA8w4AIAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY4NTY2Mzk5OX0= Origin-Trial: AvudrjMZqL7335p1KLV2lHo1kxdMeIN0dUI15d0CPz9dovVLCcXk8OAqjho1DX4s6NbHbA/AGobuGvcZv0drGgQAAAB9eyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJCYWNrRm9yd2FyZENhY2hlTm90UmVzdG9yZWRSZWFzb25zIiwiZXhwaXJ5IjoxNjkxNTM5MTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0= P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Date: Fri, 26 Apr 2024 15:13:57 GMT Server: gws Content-Length: 458 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Set-Cookie: 1P_JAR=2024-04-26-15; expires=Sun, 26-May-2024 15:13:57 GMT; path=/; domain=.google.com; Secure; SameSite=none Set-Cookie: NID=513=BCWnRgUdSRgSA-AhDa63iKg22a1gs4nAl0C7sAEX0uBUK9CPT3IXNKPfDZ_05nFo0HZm_-QiDQQ-XAEwSelL7-vXw7x01AbQa09JQDklr3S-n9WfPdUbIGw_Scm_BzdaaXLfaG2rh5TILoZOe6xmsBvlh_fv5xfF6Jshg2wMqUI; expires=Sat, 26-Oct-2024 15:13:57 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-26 15:13:57 UTC	458	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 6f 72 72 79 2f 69 6e 64 65 78 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 6f 67 62 25 33 46 68 Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fh

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.16	49715	142.250.217.164	443	1916	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 15:13:56 UTC	353	OUT	GET /async/newtab_promos HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-04-26 15:13:57 UTC	1761	IN	HTTP/1.1 302 Found Location: https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRmgZjcGLWJr7EGIjCeAn0Wv0LSnacnC4V1dKrL7UjG__72MMSxdm2DsaR22sgw8W1aJz3BtBEVmIrVrLEyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM x-hallmonitor-challenge: CgwItYmvsQYQ2LKR_AESBGaBmNw Content-Type: text/html; charset=UTF-8 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Permissions-Policy: unload=() Origin-Trial: Ap+qNlnLzJDKSmEHjzM5ilaa908GuehlLqGb6ezME5lkhelj20qVzfv06zPmQ3LodoeujZuphAolrnhnPA8w4AIAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY4NTY2Mzk5OX0= Origin-Trial: AvudrjMZqL7335p1KLV2lHo1kxdMeIN0dUI15d0CPz9dovVLCcXk8OAqjho1DX4s6NbHbA/AGobuGvcZv0drGgQAAAB9eyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJCYWNrRm9yd2FyZENhY2hlTm90UmVzdG9yZWRSZWFzb25zIiwiZXhwaXJ5IjoxNjkxNTM5MTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0= P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Date: Fri, 26 Apr 2024 15:13:57 GMT Server: gws Content-Length: 417 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Set-Cookie: 1P_JAR=2024-04-26-15; expires=Sun, 26-May-2024 15:13:57 GMT; path=/; domain=.google.com; Secure; SameSite=none Set-Cookie: NID=513=Y-JAGje8DE_KOIz0txPQRLijdbeV1Zo6mJprYTLJrmy3ciS9Vfe7zTvv_3NaEwTShhzLRTn6zVhDGRw2Y9maTKuwoClBlN0VhT9EvCWdgumbZDKrYVNd7B6sAMP8de2C-fu5cXcdJ3F51UXF5AYzEK9zO7STMgYoy1G2ZVfPBGE; expires=Sat, 26-Oct-2024 15:13:57 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-26 15:13:57 UTC	417	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 6f 72 72 79 2f 69 6e 64 65 78 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 70 72 6f 6d 6f 73 26 Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.16	49717	142.250.217.164	443	1916	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 15:13:57 UTC	932	OUT	GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRmgZjcGLWJr7EGIjBgCFAM1f9f2JVtFcAl68Nik8-HM-sUxqyeXhNXBTmuC3DEYTca9cEJh0vEbFNX0HcyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlqHLAQj2mM0BCIWgzQEI3L3NAQiRys0BCLnKzQEIx9HNAQiJ080BCNzTzQEIy9bNAQj01s0BCIrXzQEIp9jNAQj5wNQVGLrSzQEYy9jNARjrjaUX Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: 1P_JAR=2024-04-26-15; NID=513=Y-JAGje8DE_KOIz0txPQRLijdbeV1Zo6mJprYTLJrmy3ciS9Vfe7zTvv_3NaEwTShhzLRTn6zVhDGRw2Y9maTKuwoClBlN0VhT9EvCWdgumbZDKrYVNd7B6sAMP8de2C-fu5cXcdJ3F51UXF5AYzEK9zO7STMgYoy1G2ZVfPBGE
2024-04-26 15:13:58 UTC	356	IN	HTTP/1.1 429 Too Many Requests Date: Fri, 26 Apr 2024 15:13:58 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html Server: HTTP server (unknown) Content-Length: 3186 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-26 15:13:58 UTC	899	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 6f 67 62 3f 68 6c 3d 65 6e 2d 55 53 26 61 6d 70 3b 61 73 79 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"><meta name="viewport" content="initial-scale=1"><title>https://www.google.com/async/newtab_ogb?hl=en-US&asy
2024-04-26 15:13:58 UTC	1255	IN	Data Raw: 0a 3c 73 63 72 69 70 74 3e 76 61 72 20 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 20 3d 20 66 75 6e 63 74 69 6f 6e 28 72 65 73 70 6f 6e 73 65 29 20 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 61 70 74 63 68 61 2d 66 6f 72 6d 27 29 2e 73 75 62 6d 69 74 28 29 3b 7d 3b 3c 2f 73 63 72 69 70 74 3e 0a 3c 64 69 76 20 69 64 3d 22 72 65 63 61 70 74 63 68 61 22 20 63 6c 61 73 73 3d 22 67 2d 72 65 63 61 70 74 63 68 61 22 20 64 61 74 61 2d 73 69 74 65 6b 65 79 3d 22 36 4c 66 77 75 79 55 54 41 41 41 41 41 4f 41 6d 6f 53 30 66 64 71 69 6a 43 32 50 62 62 64 48 34 6b 6a 71 36 32 59 31 62 22 20 64 61 74 61 2d 63 61 6c 6c 62 61 63 6b 3d 22 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 22 20 64 61 74 61 2d 73 3d 22 67 51 70 47 36 51 77 4f 47 Data Ascii: <script>var submitCallback = function(response) {document.getElementById('captcha-form').submit();};</script><div id="recaptcha" class="g-recaptcha" data-sitekey="6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b" data-callback="submitCallback" data-s="gQpG6QwOG
2024-04-26 15:13:58 UTC	1032	IN	Data Raw: 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 34 65 6d 3b 22 3e 0a 54 68 69 73 20 70 61 67 65 20 61 70 70 65 61 72 73 20 77 68 65 6e 20 47 6f 6f 67 6c 65 20 61 75 74 6f 6d 61 74 69 63 61 6c 6c 79 20 64 65 74 65 63 74 73 20 72 65 71 75 65 73 74 73 20 63 6f 6d 69 6e 67 20 66 72 6f 6d 20 79 6f 75 72 20 63 6f 6d 70 75 74 65 72 20 6e 65 74 77 6f 72 6b 20 77 68 69 63 68 20 61 70 70 65 61 72 20 74 6f 20 62 65 20 69 6e 20 76 69 6f 6c 61 74 69 6f 6e 20 6f 66 20 74 68 65 20 3c 61 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 70 6f 6c 69 63 69 65 73 2f 74 65 72 6d 73 2f 22 3e 54 65 72 6d 73 20 6f 66 20 53 65 72 76 69 63 65 3c 2f 61 3e 2e 20 54 68 65 20 62 6c 6f 63 6b 20 77 69 6c 6c 20 65 78 70 69 72 65 20 73 68 6f 72 74 6c 79 20 61 66 74 Data Ascii: ; line-height:1.4em;">This page appears when Google automatically detects requests coming from your computer network which appear to be in violation of the <a href="//www.google.com/policies/terms/">Terms of Service</a>. The block will expire shortly aft

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.16	49718	142.250.217.164	443	1916	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 15:13:58 UTC	738	OUT	GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRmgZjcGLWJr7EGIjCeAn0Wv0LSnacnC4V1dKrL7UjG__72MMSxdm2DsaR22sgw8W1aJz3BtBEVmIrVrLEyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: 1P_JAR=2024-04-26-15; NID=513=Y-JAGje8DE_KOIz0txPQRLijdbeV1Zo6mJprYTLJrmy3ciS9Vfe7zTvv_3NaEwTShhzLRTn6zVhDGRw2Y9maTKuwoClBlN0VhT9EvCWdgumbZDKrYVNd7B6sAMP8de2C-fu5cXcdJ3F51UXF5AYzEK9zO7STMgYoy1G2ZVfPBGE
2024-04-26 15:13:58 UTC	356	IN	HTTP/1.1 429 Too Many Requests Date: Fri, 26 Apr 2024 15:13:58 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html Server: HTTP server (unknown) Content-Length: 3114 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-26 15:13:58 UTC	899	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 70 72 6f 6d 6f 73 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"><meta name="viewport" content="initial-scale=1"><title>https://www.google.com/async/newtab_promos</title></head
2024-04-26 15:13:58 UTC	1255	IN	Data Raw: 61 63 6b 20 3d 20 66 75 6e 63 74 69 6f 6e 28 72 65 73 70 6f 6e 73 65 29 20 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 61 70 74 63 68 61 2d 66 6f 72 6d 27 29 2e 73 75 62 6d 69 74 28 29 3b 7d 3b 3c 2f 73 63 72 69 70 74 3e 0a 3c 64 69 76 20 69 64 3d 22 72 65 63 61 70 74 63 68 61 22 20 63 6c 61 73 73 3d 22 67 2d 72 65 63 61 70 74 63 68 61 22 20 64 61 74 61 2d 73 69 74 65 6b 65 79 3d 22 36 4c 66 77 75 79 55 54 41 41 41 41 41 4f 41 6d 6f 53 30 66 64 71 69 6a 43 32 50 62 62 64 48 34 6b 6a 71 36 32 59 31 62 22 20 64 61 74 61 2d 63 61 6c 6c 62 61 63 6b 3d 22 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 22 20 64 61 74 61 2d 73 3d 22 75 2d 76 66 4d 76 63 56 70 44 5f 38 54 7a 48 50 57 64 6a 69 43 73 6a 53 4b 36 6d 78 71 56 6c 4a 62 Data Ascii: ack = function(response) {document.getElementById('captcha-form').submit();};</script><div id="recaptcha" class="g-recaptcha" data-sitekey="6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b" data-callback="submitCallback" data-s="u-vfMvcVpD_8TzHPWdjiCsjSK6mxqVlJb
2024-04-26 15:13:58 UTC	960	IN	Data Raw: 6f 67 6c 65 20 61 75 74 6f 6d 61 74 69 63 61 6c 6c 79 20 64 65 74 65 63 74 73 20 72 65 71 75 65 73 74 73 20 63 6f 6d 69 6e 67 20 66 72 6f 6d 20 79 6f 75 72 20 63 6f 6d 70 75 74 65 72 20 6e 65 74 77 6f 72 6b 20 77 68 69 63 68 20 61 70 70 65 61 72 20 74 6f 20 62 65 20 69 6e 20 76 69 6f 6c 61 74 69 6f 6e 20 6f 66 20 74 68 65 20 3c 61 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 70 6f 6c 69 63 69 65 73 2f 74 65 72 6d 73 2f 22 3e 54 65 72 6d 73 20 6f 66 20 53 65 72 76 69 63 65 3c 2f 61 3e 2e 20 54 68 65 20 62 6c 6f 63 6b 20 77 69 6c 6c 20 65 78 70 69 72 65 20 73 68 6f 72 74 6c 79 20 61 66 74 65 72 20 74 68 6f 73 65 20 72 65 71 75 65 73 74 73 20 73 74 6f 70 2e 20 20 49 6e 20 74 68 65 20 6d 65 61 6e 74 69 6d 65 2c 20 73 6f 6c 76 69 6e Data Ascii: ogle automatically detects requests coming from your computer network which appear to be in violation of the <a href="//www.google.com/policies/terms/">Terms of Service</a>. The block will expire shortly after those requests stop. In the meantime, solvin

Target ID:	0
Start time:	17:12:30
Start date:	26/04/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Imagebase:	0x7ff649610000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	17:13:04
Start date:	26/04/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe"
Imagebase:	0x7ff6fd780000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	17:13:04
Start date:	26/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6684c0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	17:13:12
Start date:	26/04/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	Wscript.exe e118042c448de6933f9e39157a96f6160d720504e1a0ca7c1f1ad2a59b1fdb7b
Imagebase:	0x7ff6f6c40000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	17:13:24
Start date:	26/04/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	Wscript.exe e118042c448de6933f9e39157a96f6160d720504e1a0ca7c1f1ad2a59b1fdb7b
Imagebase:	0x7ff6f6c40000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: wscript.exePID: 2212, Parent PID: 4380

General

Target ID:	18
Start time:	17:13:27
Start date:	26/04/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\e118042c448de6933f9e39157a96f6160d720504e1a0ca7c1f1ad2a59b1fdb7b.wsf"
Imagebase:	0x7ff6f6c40000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	17:13:46
Start date:	26/04/2024
Path:	C:\Windows\System32\notepad.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\Notepad.exe" C:\Users\user\Desktop\e118042c448de6933f9e39157a96f6160d720504e1a0ca7c1f1ad2a59b1fdb7b.wsf
Imagebase:	0x7ff7cda80000
File size:	201'216 bytes
MD5 hash:	27F71B12CB585541885A31BE22F61C83
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	17:13:53
Start date:	26/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Imagebase:	0x7ff7f9810000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	23
Start time:	17:13:54
Start date:	26/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=1952,i,10935312458211857013,12197516651097853539,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff7f9810000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	25
Start time:	17:14:00
Start date:	26/04/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\e118042c448de6933f9e39157a96f6160d720504e1a0ca7c1f1ad2a59b1fdb7b.wsf"
Imagebase:	0x7ff6f6c40000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Analysis Process: wscript.exePID: 2712, Parent PID: 4380

General

Target ID:	26
Start time:	17:14:02
Start date:	26/04/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\e118042c448de6933f9e39157a96f6160d720504e1a0ca7c1f1ad2a59b1fdb7b.wsf"
Imagebase:	0x7ff6f6c40000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Disassembly

⊘No disassembly

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 16868478965.zip

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

System Summary

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

QR Codes

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Chrome Cache Entry: 55

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Windows Analysis Report
16868478965.zip