Edit tour

Windows Analysis Report
http://apieventemitter.com

Overview

General Information

Sample URL:	http://apieventemitter.com
Analysis ID:	1448094
Infos:

Detection

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Detected non-DNS traffic on DNS port

Classification

Process Tree

System is w10x64

chrome.exe (PID: 6256 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 3804 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 --field-trial-handle=1996,i,3111181720416828592,5805943876345877851,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 5720 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://apieventemitter.com" MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

ET CURRENT_EVENTS TA569 Keitaro TDS Domain in TLS SNI (apieventemitter .com) - Source IP: 192.168.2.7 - Destination IP: 158.160.167.238

Timestamp:	05/27/24-19:21:57.110718
SID:	2052019
Source Port:	49710
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET CURRENT_EVENTS TA569 Keitaro TDS Domain in TLS SNI (apieventemitter .com) - Source IP: 192.168.2.7 - Destination IP: 158.160.167.238

Timestamp:	05/27/24-19:21:55.415915
SID:	2052019
Source Port:	49709
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET CURRENT_EVENTS TA569 Keitaro TDS Domain in DNS Lookup (apieventemitter .com) - Source IP: 192.168.2.7 - Destination IP: 1.1.1.1

Timestamp:	05/27/24-19:21:55.097157
SID:	2052018
Source Port:	58256
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET CURRENT_EVENTS TA569 Keitaro TDS Domain in DNS Lookup (apieventemitter .com) - Source IP: 192.168.2.7 - Destination IP: 1.1.1.1

Timestamp:	05/27/24-19:21:54.231038
SID:	2052018
Source Port:	50973
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET CURRENT_EVENTS TA569 Keitaro TDS Domain in DNS Lookup (apieventemitter .com) - Source IP: 192.168.2.7 - Destination IP: 1.1.1.1

Timestamp:	05/27/24-19:21:55.096790
SID:	2052018
Source Port:	56235
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET CURRENT_EVENTS TA569 Keitaro TDS Domain in DNS Lookup (apieventemitter .com) - Source IP: 192.168.2.7 - Destination IP: 1.1.1.1

Timestamp:	05/27/24-19:21:54.230911
SID:	2052018
Source Port:	59697
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: http://apieventemitter.com

Avira URL Cloud: detection malicious, Label: malware

Antivirus detection for URL or domain

Source: https://apieventemitter.com/favicon.ico	Avira URL Cloud: Label: malware
Source: http://apieventemitter.com/	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: http://apieventemitter.com

Virustotal: Detection: 18%

Perma Link

Source: https://apieventemitter.com/

HTTP Parser: No favicon

Source: unknown	HTTPS traffic detected: 2.18.97.153:443 -> 192.168.2.7:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.18.97.153:443 -> 192.168.2.7:56173 version: TLS 1.2

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2052018 ET CURRENT_EVENTS TA569 Keitaro TDS Domain in DNS Lookup (apieventemitter .com) 192.168.2.7:59697 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2052018 ET CURRENT_EVENTS TA569 Keitaro TDS Domain in DNS Lookup (apieventemitter .com) 192.168.2.7:50973 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2052018 ET CURRENT_EVENTS TA569 Keitaro TDS Domain in DNS Lookup (apieventemitter .com) 192.168.2.7:56235 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2052018 ET CURRENT_EVENTS TA569 Keitaro TDS Domain in DNS Lookup (apieventemitter .com) 192.168.2.7:58256 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2052019 ET CURRENT_EVENTS TA569 Keitaro TDS Domain in TLS SNI (apieventemitter .com) 192.168.2.7:49709 -> 158.160.167.238:443
Source: Traffic	Snort IDS: 2052019 ET CURRENT_EVENTS TA569 Keitaro TDS Domain in TLS SNI (apieventemitter .com) 192.168.2.7:49710 -> 158.160.167.238:443

Source: global traffic	TCP traffic: 192.168.2.7:56171 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.7:51452 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.7:54588 -> 1.1.1.1:53

Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 2.18.97.153
Source: unknown	TCP traffic detected without corresponding DNS query: 2.18.97.153
Source: unknown	TCP traffic detected without corresponding DNS query: 2.18.97.153
Source: unknown	TCP traffic detected without corresponding DNS query: 2.18.97.153
Source: unknown	TCP traffic detected without corresponding DNS query: 2.18.97.153
Source: unknown	TCP traffic detected without corresponding DNS query: 2.18.97.153
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 2.18.97.153
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 2.18.97.153
Source: unknown	TCP traffic detected without corresponding DNS query: 2.18.97.153
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 2.18.97.153
Source: unknown	TCP traffic detected without corresponding DNS query: 2.18.97.153
Source: unknown	TCP traffic detected without corresponding DNS query: 2.18.97.153
Source: unknown	TCP traffic detected without corresponding DNS query: 2.18.97.153
Source: unknown	TCP traffic detected without corresponding DNS query: 2.18.97.153
Source: unknown	TCP traffic detected without corresponding DNS query: 2.18.97.153
Source: unknown	TCP traffic detected without corresponding DNS query: 2.18.97.153
Source: unknown	TCP traffic detected without corresponding DNS query: 2.18.97.153
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: apieventemitter.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: apieventemitter.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://apieventemitter.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: apieventemitter.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9

Source: global traffic	DNS traffic detected: DNS query: apieventemitter.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: time.windows.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 27 May 2024 17:21:56 GMTContent-Type: text/html; charset=utf-8Content-Length: 147Connection: closeCache-Control: no-cache, no-store, must-revalidateExpires: Mon, 27 May 2024 17:21:56 GMTVary: Accept-Encoding
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 27 May 2024 17:21:58 GMTContent-Type: text/htmlContent-Length: 548Connection: close

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51458
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51458 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56173 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56173
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708

Source: unknown	HTTPS traffic detected: 2.18.97.153:443 -> 192.168.2.7:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.18.97.153:443 -> 192.168.2.7:56173 version: TLS 1.2

Source: classification engine

Classification label: mal72.win@22/2@7/4

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 --field-trial-handle=1996,i,3111181720416828592,5805943876345877851,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://apieventemitter.com"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 --field-trial-handle=1996,i,3111181720416828592,5805943876345877851,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	1 Process Injection	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	3 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	3 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
http://apieventemitter.com	100%	Avira URL Cloud	malware
http://apieventemitter.com	19%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://apieventemitter.com/favicon.ico	100%	Avira URL Cloud	malware
http://apieventemitter.com/	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.google.com	142.250.185.164	true	false	unknown
apieventemitter.com	158.160.167.238	true	true	unknown
time.windows.com	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://apieventemitter.com/	false		unknown
https://apieventemitter.com/favicon.ico	true	Avira URL Cloud: malware	unknown
http://apieventemitter.com/	true	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.185.164	www.google.com	United States	15169	GOOGLEUS	false
158.160.167.238	apieventemitter.com	Venezuela	721	DNIC-ASBLK-00721-00726US	true

Private

IP
192.168.2.7

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1448094
Start date and time:	2024-05-27 19:21:00 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	http://apieventemitter.com
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal72.win@22/2@7/4
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.185.163, 142.250.185.142, 74.125.206.84, 34.104.35.123, 40.119.148.38, 13.85.23.86, 93.184.221.240, 20.3.187.198, 20.166.126.56, 20.114.59.183, 142.250.186.131, 52.165.165.26
Excluded domains from analysis (whitelisted): fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, twc.trafficmanager.net, wu.ec.azureedge.net, clientservices.googleapis.com, ctldl.windowsupdate.com, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, clients2.google.com, edgedl.me.gvt1.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, hlb.apr-52dd2-0.edgecastdns.net, update.googleapis.com, clients.l.google.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

Chrome Cache Entry: 108

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	downloaded
Size (bytes):	548
Entropy (8bit):	4.688532577858027
Encrypted:	false
SSDEEP:	12:TjeRHVIdtklI5r8INGlTF5TF5TF5TF5TF5TFK:neRH68DTPTPTPTPTPTc
MD5:	370E16C3B7DBA286CFF055F93B9A94D8
SHA1:	65F3537C3C798F7DA146C55AEF536F7B5D0CB943
SHA-256:	D465172175D35D493FB1633E237700022BD849FA123164790B168B8318ACB090
SHA-512:	75CD6A0AC7D6081D35140ABBEA018D1A2608DD936E2E21F61BF69E063F6FA16DD31C62392F5703D7A7C828EE3D4ECC838E73BFF029A98CED8986ACB5C8364966
Malicious:	false
Reputation:	low
URL:	https://apieventemitter.com/favicon.ico
Preview:	<html>..<head><title>404 Not Found</title></head>..<body>..<center><h1>404 Not Found</h1></center>..<hr><center>nginx</center>..</body>..</html>.. a padding to disable MSIE and Chrome friendly error page -->.. a padding to disable MSIE and Chrome friendly error page -->.. a padding to disable MSIE and Chrome friendly error page -->.. a padding to disable MSIE and Chrome friendly error page -->.. a padding to disable MSIE and Chrome friendly error page -->.. a padding to disable MSIE and Chrome friendly error page -->..

Static File Info

⊘No static file info

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
05/27/24-19:21:57.110718	TCP	2052019	ET CURRENT_EVENTS TA569 Keitaro TDS Domain in TLS SNI (apieventemitter .com)	49710	443	192.168.2.7	158.160.167.238
05/27/24-19:21:55.415915	TCP	2052019	ET CURRENT_EVENTS TA569 Keitaro TDS Domain in TLS SNI (apieventemitter .com)	49709	443	192.168.2.7	158.160.167.238
05/27/24-19:21:55.097157	UDP	2052018	ET CURRENT_EVENTS TA569 Keitaro TDS Domain in DNS Lookup (apieventemitter .com)	58256	53	192.168.2.7	1.1.1.1
05/27/24-19:21:54.231038	UDP	2052018	ET CURRENT_EVENTS TA569 Keitaro TDS Domain in DNS Lookup (apieventemitter .com)	50973	53	192.168.2.7	1.1.1.1
05/27/24-19:21:55.096790	UDP	2052018	ET CURRENT_EVENTS TA569 Keitaro TDS Domain in DNS Lookup (apieventemitter .com)	56235	53	192.168.2.7	1.1.1.1
05/27/24-19:21:54.230911	UDP	2052018	ET CURRENT_EVENTS TA569 Keitaro TDS Domain in DNS Lookup (apieventemitter .com)	59697	53	192.168.2.7	1.1.1.1

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 27, 2024 19:21:47.214354992 CEST	49674	443	192.168.2.7	104.98.116.138
May 27, 2024 19:21:47.214395046 CEST	49675	443	192.168.2.7	104.98.116.138
May 27, 2024 19:21:47.398883104 CEST	49672	443	192.168.2.7	104.98.116.138
May 27, 2024 19:21:47.680448055 CEST	49671	443	192.168.2.7	204.79.197.203
May 27, 2024 19:21:47.992675066 CEST	49671	443	192.168.2.7	204.79.197.203
May 27, 2024 19:21:48.602125883 CEST	49671	443	192.168.2.7	204.79.197.203
May 27, 2024 19:21:49.805192947 CEST	49671	443	192.168.2.7	204.79.197.203
May 27, 2024 19:21:52.248466969 CEST	49671	443	192.168.2.7	204.79.197.203
May 27, 2024 19:21:54.354195118 CEST	49704	80	192.168.2.7	158.160.167.238
May 27, 2024 19:21:54.354784012 CEST	49705	80	192.168.2.7	158.160.167.238
May 27, 2024 19:21:54.359265089 CEST	80	49704	158.160.167.238	192.168.2.7
May 27, 2024 19:21:54.359632015 CEST	49704	80	192.168.2.7	158.160.167.238
May 27, 2024 19:21:54.359673023 CEST	80	49705	158.160.167.238	192.168.2.7
May 27, 2024 19:21:54.359726906 CEST	49705	80	192.168.2.7	158.160.167.238
May 27, 2024 19:21:54.359807014 CEST	49704	80	192.168.2.7	158.160.167.238
May 27, 2024 19:21:54.365078926 CEST	80	49704	158.160.167.238	192.168.2.7
May 27, 2024 19:21:54.923475981 CEST	49708	443	192.168.2.7	142.250.185.164
May 27, 2024 19:21:54.923515081 CEST	443	49708	142.250.185.164	192.168.2.7
May 27, 2024 19:21:54.923568010 CEST	49708	443	192.168.2.7	142.250.185.164
May 27, 2024 19:21:54.924030066 CEST	49708	443	192.168.2.7	142.250.185.164
May 27, 2024 19:21:54.924046993 CEST	443	49708	142.250.185.164	192.168.2.7
May 27, 2024 19:21:55.090338945 CEST	80	49704	158.160.167.238	192.168.2.7
May 27, 2024 19:21:55.090363026 CEST	80	49704	158.160.167.238	192.168.2.7
May 27, 2024 19:21:55.090423107 CEST	49704	80	192.168.2.7	158.160.167.238
May 27, 2024 19:21:55.094044924 CEST	49704	80	192.168.2.7	158.160.167.238
May 27, 2024 19:21:55.102741957 CEST	80	49704	158.160.167.238	192.168.2.7
May 27, 2024 19:21:55.415426016 CEST	49709	443	192.168.2.7	158.160.167.238
May 27, 2024 19:21:55.415493011 CEST	443	49709	158.160.167.238	192.168.2.7
May 27, 2024 19:21:55.415575027 CEST	49709	443	192.168.2.7	158.160.167.238
May 27, 2024 19:21:55.415915012 CEST	49709	443	192.168.2.7	158.160.167.238
May 27, 2024 19:21:55.415940046 CEST	443	49709	158.160.167.238	192.168.2.7
May 27, 2024 19:21:55.586112022 CEST	443	49708	142.250.185.164	192.168.2.7
May 27, 2024 19:21:55.586637020 CEST	49708	443	192.168.2.7	142.250.185.164
May 27, 2024 19:21:55.586657047 CEST	443	49708	142.250.185.164	192.168.2.7
May 27, 2024 19:21:55.588232994 CEST	443	49708	142.250.185.164	192.168.2.7
May 27, 2024 19:21:55.588306904 CEST	49708	443	192.168.2.7	142.250.185.164
May 27, 2024 19:21:55.591845036 CEST	49708	443	192.168.2.7	142.250.185.164
May 27, 2024 19:21:55.591938019 CEST	443	49708	142.250.185.164	192.168.2.7
May 27, 2024 19:21:55.633033037 CEST	49708	443	192.168.2.7	142.250.185.164
May 27, 2024 19:21:55.633047104 CEST	443	49708	142.250.185.164	192.168.2.7
May 27, 2024 19:21:55.681101084 CEST	49708	443	192.168.2.7	142.250.185.164
May 27, 2024 19:21:56.228940010 CEST	49677	443	192.168.2.7	20.50.201.200
May 27, 2024 19:21:56.414904118 CEST	443	49709	158.160.167.238	192.168.2.7
May 27, 2024 19:21:56.436515093 CEST	49709	443	192.168.2.7	158.160.167.238
May 27, 2024 19:21:56.436530113 CEST	443	49709	158.160.167.238	192.168.2.7
May 27, 2024 19:21:56.440382004 CEST	443	49709	158.160.167.238	192.168.2.7
May 27, 2024 19:21:56.440465927 CEST	49709	443	192.168.2.7	158.160.167.238
May 27, 2024 19:21:56.607661009 CEST	49677	443	192.168.2.7	20.50.201.200
May 27, 2024 19:21:56.646847010 CEST	49709	443	192.168.2.7	158.160.167.238
May 27, 2024 19:21:56.647054911 CEST	443	49709	158.160.167.238	192.168.2.7
May 27, 2024 19:21:56.647775888 CEST	49709	443	192.168.2.7	158.160.167.238
May 27, 2024 19:21:56.647788048 CEST	443	49709	158.160.167.238	192.168.2.7
May 27, 2024 19:21:56.689541101 CEST	49709	443	192.168.2.7	158.160.167.238
May 27, 2024 19:21:56.820112944 CEST	49674	443	192.168.2.7	104.98.116.138
May 27, 2024 19:21:56.820405006 CEST	49675	443	192.168.2.7	104.98.116.138
May 27, 2024 19:21:56.895750046 CEST	443	49709	158.160.167.238	192.168.2.7
May 27, 2024 19:21:56.895947933 CEST	443	49709	158.160.167.238	192.168.2.7
May 27, 2024 19:21:56.896141052 CEST	49709	443	192.168.2.7	158.160.167.238
May 27, 2024 19:21:56.904851913 CEST	49709	443	192.168.2.7	158.160.167.238
May 27, 2024 19:21:56.904872894 CEST	443	49709	158.160.167.238	192.168.2.7
May 27, 2024 19:21:57.007649899 CEST	49672	443	192.168.2.7	104.98.116.138
May 27, 2024 19:21:57.058816910 CEST	49671	443	192.168.2.7	204.79.197.203
May 27, 2024 19:21:57.108215094 CEST	49710	443	192.168.2.7	158.160.167.238
May 27, 2024 19:21:57.108253002 CEST	443	49710	158.160.167.238	192.168.2.7
May 27, 2024 19:21:57.110292912 CEST	49710	443	192.168.2.7	158.160.167.238
May 27, 2024 19:21:57.110718012 CEST	49710	443	192.168.2.7	158.160.167.238
May 27, 2024 19:21:57.110733032 CEST	443	49710	158.160.167.238	192.168.2.7
May 27, 2024 19:21:57.366767883 CEST	49677	443	192.168.2.7	20.50.201.200
May 27, 2024 19:21:57.657371044 CEST	49711	443	192.168.2.7	2.18.97.153
May 27, 2024 19:21:57.657413006 CEST	443	49711	2.18.97.153	192.168.2.7
May 27, 2024 19:21:57.657557964 CEST	49711	443	192.168.2.7	2.18.97.153
May 27, 2024 19:21:57.661029100 CEST	49711	443	192.168.2.7	2.18.97.153
May 27, 2024 19:21:57.661062002 CEST	443	49711	2.18.97.153	192.168.2.7
May 27, 2024 19:21:57.850642920 CEST	443	49710	158.160.167.238	192.168.2.7
May 27, 2024 19:21:57.851119041 CEST	49710	443	192.168.2.7	158.160.167.238
May 27, 2024 19:21:57.851131916 CEST	443	49710	158.160.167.238	192.168.2.7
May 27, 2024 19:21:57.851484060 CEST	443	49710	158.160.167.238	192.168.2.7
May 27, 2024 19:21:57.852076054 CEST	49710	443	192.168.2.7	158.160.167.238
May 27, 2024 19:21:57.852076054 CEST	49710	443	192.168.2.7	158.160.167.238
May 27, 2024 19:21:57.852091074 CEST	443	49710	158.160.167.238	192.168.2.7
May 27, 2024 19:21:57.852137089 CEST	443	49710	158.160.167.238	192.168.2.7
May 27, 2024 19:21:57.899302959 CEST	49710	443	192.168.2.7	158.160.167.238
May 27, 2024 19:21:58.257874966 CEST	443	49710	158.160.167.238	192.168.2.7
May 27, 2024 19:21:58.257976055 CEST	443	49710	158.160.167.238	192.168.2.7
May 27, 2024 19:21:58.258027077 CEST	49710	443	192.168.2.7	158.160.167.238
May 27, 2024 19:21:58.290513992 CEST	49710	443	192.168.2.7	158.160.167.238
May 27, 2024 19:21:58.290529013 CEST	443	49710	158.160.167.238	192.168.2.7
May 27, 2024 19:21:58.320399046 CEST	443	49711	2.18.97.153	192.168.2.7
May 27, 2024 19:21:58.320470095 CEST	49711	443	192.168.2.7	2.18.97.153
May 27, 2024 19:21:58.342149019 CEST	49711	443	192.168.2.7	2.18.97.153
May 27, 2024 19:21:58.342165947 CEST	443	49711	2.18.97.153	192.168.2.7
May 27, 2024 19:21:58.343127966 CEST	443	49711	2.18.97.153	192.168.2.7
May 27, 2024 19:21:58.383457899 CEST	49711	443	192.168.2.7	2.18.97.153
May 27, 2024 19:21:58.636873960 CEST	443	49698	104.98.116.138	192.168.2.7
May 27, 2024 19:21:58.637306929 CEST	49698	443	192.168.2.7	104.98.116.138
May 27, 2024 19:21:58.713053942 CEST	49711	443	192.168.2.7	2.18.97.153
May 27, 2024 19:21:58.754503012 CEST	443	49711	2.18.97.153	192.168.2.7
May 27, 2024 19:21:58.798002005 CEST	56171	53	192.168.2.7	1.1.1.1
May 27, 2024 19:21:58.803057909 CEST	53	56171	1.1.1.1	192.168.2.7
May 27, 2024 19:21:58.803141117 CEST	56171	53	192.168.2.7	1.1.1.1
May 27, 2024 19:21:58.816965103 CEST	56171	53	192.168.2.7	1.1.1.1
May 27, 2024 19:21:58.823851109 CEST	53	56171	1.1.1.1	192.168.2.7
May 27, 2024 19:21:58.867842913 CEST	49677	443	192.168.2.7	20.50.201.200
May 27, 2024 19:21:58.901767015 CEST	443	49711	2.18.97.153	192.168.2.7
May 27, 2024 19:21:58.901855946 CEST	443	49711	2.18.97.153	192.168.2.7
May 27, 2024 19:21:58.902132988 CEST	49711	443	192.168.2.7	2.18.97.153
May 27, 2024 19:21:59.110964060 CEST	49711	443	192.168.2.7	2.18.97.153
May 27, 2024 19:21:59.110987902 CEST	443	49711	2.18.97.153	192.168.2.7
May 27, 2024 19:21:59.283654928 CEST	53	56171	1.1.1.1	192.168.2.7
May 27, 2024 19:21:59.336612940 CEST	56171	53	192.168.2.7	1.1.1.1
May 27, 2024 19:21:59.481421947 CEST	56171	53	192.168.2.7	1.1.1.1
May 27, 2024 19:21:59.489104033 CEST	53	56171	1.1.1.1	192.168.2.7
May 27, 2024 19:21:59.489200115 CEST	56171	53	192.168.2.7	1.1.1.1
May 27, 2024 19:21:59.531060934 CEST	56173	443	192.168.2.7	2.18.97.153
May 27, 2024 19:21:59.531116009 CEST	443	56173	2.18.97.153	192.168.2.7
May 27, 2024 19:21:59.531202078 CEST	56173	443	192.168.2.7	2.18.97.153
May 27, 2024 19:21:59.532042980 CEST	56173	443	192.168.2.7	2.18.97.153
May 27, 2024 19:21:59.532059908 CEST	443	56173	2.18.97.153	192.168.2.7
May 27, 2024 19:22:00.219660044 CEST	443	56173	2.18.97.153	192.168.2.7
May 27, 2024 19:22:00.219734907 CEST	56173	443	192.168.2.7	2.18.97.153
May 27, 2024 19:22:00.224082947 CEST	56173	443	192.168.2.7	2.18.97.153
May 27, 2024 19:22:00.224103928 CEST	443	56173	2.18.97.153	192.168.2.7
May 27, 2024 19:22:00.224425077 CEST	443	56173	2.18.97.153	192.168.2.7
May 27, 2024 19:22:00.228972912 CEST	56173	443	192.168.2.7	2.18.97.153
May 27, 2024 19:22:00.274502039 CEST	443	56173	2.18.97.153	192.168.2.7
May 27, 2024 19:22:00.520102978 CEST	443	56173	2.18.97.153	192.168.2.7
May 27, 2024 19:22:00.520196915 CEST	443	56173	2.18.97.153	192.168.2.7
May 27, 2024 19:22:00.520262957 CEST	56173	443	192.168.2.7	2.18.97.153
May 27, 2024 19:22:00.526463985 CEST	56173	443	192.168.2.7	2.18.97.153
May 27, 2024 19:22:00.526499033 CEST	443	56173	2.18.97.153	192.168.2.7
May 27, 2024 19:22:01.946974993 CEST	49677	443	192.168.2.7	20.50.201.200
May 27, 2024 19:22:05.483715057 CEST	443	49708	142.250.185.164	192.168.2.7
May 27, 2024 19:22:05.483869076 CEST	443	49708	142.250.185.164	192.168.2.7
May 27, 2024 19:22:05.484090090 CEST	49708	443	192.168.2.7	142.250.185.164
May 27, 2024 19:22:06.664448023 CEST	49671	443	192.168.2.7	204.79.197.203
May 27, 2024 19:22:06.952090979 CEST	49708	443	192.168.2.7	142.250.185.164
May 27, 2024 19:22:06.952121973 CEST	443	49708	142.250.185.164	192.168.2.7
May 27, 2024 19:22:07.898808002 CEST	49677	443	192.168.2.7	20.50.201.200
May 27, 2024 19:22:14.004940987 CEST	54588	53	192.168.2.7	1.1.1.1
May 27, 2024 19:22:14.009967089 CEST	53	54588	1.1.1.1	192.168.2.7
May 27, 2024 19:22:14.010063887 CEST	54588	53	192.168.2.7	1.1.1.1
May 27, 2024 19:22:14.010288954 CEST	54588	53	192.168.2.7	1.1.1.1
May 27, 2024 19:22:14.015233040 CEST	53	54588	1.1.1.1	192.168.2.7
May 27, 2024 19:22:14.462629080 CEST	53	54588	1.1.1.1	192.168.2.7
May 27, 2024 19:22:14.465787888 CEST	54588	53	192.168.2.7	1.1.1.1
May 27, 2024 19:22:14.471267939 CEST	53	54588	1.1.1.1	192.168.2.7
May 27, 2024 19:22:14.471350908 CEST	54588	53	192.168.2.7	1.1.1.1
May 27, 2024 19:22:15.536436081 CEST	51452	53	192.168.2.7	1.1.1.1
May 27, 2024 19:22:15.541445017 CEST	53	51452	1.1.1.1	192.168.2.7
May 27, 2024 19:22:15.541527033 CEST	51452	53	192.168.2.7	1.1.1.1
May 27, 2024 19:22:15.541600943 CEST	51452	53	192.168.2.7	1.1.1.1
May 27, 2024 19:22:15.546521902 CEST	53	51452	1.1.1.1	192.168.2.7
May 27, 2024 19:22:16.191521883 CEST	53	51452	1.1.1.1	192.168.2.7
May 27, 2024 19:22:16.191787958 CEST	51452	53	192.168.2.7	1.1.1.1
May 27, 2024 19:22:16.197717905 CEST	53	51452	1.1.1.1	192.168.2.7
May 27, 2024 19:22:16.197770119 CEST	51452	53	192.168.2.7	1.1.1.1
May 27, 2024 19:22:19.805418968 CEST	49677	443	192.168.2.7	20.50.201.200
May 27, 2024 19:22:24.972675085 CEST	80	49705	158.160.167.238	192.168.2.7
May 27, 2024 19:22:24.974231958 CEST	80	49705	158.160.167.238	192.168.2.7
May 27, 2024 19:22:24.974309921 CEST	49705	80	192.168.2.7	158.160.167.238
May 27, 2024 19:22:54.989370108 CEST	49705	80	192.168.2.7	158.160.167.238
May 27, 2024 19:22:54.989485025 CEST	49705	80	192.168.2.7	158.160.167.238
May 27, 2024 19:22:54.990561008 CEST	51458	443	192.168.2.7	142.250.185.164
May 27, 2024 19:22:54.990612030 CEST	443	51458	142.250.185.164	192.168.2.7
May 27, 2024 19:22:54.990668058 CEST	51458	443	192.168.2.7	142.250.185.164
May 27, 2024 19:22:54.991122961 CEST	51458	443	192.168.2.7	142.250.185.164
May 27, 2024 19:22:54.991132975 CEST	443	51458	142.250.185.164	192.168.2.7
May 27, 2024 19:22:54.994317055 CEST	80	49705	158.160.167.238	192.168.2.7
May 27, 2024 19:22:54.994385004 CEST	49705	80	192.168.2.7	158.160.167.238
May 27, 2024 19:22:55.625456095 CEST	443	51458	142.250.185.164	192.168.2.7
May 27, 2024 19:22:55.657428026 CEST	51458	443	192.168.2.7	142.250.185.164
May 27, 2024 19:22:55.657458067 CEST	443	51458	142.250.185.164	192.168.2.7
May 27, 2024 19:22:55.658159018 CEST	443	51458	142.250.185.164	192.168.2.7
May 27, 2024 19:22:55.662903070 CEST	51458	443	192.168.2.7	142.250.185.164
May 27, 2024 19:22:55.663003922 CEST	443	51458	142.250.185.164	192.168.2.7
May 27, 2024 19:22:55.712563992 CEST	51458	443	192.168.2.7	142.250.185.164
May 27, 2024 19:23:05.554598093 CEST	443	51458	142.250.185.164	192.168.2.7
May 27, 2024 19:23:05.554755926 CEST	443	51458	142.250.185.164	192.168.2.7
May 27, 2024 19:23:05.554847956 CEST	51458	443	192.168.2.7	142.250.185.164
May 27, 2024 19:23:06.531363010 CEST	51458	443	192.168.2.7	142.250.185.164
May 27, 2024 19:23:06.531402111 CEST	443	51458	142.250.185.164	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 27, 2024 19:21:52.359354019 CEST	53	65411	1.1.1.1	192.168.2.7
May 27, 2024 19:21:52.389081955 CEST	53	54633	1.1.1.1	192.168.2.7
May 27, 2024 19:21:53.398603916 CEST	53	63597	1.1.1.1	192.168.2.7
May 27, 2024 19:21:54.230911016 CEST	59697	53	192.168.2.7	1.1.1.1
May 27, 2024 19:21:54.231038094 CEST	50973	53	192.168.2.7	1.1.1.1
May 27, 2024 19:21:54.325949907 CEST	53	59697	1.1.1.1	192.168.2.7
May 27, 2024 19:21:54.915117979 CEST	56456	53	192.168.2.7	1.1.1.1
May 27, 2024 19:21:54.915167093 CEST	52338	53	192.168.2.7	1.1.1.1
May 27, 2024 19:21:54.922293901 CEST	53	52338	1.1.1.1	192.168.2.7
May 27, 2024 19:21:54.922512054 CEST	53	56456	1.1.1.1	192.168.2.7
May 27, 2024 19:21:55.022980928 CEST	53	50973	1.1.1.1	192.168.2.7
May 27, 2024 19:21:55.096790075 CEST	56235	53	192.168.2.7	1.1.1.1
May 27, 2024 19:21:55.097157001 CEST	58256	53	192.168.2.7	1.1.1.1
May 27, 2024 19:21:55.360728979 CEST	53	56235	1.1.1.1	192.168.2.7
May 27, 2024 19:21:55.462440014 CEST	53	58256	1.1.1.1	192.168.2.7
May 27, 2024 19:21:58.782066107 CEST	53	57091	1.1.1.1	192.168.2.7
May 27, 2024 19:22:01.024303913 CEST	51735	53	192.168.2.7	1.1.1.1
May 27, 2024 19:22:14.004412889 CEST	53	57693	1.1.1.1	192.168.2.7
May 27, 2024 19:22:15.535619974 CEST	53	54275	1.1.1.1	192.168.2.7
May 27, 2024 19:22:51.441715956 CEST	53	50421	1.1.1.1	192.168.2.7
May 27, 2024 19:22:56.722776890 CEST	138	138	192.168.2.7	192.168.2.255

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
May 27, 2024 19:21:55.023065090 CEST	192.168.2.7	1.1.1.1	c225	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 27, 2024 19:21:54.230911016 CEST	192.168.2.7	1.1.1.1	0x1342	Standard query (0)	apieventemitter.com	A (IP address)	IN (0x0001)	false
May 27, 2024 19:21:54.231038094 CEST	192.168.2.7	1.1.1.1	0xee77	Standard query (0)	apieventemitter.com	65	IN (0x0001)	false
May 27, 2024 19:21:54.915117979 CEST	192.168.2.7	1.1.1.1	0x6bd1	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
May 27, 2024 19:21:54.915167093 CEST	192.168.2.7	1.1.1.1	0xc69	Standard query (0)	www.google.com	65	IN (0x0001)	false
May 27, 2024 19:21:55.096790075 CEST	192.168.2.7	1.1.1.1	0x2c6d	Standard query (0)	apieventemitter.com	A (IP address)	IN (0x0001)	false
May 27, 2024 19:21:55.097157001 CEST	192.168.2.7	1.1.1.1	0x91f8	Standard query (0)	apieventemitter.com	65	IN (0x0001)	false
May 27, 2024 19:22:01.024303913 CEST	192.168.2.7	1.1.1.1	0x613a	Standard query (0)	time.windows.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 27, 2024 19:21:54.325949907 CEST	1.1.1.1	192.168.2.7	0x1342	No error (0)	apieventemitter.com		158.160.167.238	A (IP address)	IN (0x0001)	false
May 27, 2024 19:21:54.922293901 CEST	1.1.1.1	192.168.2.7	0xc69	No error (0)	www.google.com			65	IN (0x0001)	false
May 27, 2024 19:21:54.922512054 CEST	1.1.1.1	192.168.2.7	0x6bd1	No error (0)	www.google.com		142.250.185.164	A (IP address)	IN (0x0001)	false
May 27, 2024 19:21:55.360728979 CEST	1.1.1.1	192.168.2.7	0x2c6d	No error (0)	apieventemitter.com		158.160.167.238	A (IP address)	IN (0x0001)	false
May 27, 2024 19:22:01.031271935 CEST	1.1.1.1	192.168.2.7	0x613a	No error (0)	time.windows.com	twc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false

HTTP Request Dependency Graph

apieventemitter.com

https:

fs.microsoft.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49704	158.160.167.238	80	3804	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 19:21:54.359807014 CEST	434	OUT	GET / HTTP/1.1 Host: apieventemitter.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9
May 27, 2024 19:21:55.090338945 CEST	351	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Mon, 27 May 2024 17:21:54 GMT Content-Type: text/html; charset=utf-8 Content-Length: 0 Connection: close Cache-Control: no-cache, no-store, must-revalidate Expires: Mon, 27 May 2024 17:21:54 GMT Location: https://apieventemitter.com/ Vary: Accept-Encoding Access-Control-Allow-Origin: *

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49705	158.160.167.238	80	3804	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 19:22:24.972675085 CEST	212	IN	HTTP/1.0 408 Request Time-out Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 38 20 52 65 71 75 65 73 74 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 0a 59 6f 75 72 20 62 72 6f 77 73 65 72 20 64 69 64 6e 27 74 20 73 65 6e 64 20 61 20 63 6f 6d 70 6c 65 74 65 20 72 65 71 75 65 73 74 20 69 6e 20 74 69 6d 65 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>408 Request Time-out</h1>Your browser didn't send a complete request in time.</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49709	158.160.167.238	443	3804	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-27 17:21:56 UTC	662	OUT	GET / HTTP/1.1 Host: apieventemitter.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-05-27 17:21:56 UTC	273	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 27 May 2024 17:21:56 GMT Content-Type: text/html; charset=utf-8 Content-Length: 147 Connection: close Cache-Control: no-cache, no-store, must-revalidate Expires: Mon, 27 May 2024 17:21:56 GMT Vary: Accept-Encoding
2024-05-27 17:21:56 UTC	147	IN	Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 0a 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 34 2e 30 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.24.0</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49710	158.160.167.238	443	3804	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-27 17:21:57 UTC	594	OUT	GET /favicon.ico HTTP/1.1 Host: apieventemitter.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://apieventemitter.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-05-27 17:21:58 UTC	143	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 27 May 2024 17:21:58 GMT Content-Type: text/html Content-Length: 548 Connection: close
2024-05-27 17:21:58 UTC	548	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49711	2.18.97.153	443

Timestamp	Bytes transferred	Direction	Data
2024-05-27 17:21:58 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-05-27 17:21:58 UTC	467	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=168423 Date: Mon, 27 May 2024 17:21:58 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	56173	2.18.97.153	443

Timestamp	Bytes transferred	Direction	Data
2024-05-27 17:22:00 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-05-27 17:22:00 UTC	535	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Tue, 16 May 2017 22:58:00 GMT ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json X-Azure-Ref: 0WwMRYwAAAABe7whxSEuqSJRuLqzPsqCaTE9OMjFFREdFMTcxNQBjZWZjMjU4My1hOWIyLTQ0YTctOTc1NS1iNzZkMTdlMDVmN2Y= Cache-Control: public, max-age=168465 Date: Mon, 27 May 2024 17:22:00 GMT Content-Length: 55 Connection: close X-CID: 2
2024-05-27 17:22:00 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: chrome.exePID: 6256, Parent PID: 4932

General

Target ID:	0
Start time:	13:21:47
Start date:	27/05/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Imagebase:	0x7ff6c4390000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 3804, Parent PID: 6256

General

Target ID:	1
Start time:	13:21:49
Start date:	27/05/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 --field-trial-handle=1996,i,3111181720416828592,5805943876345877851,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff6c4390000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 5720, Parent PID: 4932

General

Target ID:	3
Start time:	13:21:53
Start date:	27/05/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "http://apieventemitter.com"
Imagebase:	0x7ff6c4390000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report http://apieventemitter.com

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Networking

System Summary

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Chrome Cache Entry: 108

Static File Info

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: chrome.exePID: 6256, Parent PID: 4932

General

Chronological Activities

Analysis Process: chrome.exePID: 3804, Parent PID: 6256

General

Chronological Activities

Analysis Process: chrome.exePID: 5720, Parent PID: 4932

General

Chronological Activities

Disassembly

Windows Analysis Report
http://apieventemitter.com