Network Analysis
Name | Response | Post-Analysis Lookup |
---|---|---|
edgedl.gvt1.com | 142.250.34.2 | |
paste.ee | 104.26.4.223 |
- UDP Requests
-
-
192.168.56.102:50839 164.124.101.2:53
-
192.168.56.102:54660 164.124.101.2:53
-
192.168.56.102:57660 164.124.101.2:53
-
192.168.56.102:61459 164.124.101.2:53
-
192.168.56.102:137 192.168.56.255:137
-
192.168.56.102:138 192.168.56.255:138
-
192.168.56.102:49152 239.255.255.250:3702
-
192.168.56.102:56752 239.255.255.250:1900
-
192.168.56.102:56754 239.255.255.250:3702
-
192.168.56.102:56756 239.255.255.250:3702
-
192.168.56.102:57661 239.255.255.250:3702
-
GET
200
https://paste.ee/r/oSlYJ
REQUEST
RESPONSE
BODY
GET /r/oSlYJ HTTP/1.1
Host: paste.ee
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 22 Apr 2021 08:19:59 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d9e936a80cc8b667e68f508406a3bc6ee1619079599; expires=Sat, 22-May-21 08:19:59 GMT; path=/; domain=.paste.ee; HttpOnly; SameSite=Lax
Cache-Control: max-age=2592000
Strict-Transport-Security: max-age=63072000
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://www.google.com https://www.gstatic.com https://analytics.paste.ee; img-src 'self' https://secure.gravatar.com https://analytics.paste.ee data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; frame-src https://www.google.com; object-src 'none'
CF-Cache-Status: HIT
Age: 30982
cf-request-id: 099a432f580000d32eef1ce000000001
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=iriLzb5KWfU0SS7VvmE50z9UGSQTQTmaf5bU7aXwcu%2Fgz1jYrMUlw3s2VyNvGKjt%2Fjq2UytPgoM6iqWyV3Q5ZI46dYqFWmbk0Q%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 643d6e2bcabdd32e-LAX
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
GET
200
https://paste.ee/r/p7EHC
REQUEST
RESPONSE
BODY
GET /r/p7EHC HTTP/1.1
Host: paste.ee
HTTP/1.1 200 OK
Date: Thu, 22 Apr 2021 08:20:01 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=df4394dfaee39508e62c75dd8ef97c8e61619079601; expires=Sat, 22-May-21 08:20:01 GMT; path=/; domain=.paste.ee; HttpOnly; SameSite=Lax
Cache-Control: max-age=2592000
Strict-Transport-Security: max-age=63072000
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://www.google.com https://www.gstatic.com https://analytics.paste.ee; img-src 'self' https://secure.gravatar.com https://analytics.paste.ee data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; frame-src https://www.google.com; object-src 'none'
CF-Cache-Status: HIT
Age: 30982
cf-request-id: 099a43352a0000d32ebb16d000000001
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=Vd7rU30mbpfky36y%2FplwoUJCRcZ1Uoh7yXqRN3EVBicr7hQnZR6h9w9K83Txwxwat3GfkRc0jkt514C5PeljvMSNKXX6mncX3g%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 643d6e351914d32e-LAX
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
GET
204
https://clients2.google.com/service/check2?crx3=true&appid=%7B430FD4D0-B729-4F61-AA34-91526481799D%7D&appversion=1.3.36.32&applang=&machine=1&version=1.3.36.32&userid=&osversion=6.1&servicepack=Service%20Pack%201
REQUEST
RESPONSE
BODY
GET /service/check2?crx3=true&appid=%7B430FD4D0-B729-4F61-AA34-91526481799D%7D&appversion=1.3.36.32&applang=&machine=1&version=1.3.36.32&userid=&osversion=6.1&servicepack=Service%20Pack%201 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Google Update/1.3.36.32;winhttp
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: clients2.google.com
HTTP/1.1 204 No Content
Date: Thu, 22 Apr 2021 08:21:23 GMT
Server: GSE
Alt-Svc: h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
POST
200
https://update.googleapis.com/service/update2?cup2key=10:2713802909&cup2hreq=8cab5512950206d82ca4581cc9d1ccfba8c54dfd64bf2baf0aa7e90da4734256
REQUEST
RESPONSE
BODY
POST /service/update2?cup2key=10:2713802909&cup2hreq=8cab5512950206d82ca4581cc9d1ccfba8c54dfd64bf2baf0aa7e90da4734256 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Google Update/1.3.36.32;winhttp;cup-ecdsa
X-Old-UID: cnt=0
X-Goog-Update-AppId: {430FD4D0-B729-4F61-AA34-91526481799D},{8A69D345-D564-463C-AFF1-A69D9E530F96}
X-Goog-Update-Updater: Omaha-1.3.36.32
X-Goog-Update-Interactivity: bg
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Content-Length: 1202
Host: update.googleapis.com
HTTP/1.1 200 OK
Content-Security-Policy: script-src 'report-sample' 'nonce-hXFMSqi/jmcKiTjUoyKd4A' 'unsafe-inline' 'strict-dynamic' https: http:;object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/clientupdate-aus/1
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Thu, 22 Apr 2021 08:21:27 GMT
X-Cup-Server-Proof: 3045022100d3d6d7461ac242465a07b3e0cf676b526c087876e72f2e9ecb1c48171fadcf24022068cd5c618ae14d7f634e45db7dc74e88cc79695228aeb89c414c7b8c8ff7a5e1:8cab5512950206d82ca4581cc9d1ccfba8c54dfd64bf2baf0aa7e90da4734256
Content-Type: text/xml; charset=UTF-8
X-Daynum: 5225
X-Daystart: 4887
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Alt-Svc: h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked
HEAD
200
http://edgedl.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
REQUEST
RESPONSE
BODY
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: edgedl.gvt1.com
HTTP/1.1 200 OK
accept-ranges: bytes
content-disposition: attachment
content-length: 1310832
content-security-policy: default-src 'none'
content-type: application/octet-stream
etag: "9f6104"
last-modified: Tue, 13 Apr 2021 03:03:58 GMT
server: Google-Edge-Cache
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 0
date: Thu, 22 Apr 2021 08:17:31 GMT
age: 239
cache-control: public,max-age=3600
GET
206
http://edgedl.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
REQUEST
RESPONSE
BODY
GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT
Range: bytes=0-4915
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: edgedl.gvt1.com
HTTP/1.1 206 Partial Content
accept-ranges: bytes
content-disposition: attachment
content-length: 4916
content-security-policy: default-src 'none'
content-type: application/octet-stream
etag: "9f6104"
last-modified: Tue, 13 Apr 2021 03:03:58 GMT
server: Google-Edge-Cache
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 0
date: Thu, 22 Apr 2021 08:17:31 GMT
age: 258
content-range: bytes 0-4915/1310832
cache-control: public,max-age=3600
GET
206
http://edgedl.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
REQUEST
RESPONSE
BODY
GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT
Range: bytes=4916-13188
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: edgedl.gvt1.com
HTTP/1.1 206 Partial Content
accept-ranges: bytes
content-disposition: attachment
content-length: 8273
content-security-policy: default-src 'none'
content-type: application/octet-stream
etag: "9f6104"
last-modified: Tue, 13 Apr 2021 03:03:58 GMT
server: Google-Edge-Cache
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 0
date: Thu, 22 Apr 2021 08:21:20 GMT
age: 34
content-range: bytes 4916-13188/1310832
cache-control: public,max-age=3600
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.102:49810 -> 104.26.5.223:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.102:49814 -> 142.250.204.110:443 | 906200022 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 142.250.34.2:80 -> 192.168.56.102:49816 | 2018959 | ET POLICY PE EXE or DLL Windows file download HTTP | Potential Corporate Privacy Violation |
TCP 142.250.34.2:80 -> 192.168.56.102:49816 | 2014520 | ET INFO EXE - Served Attached HTTP | Misc activity |
TCP 192.168.56.102:49815 -> 172.217.161.131:443 | 906200022 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.102:49810 104.26.5.223:443 |
C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3 | C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | e8:17:95:f3:a8:85:c4:14:59:ce:21:47:7d:34:50:64:8f:1c:2b:7f |
TLS 1.2 192.168.56.102:49814 142.250.204.110:443 |
C=US, O=Google Trust Services, CN=GTS CA 1O1 | C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.google.com | 2f:5c:43:f2:d2:53:75:f8:0a:ac:79:a2:90:87:26:97:e9:8a:c9:0a |
TLS 1.2 192.168.56.102:49815 172.217.161.131:443 |
C=US, O=Google Trust Services, CN=GTS CA 1O1 | C=US, ST=California, L=Mountain View, O=Google LLC, CN=upload.video.google.com | c2:b5:f0:1b:46:55:3f:d3:65:b2:1d:5c:cc:56:a7:41:ac:9c:7a:22 |
Snort Alerts
No Snort Alerts