Edit tour

Windows Analysis Report
https://drive.google.com/uc?export=download&id=1mmXl38H2-j7e7hD_UJbEMMSnMTA0BtQV

Overview

General Information

Sample URL:	https://drive.google.com/uc?export=download&id=1mmXl38H2-j7e7hD_UJbEMMSnMTA0BtQV
Analysis ID:	626101
Infos:

Detection

HTMLPhisher

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Misleading page title found

Yara detected HtmlPhish10

Invalid 'forgot password' link found

None HTTPS page querying sensitive user data (password, username or email)

No HTML title found

HTML body contains low number of good links

Invalid T&C link found

Classification

Process Tree

System is w10x64

chrome.exe (PID: 6136 cmdline: C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --enable-automation "https://drive.google.com/uc?export=download&id=1mmXl38H2-j7e7hD_UJbEMMSnMTA0BtQV MD5: C139654B5C1438A95B321BB01AD63EF6)

chrome.exe (PID: 3648 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1596,13766732960856306384,14944723332545166900,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1936 /prefetch:8 MD5: C139654B5C1438A95B321BB01AD63EF6)

chrome.exe (PID: 6912 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1596,13766732960856306384,14944723332545166900,131072 --lang=en-US --service-sandbox-type=none --enable-audio-service-sandbox --mojo-platform-channel-handle=4796 /prefetch:8 MD5: C139654B5C1438A95B321BB01AD63EF6)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\Downloads\6f9b109d-574d-490d-88c4-a507f995ddcb.tmp	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security

HTML

Source	Rule	Description	Author	Strings
39012.0.pages.csv	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security

HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: unknown

DNS traffic detected: queries for: clients2.google.com

Source: global traffic	HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=85.0.4183.121&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda,pkedcjkdefgpdelpbcmbmeomcjbeemfmX-Goog-Update-Updater: chromecrx-85.0.4183.121Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1mmXl38H2-j7e7hD_UJbEMMSnMTA0BtQV HTTP/1.1Host: drive.google.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/as6j4cm1a3j1cera4enkskui1nh5hivr/1652449800000/04750445292818061454//1mmXl38H2-j7e7hD_UJbEMMSnMTA0BtQV?e=download HTTP/1.1Host: doc-0g-3c-docs.googleusercontent.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /v3/smtp.js HTTP/1.1Host: smtpjs.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /axilor/Office365/mails.js HTTP/1.1Host: ybron.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /axilor/Office365/microsoft-.svg HTTP/1.1Host: ybron.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: image/avif,image/webp,image/apng,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /axilor/Office365/bg.jpg HTTP/1.1Host: ybron.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: image/avif,image/webp,image/apng,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /axilor/Office365/bg.jpg HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36Host: ybron.com
Source: global traffic	HTTP traffic detected: GET /axilor/Office365/microsoft-.svg HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36Host: ybron.com

Source: unknown	HTTPS traffic detected: 208.91.199.159:443 -> 192.168.2.3:49789 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 208.91.199.159:443 -> 192.168.2.3:49788 version: TLS 1.2

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --enable-automation "https://drive.google.com/uc?export=download&id=1mmXl38H2-j7e7hD_UJbEMMSnMTA0BtQV
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1596,13766732960856306384,14944723332545166900,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1936 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1596,13766732960856306384,14944723332545166900,131072 --lang=en-US --service-sandbox-type=none --enable-audio-service-sandbox --mojo-platform-channel-handle=4796 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1596,13766732960856306384,14944723332545166900,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1936 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1596,13766732960856306384,14944723332545166900,131072 --lang=en-US --service-sandbox-type=none --enable-audio-service-sandbox --mojo-platform-channel-handle=4796 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Program Files\Google\Chrome\Application\Dictionaries

Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-627EE0BB-17F8.pma

Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Local\Temp\9c19dec6-f190-427d-bd56-509ebeb601f2.tmp

Jump to behavior

Source: classification engine

Classification label: mal56.phis.win@30/122@8/9

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Automated click: Next
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Automated click: Next

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdic			Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	3 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	4 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	5 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	3 Ingress Tool Transfer	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
https://drive.google.com/uc?export=download&id=1mmXl38H2-j7e7hD_UJbEMMSnMTA0BtQV	2%	Virustotal		Browse
https://drive.google.com/uc?export=download&id=1mmXl38H2-j7e7hD_UJbEMMSnMTA0BtQV	0%	Avira URL Cloud	safe

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\6136_821389493\_platform_specific\x86_64\pnacl_public_x86_64_ld_nexe	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\6136_821389493\_platform_specific\x86_64\pnacl_public_x86_64_ld_nexe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\6136_821389493\_platform_specific\x86_64\pnacl_public_x86_64_pnacl_llc_nexe	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\6136_821389493\_platform_specific\x86_64\pnacl_public_x86_64_pnacl_llc_nexe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\6136_821389493\_platform_specific\x86_64\pnacl_public_x86_64_pnacl_sz_nexe	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\6136_821389493\_platform_specific\x86_64\pnacl_public_x86_64_pnacl_sz_nexe	0%	ReversingLabs

Source	Detection	Scanner	Label
https://dns.google	0%	URL Reputation	safe
https://ybron.com/axilor/Office365/mails.js	0%	Avira URL Cloud	safe
https://ybron.com/axilor/Office365/bg.jpg	0%	Avira URL Cloud	safe
https://ybron.com/axilor/Office365/microsoft-.svg	0%	Avira URL Cloud	safe
https://smtpjs.com/v3/smtp.js	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
smtpjs.com	109.169.71.112	true	false	unknown
accounts.google.com	142.250.186.77	true	false	high
drive.google.com	142.250.185.238	true	false	high
clients.l.google.com	142.250.185.238	true	false	high
ybron.com	208.91.199.159	true	false	unknown
googlehosted.l.googleusercontent.com	142.250.185.193	true	false	high
clients2.google.com	unknown	unknown	false	high
doc-0g-3c-docs.googleusercontent.com	unknown	unknown	false	high
cdn.jsdelivr.net	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=85.0.4183.121&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1	false		high
https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard	false		high
https://ybron.com/axilor/Office365/mails.js	false	Avira URL Cloud: safe	unknown
https://ybron.com/axilor/Office365/bg.jpg	false	Avira URL Cloud: safe	unknown
https://ybron.com/axilor/Office365/microsoft-.svg	false	Avira URL Cloud: safe	unknown
file:///C:/Users/user/Downloads/Invoice%20173215.pdf.html	true		low
https://smtpjs.com/v3/smtp.js	false	URL Reputation: safe	unknown
https://doc-0g-3c-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/as6j4cm1a3j1cera4enkskui1nh5hivr/1652449800000/04750445292818061454/*/1mmXl38H2-j7e7hD_UJbEMMSnMTA0BtQV?e=download	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://dns.google	f73c7b74-309a-4c40-875b-7634dc278376.tmp.1.dr, f0fd4302-9239-4895-b77e-411880172921.tmp.1.dr, c3a9dd86-9eb3-4b0d-bf28-d02da4b50a71.tmp.1.dr, 40b45761-9b26-44ab-bf02-3b122b02e091.tmp.1.dr	false	URL Reputation: safe	unknown
https://github.com/google/closure-library/wiki/goog.module:-an-ES6-module-like-alternative-to-goog.p	craw_window.js.0.dr, craw_background.js.0.dr	false		high
https://www.google.com/intl/en-US/chrome/blank.html	craw_background.js.0.dr	false		high
https://ogs.google.com	f73c7b74-309a-4c40-875b-7634dc278376.tmp.1.dr, 40b45761-9b26-44ab-bf02-3b122b02e091.tmp.1.dr	false		high
https://cdn.jsdelivr.net/npm/bootstrap	6f9b109d-574d-490d-88c4-a507f995ddcb.tmp.0.dr	false		high
https://doc-0g-3c-docs.googleusercontent.com	40b45761-9b26-44ab-bf02-3b122b02e091.tmp.1.dr	false		high
https://www.google.com/images/cleardot.gif	craw_window.js.0.dr	false		high
https://play.google.com	f73c7b74-309a-4c40-875b-7634dc278376.tmp.1.dr, 40b45761-9b26-44ab-bf02-3b122b02e091.tmp.1.dr	false		high
https://payments.google.com/payments/v4/js/integrator.js	craw_window.js.0.dr, manifest.json.0.dr	false		high
https://chromium.googlesource.com/a/native_client/pnacl-llvm.git	pnacl_public_x86_64_libpnacl_irt_shim_dummy_a.0.dr	false		high
https://cdn.jsdelivr.net/npm/jquery	6f9b109d-574d-490d-88c4-a507f995ddcb.tmp.0.dr	false		high
https://sandbox.google.com/payments/v4/js/integrator.js	craw_window.js.0.dr, manifest.json.0.dr	false		high
https://www.google.com/images/x2.gif	craw_window.js.0.dr	false		high
https://doc-0g-3c-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/as6j4cm1	Invoice 173215.pdf.html_Zone.Identifier.4.dr	false		high
https://accounts.google.com/MergeSession	craw_window.js.0.dr	false		high
http://llvm.org/):	pnacl_public_x86_64_pnacl_sz_nexe.0.dr, pnacl_public_x86_64_pnacl_llc_nexe.0.dr	false		high
https://cdn.jsdelivr.net/npm/bootstrap-icons	6f9b109d-574d-490d-88c4-a507f995ddcb.tmp.0.dr	false		high
https://www.google.com	f73c7b74-309a-4c40-875b-7634dc278376.tmp.1.dr, 40b45761-9b26-44ab-bf02-3b122b02e091.tmp.1.dr	false		high
https://www.google.com/images/dot2.gif	craw_window.js.0.dr	false		high
https://code.google.com/p/nativeclient/issues/entry%s:	pnacl_public_x86_64_ld_nexe.0.dr	false		high
https://code.google.com/p/nativeclient/issues/entry	pnacl_public_x86_64_ld_nexe.0.dr	false		high
https://accounts.google.com	f73c7b74-309a-4c40-875b-7634dc278376.tmp.1.dr, 40b45761-9b26-44ab-bf02-3b122b02e091.tmp.1.dr	false		high
https://drive.google.com	40b45761-9b26-44ab-bf02-3b122b02e091.tmp.1.dr	false		high
https://clients2.googleusercontent.com	f73c7b74-309a-4c40-875b-7634dc278376.tmp.1.dr, 40b45761-9b26-44ab-bf02-3b122b02e091.tmp.1.dr	false		high
https://apis.google.com	f73c7b74-309a-4c40-875b-7634dc278376.tmp.1.dr, 40b45761-9b26-44ab-bf02-3b122b02e091.tmp.1.dr	false		high
https://www.google.com/accounts/OAuthLogin?issueuberauth=1	craw_window.js.0.dr	false		high
https://www.google.com/	manifest.json.0.dr	false		high
https://www-googleapis-staging.sandbox.google.com	craw_window.js.0.dr, craw_background.js.0.dr	false		high
https://chromium.googlesource.com/a/native_client/pnacl-clang.git	pnacl_public_x86_64_libpnacl_irt_shim_dummy_a.0.dr	false		high
https://clients2.google.com	f73c7b74-309a-4c40-875b-7634dc278376.tmp.1.dr, 40b45761-9b26-44ab-bf02-3b122b02e091.tmp.1.dr	false		high
https://clients2.google.com/service/update2/crx	manifest.json0.0.dr, manifest.json.0.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
109.169.71.112	smtpjs.com	United Kingdom	20860	IOMART-ASGB	false
142.250.185.238	drive.google.com	United States	15169	GOOGLEUS	false
142.250.185.193	googlehosted.l.googleusercontent.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
208.91.199.159	ybron.com	United States	394695	PUBLIC-DOMAIN-REGISTRYUS	false
142.250.186.77	accounts.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.1
192.168.2.4
127.0.0.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	626101
Start date and time: 13/05/202215:49:18	2022-05-13 15:49:18 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	https://drive.google.com/uc?export=download&id=1mmXl38H2-j7e7hD_UJbEMMSnMTA0BtQV
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal56.phis.win@30/122@8/9
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.211.5.146, 23.211.6.115, 142.250.184.206, 142.250.185.99, 173.194.160.71, 173.194.160.72, 104.16.85.20, 104.16.87.20, 104.16.88.20, 104.16.86.20, 104.16.89.20, 142.250.186.163, 142.250.185.195, 40.112.88.60, 20.223.24.244
Excluded domains from analysis (whitelisted): storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, cdn.jsdelivr.net.cdn.cloudflare.net, store-images.s-microsoft.com-c.edgekey.net, clientservices.googleapis.com, arc.msn.com, storeedgefd.xbetservices.akadns.net, e12564.dspb.akamaiedge.net, r3---sn-1gi7znes.gvt1.com, r4---sn-4g5edn6k.gvt1.com, redirector.gvt1.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, login.live.com, r2.sn-1gi7znes.gvt1.com, sls.update.microsoft.com, update.googleapis.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, www.gstatic.com, cdn.onenote.net, storeedgefd.dsx.mp.microsoft.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, storeedgefd.dsx.mp.microsoft.com.edgekey.net, ris.api.iris.microsoft.com, r2---sn-1gi7znes.
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	data
Category:	dropped
Size (bytes):	451603
Entropy (8bit):	5.009711072558331
Encrypted:	false
SSDEEP:	12288:ZHfRTyGZ6lup8Cfrvq4JBPKh+FBlESBw4p6:NfOCzvRKhGvwJ
MD5:	A78AD14E77147E7DE3647E61964C0335
SHA1:	CECC3DD41F4CEA0192B24300C71E1911BD4FCE45
SHA-256:	0D6803758FF8F87081FAFD62E90F0950DFB2DD7991E9607FE76A8F92D0E893FA
SHA-512:	DDE24D5AD50D68FC91E9E325D31E66EF8F624B6BB3A07D14FFED1104D3AB5F4EF1D7969A5CDE0DFBB19CB31C506F7DE97AF67C2F244F7E7E8E10648EA8321101
Malicious:	false
Reputation:	low
Preview:	BDic.... ....6...."..Z..4g....6.2...{/...3...5....AF 1363.AF nm.AF pt.AF n1.AF p.AF tc.AF SM.AF M.AF S.AF MS.AF MNR.AF GDS.AF MNT.AF MH.AF MR.AF SZMR.AF MJ.AF MT.AF MY.AF MRZ.AF MN.AF MG.AF RM.AF N.AF MV.AF XM.AF DSM.AF SD.AF G.AF R.AF MNX.AF MRS.AF MD.AF MNRB.AF B.AF ZSMR.AF PM.AF SMNGJ.AF SMN.AF ZMR.AF SMGB.AF MZR.AF GM.AF SMR.AF SMDG.AF RMZ.AF ZM.AF MDG.AF MDT.AF SMNXT.AF SDY.AF LSDG.AF LGDS.AF GLDS.AF UY.AF U.AF DSGNX.AF GNDSX.AF DSG.AF Y.AF GS.AF IEMS.AF YP.AF ZGDRS.AF XGNVDS.AF UT.AF GNDS.AF GVDS.AF MYPS.AF XGNDS.AF TPRY.AF MDSG.AF ZGSDR.AF DYSG.AF PMYTNS.AF AGDS.AF DRZGS.AF PY.AF GSPMDY.AF EGVDS.AF SL.AF GNXDS.AF DSBG.AF IM.AF I.AF MDGS.AF SMY.AF DSGN.AF DSLG.AF GMDS.AF MDSBG.AF SGD.AF IY.AF P.AF DSMG.AF BLZGDRS.AF TR.AF AGSD.AF ZGBDRSL.AF PTRY.AF ASDGV.AF ASM.AF ICANGSD.AF ICAM.AF IKY.AF AMS.AF PMYTRS.AF BZGVDRS.AF SDRBZG.AF GVMDS.AF PSM.AF DGLS.AF GNVXDS.AF AGDSL.AF DGS.AF XDSGNV.AF BZGDRS.AF AM.AF AS.AF A.AF LDSG.AF AGVDS.AF SDG.AF LDSMG.AF EDSMG.AF EY.AF DRSMZG.AF PRYT.AF LZ

Source: file:///C:/Users/user/Downloads/Invoice%20173215.pdf.html	Page Title: Microsoft - Login
Source: file:///C:/Users/user/Downloads/Invoice%20173215.pdf.html	Page Title: Microsoft - Login

Source: Yara match	File source: 39012.0.pages.csv, type: HTML
Source: Yara match	File source: C:\Users\user\Downloads\6f9b109d-574d-490d-88c4-a507f995ddcb.tmp, type: DROPPED

Source: file:///C:/Users/user/Downloads/Invoice%20173215.pdf.html	HTTP Parser: Invalid link: Forgot my Password?
Source: file:///C:/Users/user/Downloads/Invoice%20173215.pdf.html	HTTP Parser: Invalid link: Forgot my Password?

Source: file:///C:/Users/user/Downloads/Invoice%20173215.pdf.html	HTTP Parser: Has password / email / username input fields
Source: file:///C:/Users/user/Downloads/Invoice%20173215.pdf.html	HTTP Parser: Has password / email / username input fields

Source: file:///C:/Users/user/Downloads/Invoice%20173215.pdf.html	HTTP Parser: HTML title missing
Source: file:///C:/Users/user/Downloads/Invoice%20173215.pdf.html	HTTP Parser: HTML title missing

Source: file:///C:/Users/user/Downloads/Invoice%20173215.pdf.html	HTTP Parser: Number of links: 0
Source: file:///C:/Users/user/Downloads/Invoice%20173215.pdf.html	HTTP Parser: Number of links: 0

Source: file:///C:/Users/user/Downloads/Invoice%20173215.pdf.html	HTTP Parser: Invalid link: Privacy Statement
Source: file:///C:/Users/user/Downloads/Invoice%20173215.pdf.html	HTTP Parser: Invalid link: Privacy Statement

Source: file:///C:/Users/user/Downloads/Invoice%20173215.pdf.html	HTTP Parser: No <meta name="author".. found
Source: file:///C:/Users/user/Downloads/Invoice%20173215.pdf.html	HTTP Parser: No <meta name="author".. found

Source: file:///C:/Users/user/Downloads/Invoice%20173215.pdf.html	HTTP Parser: No <meta name="copyright".. found
Source: file:///C:/Users/user/Downloads/Invoice%20173215.pdf.html	HTTP Parser: No <meta name="copyright".. found

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 13 May 2022 13:50:56 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, closeLast-Modified: Tue, 15 Mar 2022 22:07:43 GMTAccept-Ranges: bytesContent-Length: 583Vary: Accept-EncodingContent-Type: text/html
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 13 May 2022 13:50:56 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, closeLast-Modified: Tue, 15 Mar 2022 22:07:43 GMTAccept-Ranges: bytesContent-Length: 583Vary: Accept-EncodingContent-Type: text/html
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 13 May 2022 13:50:56 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, closeLast-Modified: Tue, 15 Mar 2022 22:07:43 GMTAccept-Ranges: bytesContent-Length: 583Vary: Accept-EncodingContent-Type: text/html
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 13 May 2022 13:50:59 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, closeLast-Modified: Tue, 15 Mar 2022 22:07:43 GMTAccept-Ranges: bytesContent-Length: 583Vary: Accept-EncodingContent-Type: text/html
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 13 May 2022 13:50:59 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, closeLast-Modified: Tue, 15 Mar 2022 22:07:43 GMTAccept-Ranges: bytesContent-Length: 583Vary: Accept-EncodingContent-Type: text/html

Source: pnacl_public_x86_64_pnacl_sz_nexe.0.dr, pnacl_public_x86_64_pnacl_llc_nexe.0.dr	String found in binary or memory: http://llvm.org/):
Source: f73c7b74-309a-4c40-875b-7634dc278376.tmp.1.dr, 40b45761-9b26-44ab-bf02-3b122b02e091.tmp.1.dr	String found in binary or memory: https://accounts.google.com
Source: craw_window.js.0.dr	String found in binary or memory: https://accounts.google.com/MergeSession
Source: f73c7b74-309a-4c40-875b-7634dc278376.tmp.1.dr, 40b45761-9b26-44ab-bf02-3b122b02e091.tmp.1.dr	String found in binary or memory: https://apis.google.com
Source: 6f9b109d-574d-490d-88c4-a507f995ddcb.tmp.0.dr	String found in binary or memory: https://cdn.jsdelivr.net/npm/bootstrap
Source: 6f9b109d-574d-490d-88c4-a507f995ddcb.tmp.0.dr	String found in binary or memory: https://cdn.jsdelivr.net/npm/bootstrap-icons
Source: 6f9b109d-574d-490d-88c4-a507f995ddcb.tmp.0.dr	String found in binary or memory: https://cdn.jsdelivr.net/npm/jquery
Source: pnacl_public_x86_64_libpnacl_irt_shim_dummy_a.0.dr	String found in binary or memory: https://chromium.googlesource.com/a/native_client/pnacl-clang.git
Source: pnacl_public_x86_64_libpnacl_irt_shim_dummy_a.0.dr	String found in binary or memory: https://chromium.googlesource.com/a/native_client/pnacl-llvm.git
Source: f73c7b74-309a-4c40-875b-7634dc278376.tmp.1.dr, 40b45761-9b26-44ab-bf02-3b122b02e091.tmp.1.dr	String found in binary or memory: https://clients2.google.com
Source: manifest.json0.0.dr, manifest.json.0.dr	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: f73c7b74-309a-4c40-875b-7634dc278376.tmp.1.dr, 40b45761-9b26-44ab-bf02-3b122b02e091.tmp.1.dr	String found in binary or memory: https://clients2.googleusercontent.com
Source: pnacl_public_x86_64_ld_nexe.0.dr	String found in binary or memory: https://code.google.com/p/nativeclient/issues/entry
Source: pnacl_public_x86_64_ld_nexe.0.dr	String found in binary or memory: https://code.google.com/p/nativeclient/issues/entry%s:
Source: f73c7b74-309a-4c40-875b-7634dc278376.tmp.1.dr, f0fd4302-9239-4895-b77e-411880172921.tmp.1.dr, c3a9dd86-9eb3-4b0d-bf28-d02da4b50a71.tmp.1.dr, 40b45761-9b26-44ab-bf02-3b122b02e091.tmp.1.dr	String found in binary or memory: https://dns.google
Source: 40b45761-9b26-44ab-bf02-3b122b02e091.tmp.1.dr	String found in binary or memory: https://doc-0g-3c-docs.googleusercontent.com
Source: Invoice 173215.pdf.html_Zone.Identifier.4.dr	String found in binary or memory: https://doc-0g-3c-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/as6j4cm1
Source: 40b45761-9b26-44ab-bf02-3b122b02e091.tmp.1.dr	String found in binary or memory: https://drive.google.com
Source: f73c7b74-309a-4c40-875b-7634dc278376.tmp.1.dr	String found in binary or memory: https://fonts.googleapis.com
Source: f73c7b74-309a-4c40-875b-7634dc278376.tmp.1.dr, 40b45761-9b26-44ab-bf02-3b122b02e091.tmp.1.dr	String found in binary or memory: https://fonts.gstatic.com
Source: craw_window.js.0.dr, craw_background.js.0.dr	String found in binary or memory: https://github.com/google/closure-library/wiki/goog.module:-an-ES6-module-like-alternative-to-goog.p
Source: f73c7b74-309a-4c40-875b-7634dc278376.tmp.1.dr, 40b45761-9b26-44ab-bf02-3b122b02e091.tmp.1.dr	String found in binary or memory: https://ogs.google.com
Source: craw_window.js.0.dr, manifest.json.0.dr	String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js
Source: f73c7b74-309a-4c40-875b-7634dc278376.tmp.1.dr, 40b45761-9b26-44ab-bf02-3b122b02e091.tmp.1.dr	String found in binary or memory: https://play.google.com
Source: 40b45761-9b26-44ab-bf02-3b122b02e091.tmp.1.dr	String found in binary or memory: https://r2---sn-1gi7znes.gvt1.com
Source: 40b45761-9b26-44ab-bf02-3b122b02e091.tmp.1.dr	String found in binary or memory: https://redirector.gvt1.com
Source: craw_window.js.0.dr, manifest.json.0.dr	String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js
Source: 6f9b109d-574d-490d-88c4-a507f995ddcb.tmp.0.dr	String found in binary or memory: https://smtpjs.com/v3/smtp.js
Source: f73c7b74-309a-4c40-875b-7634dc278376.tmp.1.dr, 40b45761-9b26-44ab-bf02-3b122b02e091.tmp.1.dr	String found in binary or memory: https://ssl.gstatic.com
Source: craw_window.js.0.dr, craw_background.js.0.dr	String found in binary or memory: https://www-googleapis-staging.sandbox.google.com
Source: f73c7b74-309a-4c40-875b-7634dc278376.tmp.1.dr, 40b45761-9b26-44ab-bf02-3b122b02e091.tmp.1.dr	String found in binary or memory: https://www.google.com
Source: manifest.json.0.dr	String found in binary or memory: https://www.google.com/
Source: craw_window.js.0.dr	String found in binary or memory: https://www.google.com/accounts/OAuthLogin?issueuberauth=1
Source: craw_window.js.0.dr	String found in binary or memory: https://www.google.com/images/cleardot.gif
Source: craw_window.js.0.dr	String found in binary or memory: https://www.google.com/images/dot2.gif
Source: craw_window.js.0.dr	String found in binary or memory: https://www.google.com/images/x2.gif
Source: craw_background.js.0.dr	String found in binary or memory: https://www.google.com/intl/en-US/chrome/blank.html
Source: f73c7b74-309a-4c40-875b-7634dc278376.tmp.1.dr, craw_window.js.0.dr, craw_background.js.0.dr, 40b45761-9b26-44ab-bf02-3b122b02e091.tmp.1.dr	String found in binary or memory: https://www.googleapis.com
Source: manifest.json.0.dr	String found in binary or memory: https://www.googleapis.com/
Source: manifest.json.0.dr	String found in binary or memory: https://www.googleapis.com/auth/chromewebstore
Source: manifest.json.0.dr	String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly
Source: manifest.json.0.dr	String found in binary or memory: https://www.googleapis.com/auth/sierra
Source: manifest.json.0.dr	String found in binary or memory: https://www.googleapis.com/auth/sierrasandbox
Source: f73c7b74-309a-4c40-875b-7634dc278376.tmp.1.dr, 40b45761-9b26-44ab-bf02-3b122b02e091.tmp.1.dr	String found in binary or memory: https://www.gstatic.com
Source: 6f9b109d-574d-490d-88c4-a507f995ddcb.tmp.0.dr	String found in binary or memory: https://ybron.com/axilor/Office365/bg.jpg
Source: 6f9b109d-574d-490d-88c4-a507f995ddcb.tmp.0.dr	String found in binary or memory: https://ybron.com/axilor/Office365/mails.js
Source: 6f9b109d-574d-490d-88c4-a507f995ddcb.tmp.0.dr	String found in binary or memory: https://ybron.com/axilor/Office365/microsoft-.svg

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 13, 2022 15:50:40.988456011 CEST	49743	443	192.168.2.3	142.250.185.238
May 13, 2022 15:50:40.988560915 CEST	443	49743	142.250.185.238	192.168.2.3
May 13, 2022 15:50:40.988668919 CEST	49743	443	192.168.2.3	142.250.185.238
May 13, 2022 15:50:40.989171028 CEST	49743	443	192.168.2.3	142.250.185.238
May 13, 2022 15:50:40.989202023 CEST	443	49743	142.250.185.238	192.168.2.3
May 13, 2022 15:50:40.999043941 CEST	49744	443	192.168.2.3	142.250.185.238
May 13, 2022 15:50:40.999089956 CEST	443	49744	142.250.185.238	192.168.2.3
May 13, 2022 15:50:40.999164104 CEST	49744	443	192.168.2.3	142.250.185.238
May 13, 2022 15:50:40.999530077 CEST	49744	443	192.168.2.3	142.250.185.238
May 13, 2022 15:50:40.999545097 CEST	443	49744	142.250.185.238	192.168.2.3
May 13, 2022 15:50:41.000390053 CEST	49745	443	192.168.2.3	142.250.185.238
May 13, 2022 15:50:41.000439882 CEST	443	49745	142.250.185.238	192.168.2.3
May 13, 2022 15:50:41.000560999 CEST	49745	443	192.168.2.3	142.250.185.238
May 13, 2022 15:50:41.000861883 CEST	49745	443	192.168.2.3	142.250.185.238
May 13, 2022 15:50:41.000891924 CEST	443	49745	142.250.185.238	192.168.2.3
May 13, 2022 15:50:41.010322094 CEST	49746	443	192.168.2.3	142.250.186.77
May 13, 2022 15:50:41.010370016 CEST	443	49746	142.250.186.77	192.168.2.3
May 13, 2022 15:50:41.010461092 CEST	49746	443	192.168.2.3	142.250.186.77
May 13, 2022 15:50:41.011373997 CEST	49746	443	192.168.2.3	142.250.186.77
May 13, 2022 15:50:41.011409044 CEST	443	49746	142.250.186.77	192.168.2.3
May 13, 2022 15:50:41.036959887 CEST	443	49743	142.250.185.238	192.168.2.3
May 13, 2022 15:50:41.037507057 CEST	49743	443	192.168.2.3	142.250.185.238
May 13, 2022 15:50:41.037534952 CEST	443	49743	142.250.185.238	192.168.2.3
May 13, 2022 15:50:41.038156986 CEST	443	49743	142.250.185.238	192.168.2.3
May 13, 2022 15:50:41.038275003 CEST	49743	443	192.168.2.3	142.250.185.238
May 13, 2022 15:50:41.039654970 CEST	443	49743	142.250.185.238	192.168.2.3
May 13, 2022 15:50:41.039758921 CEST	49743	443	192.168.2.3	142.250.185.238
May 13, 2022 15:50:41.045356989 CEST	443	49744	142.250.185.238	192.168.2.3
May 13, 2022 15:50:41.045732975 CEST	443	49745	142.250.185.238	192.168.2.3
May 13, 2022 15:50:41.045818090 CEST	49744	443	192.168.2.3	142.250.185.238
May 13, 2022 15:50:41.045866013 CEST	443	49744	142.250.185.238	192.168.2.3
May 13, 2022 15:50:41.046062946 CEST	49745	443	192.168.2.3	142.250.185.238
May 13, 2022 15:50:41.046107054 CEST	443	49745	142.250.185.238	192.168.2.3
May 13, 2022 15:50:41.046348095 CEST	443	49744	142.250.185.238	192.168.2.3
May 13, 2022 15:50:41.046430111 CEST	443	49745	142.250.185.238	192.168.2.3
May 13, 2022 15:50:41.046449900 CEST	49744	443	192.168.2.3	142.250.185.238
May 13, 2022 15:50:41.046499014 CEST	49745	443	192.168.2.3	142.250.185.238
May 13, 2022 15:50:41.047250032 CEST	443	49745	142.250.185.238	192.168.2.3
May 13, 2022 15:50:41.047323942 CEST	49745	443	192.168.2.3	142.250.185.238
May 13, 2022 15:50:41.047595978 CEST	443	49744	142.250.185.238	192.168.2.3
May 13, 2022 15:50:41.047740936 CEST	49744	443	192.168.2.3	142.250.185.238
May 13, 2022 15:50:41.069031000 CEST	443	49746	142.250.186.77	192.168.2.3
May 13, 2022 15:50:41.069503069 CEST	49746	443	192.168.2.3	142.250.186.77
May 13, 2022 15:50:41.069542885 CEST	443	49746	142.250.186.77	192.168.2.3
May 13, 2022 15:50:41.070842981 CEST	443	49746	142.250.186.77	192.168.2.3
May 13, 2022 15:50:41.070976973 CEST	49746	443	192.168.2.3	142.250.186.77
May 13, 2022 15:50:42.203444958 CEST	49743	443	192.168.2.3	142.250.185.238
May 13, 2022 15:50:42.203666925 CEST	443	49743	142.250.185.238	192.168.2.3
May 13, 2022 15:50:42.203830957 CEST	49745	443	192.168.2.3	142.250.185.238
May 13, 2022 15:50:42.204030037 CEST	443	49745	142.250.185.238	192.168.2.3
May 13, 2022 15:50:42.204058886 CEST	49744	443	192.168.2.3	142.250.185.238
May 13, 2022 15:50:42.204238892 CEST	443	49744	142.250.185.238	192.168.2.3
May 13, 2022 15:50:42.204554081 CEST	49746	443	192.168.2.3	142.250.186.77
May 13, 2022 15:50:42.204706907 CEST	443	49746	142.250.186.77	192.168.2.3
May 13, 2022 15:50:42.205266953 CEST	49743	443	192.168.2.3	142.250.185.238
May 13, 2022 15:50:42.205286026 CEST	443	49743	142.250.185.238	192.168.2.3
May 13, 2022 15:50:42.205437899 CEST	49745	443	192.168.2.3	142.250.185.238
May 13, 2022 15:50:42.205457926 CEST	443	49745	142.250.185.238	192.168.2.3
May 13, 2022 15:50:42.206218958 CEST	49746	443	192.168.2.3	142.250.186.77
May 13, 2022 15:50:42.206239939 CEST	443	49746	142.250.186.77	192.168.2.3
May 13, 2022 15:50:42.233099937 CEST	443	49743	142.250.185.238	192.168.2.3
May 13, 2022 15:50:42.233187914 CEST	443	49743	142.250.185.238	192.168.2.3
May 13, 2022 15:50:42.233195066 CEST	49743	443	192.168.2.3	142.250.185.238
May 13, 2022 15:50:42.233243942 CEST	49743	443	192.168.2.3	142.250.185.238
May 13, 2022 15:50:42.246288061 CEST	49743	443	192.168.2.3	142.250.185.238
May 13, 2022 15:50:42.246323109 CEST	443	49743	142.250.185.238	192.168.2.3
May 13, 2022 15:50:42.257214069 CEST	443	49746	142.250.186.77	192.168.2.3
May 13, 2022 15:50:42.257339954 CEST	49746	443	192.168.2.3	142.250.186.77
May 13, 2022 15:50:42.257348061 CEST	443	49746	142.250.186.77	192.168.2.3
May 13, 2022 15:50:42.257401943 CEST	49746	443	192.168.2.3	142.250.186.77
May 13, 2022 15:50:42.281141043 CEST	49745	443	192.168.2.3	142.250.185.238
May 13, 2022 15:50:42.291245937 CEST	49746	443	192.168.2.3	142.250.186.77
May 13, 2022 15:50:42.291275024 CEST	443	49746	142.250.186.77	192.168.2.3
May 13, 2022 15:50:42.292805910 CEST	49744	443	192.168.2.3	142.250.185.238
May 13, 2022 15:50:42.292826891 CEST	443	49744	142.250.185.238	192.168.2.3
May 13, 2022 15:50:42.392821074 CEST	49744	443	192.168.2.3	142.250.185.238
May 13, 2022 15:50:42.530869007 CEST	443	49745	142.250.185.238	192.168.2.3
May 13, 2022 15:50:42.533477068 CEST	443	49745	142.250.185.238	192.168.2.3
May 13, 2022 15:50:42.533576965 CEST	49745	443	192.168.2.3	142.250.185.238
May 13, 2022 15:50:42.579195976 CEST	49745	443	192.168.2.3	142.250.185.238
May 13, 2022 15:50:42.579230070 CEST	443	49745	142.250.185.238	192.168.2.3
May 13, 2022 15:50:42.709919930 CEST	49751	443	192.168.2.3	142.250.185.193
May 13, 2022 15:50:42.709955931 CEST	443	49751	142.250.185.193	192.168.2.3
May 13, 2022 15:50:42.710033894 CEST	49751	443	192.168.2.3	142.250.185.193
May 13, 2022 15:50:42.710369110 CEST	49751	443	192.168.2.3	142.250.185.193
May 13, 2022 15:50:42.710381985 CEST	443	49751	142.250.185.193	192.168.2.3
May 13, 2022 15:50:42.763088942 CEST	443	49751	142.250.185.193	192.168.2.3
May 13, 2022 15:50:42.794986010 CEST	49751	443	192.168.2.3	142.250.185.193
May 13, 2022 15:50:42.795007944 CEST	443	49751	142.250.185.193	192.168.2.3
May 13, 2022 15:50:42.795593023 CEST	443	49751	142.250.185.193	192.168.2.3
May 13, 2022 15:50:42.795667887 CEST	49751	443	192.168.2.3	142.250.185.193
May 13, 2022 15:50:42.796766043 CEST	443	49751	142.250.185.193	192.168.2.3
May 13, 2022 15:50:42.796854019 CEST	49751	443	192.168.2.3	142.250.185.193
May 13, 2022 15:50:42.802755117 CEST	49751	443	192.168.2.3	142.250.185.193
May 13, 2022 15:50:42.802978039 CEST	443	49751	142.250.185.193	192.168.2.3
May 13, 2022 15:50:42.803417921 CEST	49751	443	192.168.2.3	142.250.185.193
May 13, 2022 15:50:42.803441048 CEST	443	49751	142.250.185.193	192.168.2.3
May 13, 2022 15:50:42.882314920 CEST	49751	443	192.168.2.3	142.250.185.193
May 13, 2022 15:50:43.060514927 CEST	443	49751	142.250.185.193	192.168.2.3
May 13, 2022 15:50:43.060540915 CEST	443	49751	142.250.185.193	192.168.2.3
May 13, 2022 15:50:43.060626030 CEST	49751	443	192.168.2.3	142.250.185.193
May 13, 2022 15:50:43.061959982 CEST	443	49751	142.250.185.193	192.168.2.3
May 13, 2022 15:50:43.061976910 CEST	443	49751	142.250.185.193	192.168.2.3
May 13, 2022 15:50:43.062030077 CEST	49751	443	192.168.2.3	142.250.185.193
May 13, 2022 15:50:43.063003063 CEST	443	49751	142.250.185.193	192.168.2.3
May 13, 2022 15:50:43.063083887 CEST	49751	443	192.168.2.3	142.250.185.193
May 13, 2022 15:50:43.063086987 CEST	443	49751	142.250.185.193	192.168.2.3
May 13, 2022 15:50:43.063138008 CEST	49751	443	192.168.2.3	142.250.185.193
May 13, 2022 15:50:43.121817112 CEST	49751	443	192.168.2.3	142.250.185.193
May 13, 2022 15:50:43.121845961 CEST	443	49751	142.250.185.193	192.168.2.3
May 13, 2022 15:50:54.358697891 CEST	49744	443	192.168.2.3	142.250.185.238
May 13, 2022 15:50:54.359020948 CEST	443	49744	142.250.185.238	192.168.2.3
May 13, 2022 15:50:54.359078884 CEST	443	49744	142.250.185.238	192.168.2.3
May 13, 2022 15:50:54.359137058 CEST	49744	443	192.168.2.3	142.250.185.238
May 13, 2022 15:50:54.359201908 CEST	49744	443	192.168.2.3	142.250.185.238
May 13, 2022 15:50:55.528901100 CEST	49776	443	192.168.2.3	109.169.71.112
May 13, 2022 15:50:55.529114008 CEST	443	49776	109.169.71.112	192.168.2.3
May 13, 2022 15:50:55.529244900 CEST	49776	443	192.168.2.3	109.169.71.112
May 13, 2022 15:50:55.529680014 CEST	49776	443	192.168.2.3	109.169.71.112
May 13, 2022 15:50:55.529721975 CEST	443	49776	109.169.71.112	192.168.2.3
May 13, 2022 15:50:55.625037909 CEST	443	49776	109.169.71.112	192.168.2.3
May 13, 2022 15:50:55.625504971 CEST	49776	443	192.168.2.3	109.169.71.112
May 13, 2022 15:50:55.625545979 CEST	443	49776	109.169.71.112	192.168.2.3
May 13, 2022 15:50:55.626581907 CEST	443	49776	109.169.71.112	192.168.2.3
May 13, 2022 15:50:55.626694918 CEST	49776	443	192.168.2.3	109.169.71.112
May 13, 2022 15:50:55.643451929 CEST	49776	443	192.168.2.3	109.169.71.112
May 13, 2022 15:50:55.643632889 CEST	443	49776	109.169.71.112	192.168.2.3
May 13, 2022 15:50:55.643831968 CEST	49776	443	192.168.2.3	109.169.71.112
May 13, 2022 15:50:55.643867016 CEST	443	49776	109.169.71.112	192.168.2.3
May 13, 2022 15:50:55.673206091 CEST	443	49776	109.169.71.112	192.168.2.3
May 13, 2022 15:50:55.673403978 CEST	49776	443	192.168.2.3	109.169.71.112
May 13, 2022 15:50:55.716816902 CEST	49776	443	192.168.2.3	109.169.71.112
May 13, 2022 15:50:55.716861010 CEST	443	49776	109.169.71.112	192.168.2.3
May 13, 2022 15:50:55.945271969 CEST	49777	443	192.168.2.3	208.91.199.159
May 13, 2022 15:50:55.945322037 CEST	443	49777	208.91.199.159	192.168.2.3
May 13, 2022 15:50:55.945456982 CEST	49777	443	192.168.2.3	208.91.199.159
May 13, 2022 15:50:55.945729971 CEST	49778	443	192.168.2.3	208.91.199.159
May 13, 2022 15:50:55.945794106 CEST	443	49778	208.91.199.159	192.168.2.3
May 13, 2022 15:50:55.945885897 CEST	49778	443	192.168.2.3	208.91.199.159
May 13, 2022 15:50:55.946119070 CEST	49779	443	192.168.2.3	208.91.199.159
May 13, 2022 15:50:55.946154118 CEST	443	49779	208.91.199.159	192.168.2.3
May 13, 2022 15:50:55.946233988 CEST	49779	443	192.168.2.3	208.91.199.159
May 13, 2022 15:50:55.946471930 CEST	49777	443	192.168.2.3	208.91.199.159
May 13, 2022 15:50:55.946489096 CEST	443	49777	208.91.199.159	192.168.2.3
May 13, 2022 15:50:55.946739912 CEST	49778	443	192.168.2.3	208.91.199.159
May 13, 2022 15:50:55.946768999 CEST	443	49778	208.91.199.159	192.168.2.3
May 13, 2022 15:50:55.946959972 CEST	49779	443	192.168.2.3	208.91.199.159
May 13, 2022 15:50:55.946980953 CEST	443	49779	208.91.199.159	192.168.2.3
May 13, 2022 15:50:56.282104969 CEST	443	49779	208.91.199.159	192.168.2.3
May 13, 2022 15:50:56.286799908 CEST	443	49778	208.91.199.159	192.168.2.3
May 13, 2022 15:50:56.287051916 CEST	443	49777	208.91.199.159	192.168.2.3
May 13, 2022 15:50:56.288924932 CEST	49779	443	192.168.2.3	208.91.199.159
May 13, 2022 15:50:56.288963079 CEST	443	49779	208.91.199.159	192.168.2.3
May 13, 2022 15:50:56.289216042 CEST	49778	443	192.168.2.3	208.91.199.159
May 13, 2022 15:50:56.289257050 CEST	443	49778	208.91.199.159	192.168.2.3
May 13, 2022 15:50:56.289546967 CEST	49777	443	192.168.2.3	208.91.199.159
May 13, 2022 15:50:56.289587021 CEST	443	49777	208.91.199.159	192.168.2.3
May 13, 2022 15:50:56.290163994 CEST	443	49779	208.91.199.159	192.168.2.3
May 13, 2022 15:50:56.290286064 CEST	49779	443	192.168.2.3	208.91.199.159
May 13, 2022 15:50:56.291117907 CEST	443	49778	208.91.199.159	192.168.2.3
May 13, 2022 15:50:56.291223049 CEST	49778	443	192.168.2.3	208.91.199.159
May 13, 2022 15:50:56.291343927 CEST	443	49777	208.91.199.159	192.168.2.3
May 13, 2022 15:50:56.291610003 CEST	49777	443	192.168.2.3	208.91.199.159
May 13, 2022 15:50:56.298368931 CEST	49779	443	192.168.2.3	208.91.199.159
May 13, 2022 15:50:56.298540115 CEST	443	49779	208.91.199.159	192.168.2.3
May 13, 2022 15:50:56.298888922 CEST	49778	443	192.168.2.3	208.91.199.159
May 13, 2022 15:50:56.299128056 CEST	443	49778	208.91.199.159	192.168.2.3
May 13, 2022 15:50:56.299527884 CEST	49777	443	192.168.2.3	208.91.199.159
May 13, 2022 15:50:56.299815893 CEST	443	49777	208.91.199.159	192.168.2.3
May 13, 2022 15:50:56.300000906 CEST	49779	443	192.168.2.3	208.91.199.159
May 13, 2022 15:50:56.300040960 CEST	443	49779	208.91.199.159	192.168.2.3
May 13, 2022 15:50:56.300126076 CEST	49778	443	192.168.2.3	208.91.199.159
May 13, 2022 15:50:56.300163031 CEST	443	49778	208.91.199.159	192.168.2.3
May 13, 2022 15:50:56.300529003 CEST	49777	443	192.168.2.3	208.91.199.159
May 13, 2022 15:50:56.300554037 CEST	443	49777	208.91.199.159	192.168.2.3
May 13, 2022 15:50:56.383373022 CEST	49778	443	192.168.2.3	208.91.199.159
May 13, 2022 15:50:56.383377075 CEST	49777	443	192.168.2.3	208.91.199.159
May 13, 2022 15:50:56.394339085 CEST	49779	443	192.168.2.3	208.91.199.159
May 13, 2022 15:50:56.605645895 CEST	443	49779	208.91.199.159	192.168.2.3
May 13, 2022 15:50:56.605773926 CEST	443	49779	208.91.199.159	192.168.2.3
May 13, 2022 15:50:56.605865955 CEST	49779	443	192.168.2.3	208.91.199.159
May 13, 2022 15:50:56.606132984 CEST	443	49778	208.91.199.159	192.168.2.3
May 13, 2022 15:50:56.606210947 CEST	443	49778	208.91.199.159	192.168.2.3
May 13, 2022 15:50:56.606282949 CEST	49778	443	192.168.2.3	208.91.199.159
May 13, 2022 15:50:56.606746912 CEST	443	49777	208.91.199.159	192.168.2.3
May 13, 2022 15:50:56.606832981 CEST	443	49777	208.91.199.159	192.168.2.3
May 13, 2022 15:50:56.606908083 CEST	49777	443	192.168.2.3	208.91.199.159
May 13, 2022 15:50:56.617477894 CEST	49779	443	192.168.2.3	208.91.199.159
May 13, 2022 15:50:56.617508888 CEST	443	49779	208.91.199.159	192.168.2.3
May 13, 2022 15:50:56.618125916 CEST	49778	443	192.168.2.3	208.91.199.159
May 13, 2022 15:50:56.618158102 CEST	443	49778	208.91.199.159	192.168.2.3
May 13, 2022 15:50:56.623707056 CEST	49777	443	192.168.2.3	208.91.199.159
May 13, 2022 15:50:56.623758078 CEST	443	49777	208.91.199.159	192.168.2.3
May 13, 2022 15:50:58.600292921 CEST	49788	443	192.168.2.3	208.91.199.159
May 13, 2022 15:50:58.600363016 CEST	443	49788	208.91.199.159	192.168.2.3
May 13, 2022 15:50:58.600497961 CEST	49788	443	192.168.2.3	208.91.199.159
May 13, 2022 15:50:58.600645065 CEST	49789	443	192.168.2.3	208.91.199.159
May 13, 2022 15:50:58.600707054 CEST	443	49789	208.91.199.159	192.168.2.3
May 13, 2022 15:50:58.600826979 CEST	49789	443	192.168.2.3	208.91.199.159
May 13, 2022 15:50:58.604119062 CEST	49788	443	192.168.2.3	208.91.199.159
May 13, 2022 15:50:58.604162931 CEST	443	49788	208.91.199.159	192.168.2.3
May 13, 2022 15:50:58.604201078 CEST	49789	443	192.168.2.3	208.91.199.159
May 13, 2022 15:50:58.604234934 CEST	443	49789	208.91.199.159	192.168.2.3
May 13, 2022 15:50:58.936150074 CEST	443	49789	208.91.199.159	192.168.2.3
May 13, 2022 15:50:58.936292887 CEST	49789	443	192.168.2.3	208.91.199.159
May 13, 2022 15:50:58.937726974 CEST	443	49788	208.91.199.159	192.168.2.3
May 13, 2022 15:50:58.937880039 CEST	49788	443	192.168.2.3	208.91.199.159
May 13, 2022 15:50:59.097165108 CEST	49789	443	192.168.2.3	208.91.199.159
May 13, 2022 15:50:59.097201109 CEST	443	49789	208.91.199.159	192.168.2.3
May 13, 2022 15:50:59.097548962 CEST	443	49789	208.91.199.159	192.168.2.3
May 13, 2022 15:50:59.097636938 CEST	49789	443	192.168.2.3	208.91.199.159
May 13, 2022 15:50:59.100361109 CEST	49788	443	192.168.2.3	208.91.199.159
May 13, 2022 15:50:59.100387096 CEST	443	49788	208.91.199.159	192.168.2.3
May 13, 2022 15:50:59.100744963 CEST	443	49788	208.91.199.159	192.168.2.3
May 13, 2022 15:50:59.100847006 CEST	49788	443	192.168.2.3	208.91.199.159
May 13, 2022 15:50:59.102734089 CEST	49789	443	192.168.2.3	208.91.199.159
May 13, 2022 15:50:59.103002071 CEST	49788	443	192.168.2.3	208.91.199.159
May 13, 2022 15:50:59.144501925 CEST	443	49789	208.91.199.159	192.168.2.3
May 13, 2022 15:50:59.144511938 CEST	443	49788	208.91.199.159	192.168.2.3
May 13, 2022 15:50:59.270098925 CEST	443	49789	208.91.199.159	192.168.2.3
May 13, 2022 15:50:59.270114899 CEST	443	49788	208.91.199.159	192.168.2.3
May 13, 2022 15:50:59.270190954 CEST	443	49788	208.91.199.159	192.168.2.3
May 13, 2022 15:50:59.270199060 CEST	443	49789	208.91.199.159	192.168.2.3
May 13, 2022 15:50:59.270265102 CEST	49789	443	192.168.2.3	208.91.199.159
May 13, 2022 15:50:59.270325899 CEST	49788	443	192.168.2.3	208.91.199.159
May 13, 2022 15:50:59.270327091 CEST	49789	443	192.168.2.3	208.91.199.159
May 13, 2022 15:50:59.270337105 CEST	49788	443	192.168.2.3	208.91.199.159
May 13, 2022 15:50:59.324315071 CEST	49789	443	192.168.2.3	208.91.199.159
May 13, 2022 15:50:59.324353933 CEST	443	49789	208.91.199.159	192.168.2.3
May 13, 2022 15:50:59.324368954 CEST	49789	443	192.168.2.3	208.91.199.159
May 13, 2022 15:50:59.324428082 CEST	49789	443	192.168.2.3	208.91.199.159
May 13, 2022 15:50:59.325016022 CEST	49788	443	192.168.2.3	208.91.199.159
May 13, 2022 15:50:59.325058937 CEST	443	49788	208.91.199.159	192.168.2.3
May 13, 2022 15:50:59.325068951 CEST	49788	443	192.168.2.3	208.91.199.159
May 13, 2022 15:50:59.325107098 CEST	49788	443	192.168.2.3	208.91.199.159

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 13, 2022 15:50:40.915493965 CEST	49873	53	192.168.2.3	8.8.8.8
May 13, 2022 15:50:40.922449112 CEST	53802	53	192.168.2.3	8.8.8.8
May 13, 2022 15:50:40.933275938 CEST	53	49873	8.8.8.8	192.168.2.3
May 13, 2022 15:50:40.933851004 CEST	65266	53	192.168.2.3	8.8.8.8
May 13, 2022 15:50:40.940109968 CEST	53	53802	8.8.8.8	192.168.2.3
May 13, 2022 15:50:40.961762905 CEST	53	65266	8.8.8.8	192.168.2.3
May 13, 2022 15:50:42.601218939 CEST	51391	53	192.168.2.3	8.8.8.8
May 13, 2022 15:50:42.629271984 CEST	53	51391	8.8.8.8	192.168.2.3
May 13, 2022 15:50:48.300677061 CEST	61383	443	192.168.2.3	142.250.185.238
May 13, 2022 15:50:48.324575901 CEST	443	61383	142.250.185.238	192.168.2.3
May 13, 2022 15:50:48.326252937 CEST	61383	443	192.168.2.3	142.250.185.238
May 13, 2022 15:50:48.349764109 CEST	443	61383	142.250.185.238	192.168.2.3
May 13, 2022 15:50:48.349793911 CEST	443	61383	142.250.185.238	192.168.2.3
May 13, 2022 15:50:48.349811077 CEST	443	61383	142.250.185.238	192.168.2.3
May 13, 2022 15:50:48.349828005 CEST	443	61383	142.250.185.238	192.168.2.3
May 13, 2022 15:50:48.350282907 CEST	61383	443	192.168.2.3	142.250.185.238
May 13, 2022 15:50:48.352315903 CEST	61383	443	192.168.2.3	142.250.185.238
May 13, 2022 15:50:48.406769037 CEST	61383	443	192.168.2.3	142.250.185.238
May 13, 2022 15:50:48.414421082 CEST	61383	443	192.168.2.3	142.250.185.238
May 13, 2022 15:50:48.438035965 CEST	443	61383	142.250.185.238	192.168.2.3
May 13, 2022 15:50:48.448179007 CEST	443	61383	142.250.185.238	192.168.2.3
May 13, 2022 15:50:48.448210955 CEST	443	61383	142.250.185.238	192.168.2.3
May 13, 2022 15:50:48.448225021 CEST	443	61383	142.250.185.238	192.168.2.3
May 13, 2022 15:50:48.465732098 CEST	443	61383	142.250.185.238	192.168.2.3
May 13, 2022 15:50:48.473216057 CEST	61383	443	192.168.2.3	142.250.185.238
May 13, 2022 15:50:48.473661900 CEST	61383	443	192.168.2.3	142.250.185.238
May 13, 2022 15:50:48.473787069 CEST	61383	443	192.168.2.3	142.250.185.238
May 13, 2022 15:50:54.597759008 CEST	52810	53	192.168.2.3	8.8.8.8
May 13, 2022 15:50:55.449970961 CEST	50778	53	192.168.2.3	8.8.8.8
May 13, 2022 15:50:55.453960896 CEST	55151	53	192.168.2.3	8.8.8.8
May 13, 2022 15:50:55.469419003 CEST	53	50778	8.8.8.8	192.168.2.3
May 13, 2022 15:50:55.858757973 CEST	53	55151	8.8.8.8	192.168.2.3
May 13, 2022 15:50:58.174274921 CEST	59795	53	192.168.2.3	8.8.8.8
May 13, 2022 15:50:58.551825047 CEST	53	59795	8.8.8.8	192.168.2.3
May 13, 2022 15:51:03.447864056 CEST	61383	443	192.168.2.3	142.250.185.238
May 13, 2022 15:51:03.489752054 CEST	443	61383	142.250.185.238	192.168.2.3

Timestamp	kBytes transferred	Direction	Data
2022-05-13 13:50:42 UTC	0	OUT	GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=85.0.4183.121&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1 Host: clients2.google.com Connection: keep-alive X-Goog-Update-Interactivity: fg X-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda,pkedcjkdefgpdelpbcmbmeomcjbeemfm X-Goog-Update-Updater: chromecrx-85.0.4183.121 Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2022-05-13 13:50:42 UTC	1	IN	HTTP/1.1 200 OK Content-Security-Policy: script-src 'report-sample' 'nonce-292tmiRtCw50mSuT7iFNWQ' 'unsafe-inline' 'strict-dynamic' https: http:;object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/clientupdate-aus/1 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 13 May 2022 13:50:42 GMT Content-Type: text/xml; charset=UTF-8 X-Daynum: 5611 X-Daystart: 24642 X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block Server: GSE Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43" Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2022-05-13 13:50:42 UTC	2	IN	Data Raw: 33 36 64 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 67 75 70 64 61 74 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 75 70 64 61 74 65 32 2f 72 65 73 70 6f 6e 73 65 22 20 70 72 6f 74 6f 63 6f 6c 3d 22 32 2e 30 22 20 73 65 72 76 65 72 3d 22 70 72 6f 64 22 3e 3c 64 61 79 73 74 61 72 74 20 65 6c 61 70 73 65 64 5f 64 61 79 73 3d 22 35 36 31 31 22 20 65 6c 61 70 73 65 64 5f 73 65 63 6f 6e 64 73 3d 22 32 34 36 34 32 22 2f 3e 3c 61 70 70 20 61 70 70 69 64 3d 22 6e 6d 6d 68 6b 6b 65 67 63 63 61 67 64 6c 64 67 69 69 6d 65 64 70 69 63 63 6d 67 6d 69 65 64 61 22 20 63 6f 68 6f 72 74 3d 22 31 3a 3a 22 20 63 6f 68 6f 72 74 6e 61 6d 65 3d 22 22 Data Ascii: 36d<?xml version="1.0" encoding="UTF-8"?><gupdate xmlns="http://www.google.com/update2/response" protocol="2.0" server="prod"><daystart elapsed_days="5611" elapsed_seconds="24642"/><app appid="nmmhkkegccagdldgiimedpiccmgmieda" cohort="1::" cohortname=""
2022-05-13 13:50:42 UTC	3	IN	Data Raw: 6d 6d 68 6b 6b 65 67 63 63 61 67 64 6c 64 67 69 69 6d 65 64 70 69 63 63 6d 67 6d 69 65 64 61 2e 63 72 78 22 20 66 70 3d 22 31 2e 38 31 65 33 61 34 64 34 33 61 37 33 36 39 39 65 31 62 37 37 38 31 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 68 61 73 68 5f 73 68 61 32 35 36 3d 22 38 31 65 33 61 34 64 34 33 61 37 33 36 39 39 65 31 62 37 37 38 31 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 70 72 6f 74 65 63 74 65 64 3d 22 30 22 20 73 69 7a 65 3d 22 32 34 38 35 33 31 22 20 73 74 61 74 75 73 3d 22 6f 6b 22 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 2e 30 2e 36 22 2f 3e 3c 2f 61 70 70 3e 3c 61 Data Ascii: mmhkkegccagdldgiimedpiccmgmieda.crx" fp="1.81e3a4d43a73699e1b7781723f56b8717175c536685c5450122b30789464ad82" hash_sha256="81e3a4d43a73699e1b7781723f56b8717175c536685c5450122b30789464ad82" protected="0" size="248531" status="ok" version="1.0.0.6"/></app><a
2022-05-13 13:50:42 UTC	3	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	kBytes transferred	Direction	Data
2022-05-13 13:50:42 UTC	0	OUT	GET /uc?export=download&id=1mmXl38H2-j7e7hD_UJbEMMSnMTA0BtQV HTTP/1.1 Host: drive.google.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2022-05-13 13:50:42 UTC	5	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 13 May 2022 13:50:42 GMT Location: https://doc-0g-3c-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/as6j4cm1a3j1cera4enkskui1nh5hivr/1652449800000/04750445292818061454//1mmXl38H2-j7e7hD_UJbEMMSnMTA0BtQV?e=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-platform=, ch-ua-platform-version= Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-wwxtLVXi/jmJP+sGWn7vkA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'nonce-wwxtLVXi/jmJP+sGWn7vkA' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43" Connection: close

Timestamp	kBytes transferred	Direction	Data
2022-05-13 13:50:42 UTC	1	OUT	POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1 Host: accounts.google.com Connection: keep-alive Content-Length: 1 Origin: https://www.google.com Content-Type: application/x-www-form-urlencoded Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2022-05-13 13:50:42 UTC	1	OUT	Data Raw: 20 Data Ascii:
2022-05-13 13:50:42 UTC	3	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Access-Control-Allow-Origin: https://www.google.com Access-Control-Allow-Credentials: true X-Content-Type-Options: nosniff Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 13 May 2022 13:50:42 GMT Strict-Transport-Security: max-age=31536000; includeSubDomains Content-Security-Policy: script-src 'report-sample' 'nonce-SxKT9q9R097RBtJ55_zmWg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/IdentityListAccountsHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'nonce-SxKT9q9R097RBtJ55_zmWg' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/IdentityListAccountsHttp/cspreport Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/IdentityListAccountsHttp/cspreport Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43" Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2022-05-13 13:50:42 UTC	5	IN	Data Raw: 31 31 0d 0a 5b 22 67 61 69 61 2e 6c 2e 61 2e 72 22 2c 5b 5d 5d 0d 0a Data Ascii: 11["gaia.l.a.r",[]]
2022-05-13 13:50:42 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	kBytes transferred	Direction	Data
2022-05-13 13:50:42 UTC	6	OUT	GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/as6j4cm1a3j1cera4enkskui1nh5hivr/1652449800000/04750445292818061454//1mmXl38H2-j7e7hD_UJbEMMSnMTA0BtQV?e=download HTTP/1.1 Host: doc-0g-3c-docs.googleusercontent.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2022-05-13 13:50:43 UTC	7	IN	HTTP/1.1 200 OK X-GUploader-UploadID: ADPycduHrN7SLGepTMQl34m-YZddeULr0Qf91GjWsRFTPGXx-uCE2MKFdiFtHnxdqu1g8pZcWZqR1ROaLlAbD3tOU5uZf-jENRNJ Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, x-chrome-connected, X-ClientDetails, X-Client-Version, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, x-goog-ext-124712974-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, X-Goog-Api-Key, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Android-Package, X-Ariane-Xsrf-Token, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-ViewerInfo, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment Access-Control-Allow-Methods: GET,OPTIONS Content-Type: text/html Content-Disposition: attachment;filename="Invoice 173215.pdf.html";filename*=UTF-8''Invoice%20173215.pdf.html Content-Length: 5389 Date: Fri, 13 May 2022 13:50:43 GMT Expires: Fri, 13 May 2022 13:50:43 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=SsKJew== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43" Connection: close
2022-05-13 13:50:43 UTC	11	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0d 0a 20 20 20 20 3c 21 2d 2d 20 62 6f 6f 74 73 74 72 61 70 20 63 73 73 20 2d 2d 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="UTF-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> ... bootstrap css --> <link rel="styl
2022-05-13 13:50:43 UTC	15	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6c 61 73 73 3d 22 6d 62 2d 33 20 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 2d 35 20 62 6f 72 64 65 72 2d 74 6f 70 2d 30 20 62 6f 72 64 65 72 2d 6c 65 66 74 2d 30 20 62 6f 72 64 65 72 2d 72 69 67 68 74 2d 30 20 62 6f 72 64 65 72 2d 73 65 63 6f 6e 64 61 72 79 20 66 6f 72 6d 2d 63 6f 6e 74 72 6f 6c 20 70 79 2d 34 20 22 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 45 6e 74 65 72 20 50 61 73 73 77 6f 72 64 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 23 22 20 63 6c 61 73 73 3d 22 6d 79 2d 32 22 3e 53 69 67 6e 20 69 Data Ascii: class="mb-3 border-bottom-5 border-top-0 border-left-0 border-right-0 border-secondary form-control py-4 " placeholder="Enter Password"> <a href="#" class="my-2">Sign i

Timestamp	kBytes transferred	Direction	Data
2022-05-13 13:50:55 UTC	16	OUT	GET /v3/smtp.js HTTP/1.1 Host: smtpjs.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36 Accept: / Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2022-05-13 13:50:55 UTC	16	IN	HTTP/1.1 200 OK Content-Type: application/javascript Last-Modified: Tue, 10 Nov 2020 17:17:51 GMT Accept-Ranges: bytes ETag: "162f436b85b7d61:0" Server: Microsoft-IIS/10.0 X-Powered-By: ASP.NET Access-Control-Allow-Origin: * Date: Fri, 13 May 2022 13:50:55 GMT Connection: close Content-Length: 871
2022-05-13 13:50:55 UTC	17	IN	Data Raw: ef bb bf 2f 2a 20 53 6d 74 70 4a 53 2e 63 6f 6d 20 2d 20 76 33 2e 30 2e 30 20 2a 2f 0d 0a 76 61 72 20 45 6d 61 69 6c 20 3d 20 7b 20 73 65 6e 64 3a 20 66 75 6e 63 74 69 6f 6e 20 28 61 29 20 7b 20 72 65 74 75 72 6e 20 6e 65 77 20 50 72 6f 6d 69 73 65 28 66 75 6e 63 74 69 6f 6e 20 28 6e 2c 20 65 29 20 7b 20 61 2e 6e 6f 63 61 63 68 65 20 3d 20 4d 61 74 68 2e 66 6c 6f 6f 72 28 31 65 36 20 2a 20 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 20 2b 20 31 29 2c 20 61 2e 41 63 74 69 6f 6e 20 3d 20 22 53 65 6e 64 22 3b 20 76 61 72 20 74 20 3d 20 4a 53 4f 4e 2e 73 74 72 69 6e 67 69 66 79 28 61 29 3b 20 45 6d 61 69 6c 2e 61 6a 61 78 50 6f 73 74 28 22 68 74 74 70 73 3a 2f 2f 73 6d 74 70 6a 73 2e 63 6f 6d 2f 76 33 2f 73 6d 74 70 6a 73 2e 61 73 70 78 3f 22 2c 20 74 2c 20 66 75 Data Ascii: /* SmtpJS.com - v3.0.0 /var Email = { send: function (a) { return new Promise(function (n, e) { a.nocache = Math.floor(1e6 Math.random() + 1), a.Action = "Send"; var t = JSON.stringify(a); Email.ajaxPost("https://smtpjs.com/v3/smtpjs.aspx?", t, fu

Timestamp	kBytes transferred	Direction	Data
2022-05-13 13:50:56 UTC	18	OUT	GET /axilor/Office365/mails.js HTTP/1.1 Host: ybron.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36 Accept: / Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2022-05-13 13:50:56 UTC	19	IN	HTTP/1.1 404 Not Found Date: Fri, 13 May 2022 13:50:56 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Last-Modified: Tue, 15 Mar 2022 22:07:43 GMT Accept-Ranges: bytes Content-Length: 583 Vary: Accept-Encoding Content-Type: text/html
2022-05-13 13:50:56 UTC	19	IN	Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 2e 6c 6f 61 64 65 72 20 7b 20 62 6f 72 64 65 72 3a 20 31 36 70 78 20 73 6f 6c 69 64 20 23 66 33 66 33 66 33 3b 20 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 36 70 78 20 73 6f 6c 69 64 20 23 33 34 39 38 64 62 3b 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 35 30 25 3b 20 77 69 64 74 68 3a 20 31 32 30 70 78 3b 20 68 65 69 67 68 74 3a 20 31 32 30 70 78 3b 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 73 70 69 6e 20 32 73 20 6c 69 6e 65 61 72 20 69 6e 66 69 6e 69 74 65 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 66 69 78 65 64 3b 20 74 6f 70 3a 20 34 30 25 3b 20 6c 65 66 74 3a 20 34 30 25 3b 20 7d 0a 20 20 20 20 20 20 20 20 40 6b 65 79 66 72 61 6d 65 73 20 73 70 69 6e 20 7b 20 Data Ascii: <html><head> <style> .loader { border: 16px solid #f3f3f3; border-top: 16px solid #3498db; border-radius: 50%; width: 120px; height: 120px; animation: spin 2s linear infinite; position: fixed; top: 40%; left: 40%; } @keyframes spin {

Timestamp	kBytes transferred	Direction	Data
2022-05-13 13:50:56 UTC	18	OUT	GET /axilor/Office365/microsoft-.svg HTTP/1.1 Host: ybron.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36 Accept: image/avif,image/webp,image/apng,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2022-05-13 13:50:56 UTC	20	IN	HTTP/1.1 404 Not Found Date: Fri, 13 May 2022 13:50:56 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Last-Modified: Tue, 15 Mar 2022 22:07:43 GMT Accept-Ranges: bytes Content-Length: 583 Vary: Accept-Encoding Content-Type: text/html
2022-05-13 13:50:56 UTC	20	IN	Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 2e 6c 6f 61 64 65 72 20 7b 20 62 6f 72 64 65 72 3a 20 31 36 70 78 20 73 6f 6c 69 64 20 23 66 33 66 33 66 33 3b 20 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 36 70 78 20 73 6f 6c 69 64 20 23 33 34 39 38 64 62 3b 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 35 30 25 3b 20 77 69 64 74 68 3a 20 31 32 30 70 78 3b 20 68 65 69 67 68 74 3a 20 31 32 30 70 78 3b 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 73 70 69 6e 20 32 73 20 6c 69 6e 65 61 72 20 69 6e 66 69 6e 69 74 65 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 66 69 78 65 64 3b 20 74 6f 70 3a 20 34 30 25 3b 20 6c 65 66 74 3a 20 34 30 25 3b 20 7d 0a 20 20 20 20 20 20 20 20 40 6b 65 79 66 72 61 6d 65 73 20 73 70 69 6e 20 7b 20 Data Ascii: <html><head> <style> .loader { border: 16px solid #f3f3f3; border-top: 16px solid #3498db; border-radius: 50%; width: 120px; height: 120px; animation: spin 2s linear infinite; position: fixed; top: 40%; left: 40%; } @keyframes spin {

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://drive.google.com/uc?export=download&id=1mmXl38H2-j7e7hD_UJbEMMSnMTA0BtQV

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

HTML

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Phishing

Compliance

Networking

System Summary

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdic

C:\Users\user\AppData\Local\Google\Chrome\User Data\324c20de-ba06-4ca2-be22-9e9c6f358695.tmp

C:\Users\user\AppData\Local\Google\Chrome\User Data\42dc8f85-6252-4824-a24d-e72162f24deb.tmp

C:\Users\user\AppData\Local\Google\Chrome\User Data\4f4e7672-3996-4c88-ad6f-97abaa820640.tmp

C:\Users\user\AppData\Local\Google\Chrome\User Data\5ce033d7-5d5e-462c-a7a7-1b4762b67bb7.tmp

C:\Users\user\AppData\Local\Google\Chrome\User Data\678beecf-c275-4515-9948-6f1787f71987.tmp

C:\Users\user\AppData\Local\Google\Chrome\User Data\997c4d19-9b0a-44fb-830f-558b10db8aad.tmp

C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\000001.dbtmp

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\000002.dbtmp

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\18b7df34-1bfd-48f7-a468-50ddf6215de4.tmp

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\1a9b3cff-5b80-4b99-8985-64189d4f6431.tmp

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\40b45761-9b26-44ab-bf02-3b122b02e091.tmp

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\46e9f624-000f-4108-9e9e-be6608b2921d.tmp

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\5de200f8-a547-4bbe-9868-c3cd8c6b4dfd.tmp

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\CURRENT (copy)

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_metadata\computed_hashes.json

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB\000003.log

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB\LOG

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB\LOG.old (copy)

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Provider Cache

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\MANIFEST-000001

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network Persistent State (copy)

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences (copy)

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences (copy)

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\GPUCache\data_1

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Network Persistent State (copy)

Windows Analysis Report
https://drive.google.com/uc?export=download&id=1mmXl38H2-j7e7hD_UJbEMMSnMTA0BtQV

Timestamp	kBytes transferred	Direction	Data
2022-05-13 13:50:56 UTC	18	OUT	GET /axilor/Office365/bg.jpg HTTP/1.1 Host: ybron.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36 Accept: image/avif,image/webp,image/apng,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2022-05-13 13:50:56 UTC	20	IN	HTTP/1.1 404 Not Found Date: Fri, 13 May 2022 13:50:56 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Last-Modified: Tue, 15 Mar 2022 22:07:43 GMT Accept-Ranges: bytes Content-Length: 583 Vary: Accept-Encoding Content-Type: text/html
2022-05-13 13:50:56 UTC	21	IN	Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 2e 6c 6f 61 64 65 72 20 7b 20 62 6f 72 64 65 72 3a 20 31 36 70 78 20 73 6f 6c 69 64 20 23 66 33 66 33 66 33 3b 20 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 36 70 78 20 73 6f 6c 69 64 20 23 33 34 39 38 64 62 3b 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 35 30 25 3b 20 77 69 64 74 68 3a 20 31 32 30 70 78 3b 20 68 65 69 67 68 74 3a 20 31 32 30 70 78 3b 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 73 70 69 6e 20 32 73 20 6c 69 6e 65 61 72 20 69 6e 66 69 6e 69 74 65 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 66 69 78 65 64 3b 20 74 6f 70 3a 20 34 30 25 3b 20 6c 65 66 74 3a 20 34 30 25 3b 20 7d 0a 20 20 20 20 20 20 20 20 40 6b 65 79 66 72 61 6d 65 73 20 73 70 69 6e 20 7b 20 Data Ascii: <html><head> <style> .loader { border: 16px solid #f3f3f3; border-top: 16px solid #3498db; border-radius: 50%; width: 120px; height: 120px; animation: spin 2s linear infinite; position: fixed; top: 40%; left: 40%; } @keyframes spin {

Timestamp	kBytes transferred	Direction	Data
2022-05-13 13:50:59 UTC	21	OUT	GET /axilor/Office365/bg.jpg HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36 Host: ybron.com
2022-05-13 13:50:59 UTC	22	IN	HTTP/1.1 404 Not Found Date: Fri, 13 May 2022 13:50:59 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Last-Modified: Tue, 15 Mar 2022 22:07:43 GMT Accept-Ranges: bytes Content-Length: 583 Vary: Accept-Encoding Content-Type: text/html
2022-05-13 13:50:59 UTC	22	IN	Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 2e 6c 6f 61 64 65 72 20 7b 20 62 6f 72 64 65 72 3a 20 31 36 70 78 20 73 6f 6c 69 64 20 23 66 33 66 33 66 33 3b 20 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 36 70 78 20 73 6f 6c 69 64 20 23 33 34 39 38 64 62 3b 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 35 30 25 3b 20 77 69 64 74 68 3a 20 31 32 30 70 78 3b 20 68 65 69 67 68 74 3a 20 31 32 30 70 78 3b 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 73 70 69 6e 20 32 73 20 6c 69 6e 65 61 72 20 69 6e 66 69 6e 69 74 65 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 66 69 78 65 64 3b 20 74 6f 70 3a 20 34 30 25 3b 20 6c 65 66 74 3a 20 34 30 25 3b 20 7d 0a 20 20 20 20 20 20 20 20 40 6b 65 79 66 72 61 6d 65 73 20 73 70 69 6e 20 7b 20 Data Ascii: <html><head> <style> .loader { border: 16px solid #f3f3f3; border-top: 16px solid #3498db; border-radius: 50%; width: 120px; height: 120px; animation: spin 2s linear infinite; position: fixed; top: 40%; left: 40%; } @keyframes spin {

Target ID:	0
Start time:	15:50:34
Start date:	13/05/2022
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --enable-automation "https://drive.google.com/uc?export=download&id=1mmXl38H2-j7e7hD_UJbEMMSnMTA0BtQV
Imagebase:	0x7ff7f6290000
File size:	2150896 bytes
MD5 hash:	C139654B5C1438A95B321BB01AD63EF6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Target ID:	1
Start time:	15:50:36
Start date:	13/05/2022
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1596,13766732960856306384,14944723332545166900,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1936 /prefetch:8
Imagebase:	0x7ff7f6290000
File size:	2150896 bytes
MD5 hash:	C139654B5C1438A95B321BB01AD63EF6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Target ID:	4
Start time:	15:50:43
Start date:	13/05/2022
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1596,13766732960856306384,14944723332545166900,131072 --lang=en-US --service-sandbox-type=none --enable-audio-service-sandbox --mojo-platform-channel-handle=4796 /prefetch:8
Imagebase:	0x7ff7f6290000
File size:	2150896 bytes
MD5 hash:	C139654B5C1438A95B321BB01AD63EF6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre