Edit tour

Windows Analysis Report
http://zpr.io/Kv3PL3bahS66#/yl4Wu36827Bu431QZ961hL12343hL3105bG14HH36065Ve26730Ek67523jA69203Zh08983yN1415487657=

Overview

General Information

Sample URL:	http://zpr.io/Kv3PL3bahS66#/yl4Wu36827Bu431QZ961hL12343hL3105bG14HH36065Ve26730Ek67523jA69203Zh08983yN1415487657=
Analysis ID:	1585214
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected suspicious crossdomain redirect

HTML body contains low number of good links

HTML title does not match URL

None HTTPS page querying sensitive user data (password, username or email)

Classification

Process Tree

System is w10x64

chrome.exe (PID: 2300 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 3940 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 --field-trial-handle=2024,i,14318130927498366969,5453730431632746573,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6600 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://zpr.io/Kv3PL3bahS66#/yl4Wu36827Bu431QZ961hL12343hL3105bG14HH36065Ve26730Ek67523jA69203Zh08983yN1415487657=" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/plain; charset=utf-8X-Address: gin_throttle_mw_7200000000_8.46.123.189X-Ratelimit-Limit: 500X-Ratelimit-Remaining: 497X-Ratelimit-Reset: 1736245189Date: Tue, 07 Jan 2025 09:19:49 GMTContent-Length: 0

Source: http://185.91.69.44/t//yl4Wu36827Bu431QZ961hL12343hL3105bG14HH36065Ve26730Ek67523jA69203Zh08983yN1415487657=	HTTP Parser: No favicon
Source: http://185.91.69.44/news?q=This%20link%20is%20locked!	HTTP Parser: No favicon
Source: http://185.91.69.44/news?q=This%20link%20is%20locked!	HTTP Parser: No favicon
Source: http://185.91.69.44/	HTTP Parser: No favicon
Source: http://185.91.69.44/	HTTP Parser: No favicon
Source: http://185.91.69.44/	HTTP Parser: No favicon
Source: http://185.91.69.44/	HTTP Parser: No favicon
Source: http://185.91.69.44/	HTTP Parser: No favicon
Source: http://185.91.69.44/	HTTP Parser: No favicon
Source: http://185.91.69.44/	HTTP Parser: No favicon
Source: http://185.91.69.44/	HTTP Parser: No favicon
Source: http://185.91.69.44/about	HTTP Parser: No favicon
Source: http://185.91.69.44/news	HTTP Parser: No favicon

Source: http://185.91.69.44/	HTTP Parser: No <meta name="author".. found
Source: http://185.91.69.44/	HTTP Parser: No <meta name="author".. found
Source: http://185.91.69.44/	HTTP Parser: No <meta name="author".. found
Source: http://185.91.69.44/	HTTP Parser: No <meta name="author".. found
Source: http://185.91.69.44/	HTTP Parser: No <meta name="author".. found
Source: http://185.91.69.44/	HTTP Parser: No <meta name="author".. found
Source: http://185.91.69.44/	HTTP Parser: No <meta name="author".. found
Source: http://185.91.69.44/	HTTP Parser: No <meta name="author".. found

Source: http://185.91.69.44/	HTTP Parser: No <meta name="copyright".. found
Source: http://185.91.69.44/	HTTP Parser: No <meta name="copyright".. found
Source: http://185.91.69.44/	HTTP Parser: No <meta name="copyright".. found
Source: http://185.91.69.44/	HTTP Parser: No <meta name="copyright".. found
Source: http://185.91.69.44/	HTTP Parser: No <meta name="copyright".. found
Source: http://185.91.69.44/	HTTP Parser: No <meta name="copyright".. found
Source: http://185.91.69.44/	HTTP Parser: No <meta name="copyright".. found
Source: http://185.91.69.44/	HTTP Parser: No <meta name="copyright".. found

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 185.91.69.44
Source: unknown	TCP traffic detected without corresponding DNS query: 185.91.69.44
Source: unknown	TCP traffic detected without corresponding DNS query: 185.91.69.44
Source: unknown	TCP traffic detected without corresponding DNS query: 185.91.69.44
Source: unknown	TCP traffic detected without corresponding DNS query: 185.91.69.44
Source: unknown	TCP traffic detected without corresponding DNS query: 185.91.69.44
Source: unknown	TCP traffic detected without corresponding DNS query: 185.91.69.44
Source: unknown	TCP traffic detected without corresponding DNS query: 185.91.69.44
Source: unknown	TCP traffic detected without corresponding DNS query: 185.91.69.44
Source: unknown	TCP traffic detected without corresponding DNS query: 185.91.69.44
Source: unknown	TCP traffic detected without corresponding DNS query: 185.91.69.44
Source: unknown	TCP traffic detected without corresponding DNS query: 185.91.69.44
Source: unknown	TCP traffic detected without corresponding DNS query: 2.22.50.131
Source: unknown	TCP traffic detected without corresponding DNS query: 2.22.50.131
Source: unknown	TCP traffic detected without corresponding DNS query: 185.91.69.44
Source: unknown	TCP traffic detected without corresponding DNS query: 185.91.69.44
Source: unknown	TCP traffic detected without corresponding DNS query: 185.91.69.44
Source: unknown	TCP traffic detected without corresponding DNS query: 185.91.69.44
Source: unknown	TCP traffic detected without corresponding DNS query: 185.91.69.44
Source: unknown	TCP traffic detected without corresponding DNS query: 217.20.57.38
Source: unknown	TCP traffic detected without corresponding DNS query: 217.20.57.38
Source: unknown	TCP traffic detected without corresponding DNS query: 185.91.69.44
Source: unknown	TCP traffic detected without corresponding DNS query: 185.91.69.44
Source: unknown	TCP traffic detected without corresponding DNS query: 185.91.69.44
Source: unknown	TCP traffic detected without corresponding DNS query: 185.91.69.44
Source: unknown	TCP traffic detected without corresponding DNS query: 185.91.69.44
Source: unknown	TCP traffic detected without corresponding DNS query: 185.91.69.44
Source: unknown	TCP traffic detected without corresponding DNS query: 185.91.69.44
Source: unknown	TCP traffic detected without corresponding DNS query: 185.91.69.44
Source: unknown	TCP traffic detected without corresponding DNS query: 185.91.69.44
Source: unknown	TCP traffic detected without corresponding DNS query: 185.91.69.44
Source: unknown	TCP traffic detected without corresponding DNS query: 185.91.69.44
Source: unknown	TCP traffic detected without corresponding DNS query: 185.91.69.44
Source: unknown	TCP traffic detected without corresponding DNS query: 185.91.69.44
Source: unknown	TCP traffic detected without corresponding DNS query: 185.91.69.44
Source: unknown	TCP traffic detected without corresponding DNS query: 185.91.69.44
Source: unknown	TCP traffic detected without corresponding DNS query: 185.91.69.44
Source: unknown	TCP traffic detected without corresponding DNS query: 185.91.69.44
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /Kv3PL3bahS66 HTTP/1.1Host: zpr.ioConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /Kv3PL3bahS66 HTTP/1.1Host: zpr.ioConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /rd/ HTTP/1.1Host: 185.91.69.44Connection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /t//yl4Wu36827Bu431QZ961hL12343hL3105bG14HH36065Ve26730Ek67523jA69203Zh08983yN1415487657= HTTP/1.1Host: 185.91.69.44Connection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Referer: http://185.91.69.44/rd/Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: 185.91.69.44Connection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Referer: http://185.91.69.44/t//yl4Wu36827Bu431QZ961hL12343hL3105bG14HH36065Ve26730Ek67523jA69203Zh08983yN1415487657=Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /news?q=This%20link%20is%20locked! HTTP/1.1Host: 185.91.69.44Connection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Referer: http://185.91.69.44/t//yl4Wu36827Bu431QZ961hL12343hL3105bG14HH36065Ve26730Ek67523jA69203Zh08983yN1415487657=Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.91.69.44Connection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Referer: http://185.91.69.44/news?q=This%20link%20is%20locked!Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /assets/styles.css HTTP/1.1Host: 185.91.69.44Connection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/css,/;q=0.1Referer: http://185.91.69.44/Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /about HTTP/1.1Host: 185.91.69.44Connection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Referer: http://185.91.69.44/Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /assets/about_styles.css HTTP/1.1Host: 185.91.69.44Connection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/css,/;q=0.1Referer: http://185.91.69.44/aboutAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.91.69.44Connection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Referer: http://185.91.69.44/aboutAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /news HTTP/1.1Host: 185.91.69.44Connection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Referer: http://185.91.69.44/Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.91.69.44Connection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Referer: http://185.91.69.44/newsAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9

Source: chromecache_54.1.dr, chromecache_56.1.dr	String found in binary or memory: </p><p><a href="https://www.youtube.com/watch?v=3LchMOwRZZg" target="_blank" rel="nofollow noopener">In an open letter</a> shared by the People equals www.youtube.com (Youtube)
Source: chromecache_54.1.dr, chromecache_56.1.dr	String found in binary or memory: </p><p>While the FBI has not confirmed that the New Orleans attacker was directly involved in ISIS, reports have suggested he was apparently sympathetic to the terrorist network and "pledged allegiance to ISIS" in a series of videos posted to his Facebook page, <a href="https://www.nytimes.com/2025/01/01/us/suspect-new-orleans-texan-isis-flag.html" target="_blank" rel="nofollow noopener">according to The New York Times</a>. equals www.facebook.com (Facebook)
Source: chromecache_54.1.dr, chromecache_56.1.dr	String found in binary or memory: <a href="https://www.youtube.com/watch?v=Dck8eZCpglc" target="_blank" rel="nofollow noopener">90-minute interview</a> with popular podcast host Jordan Peterson.</p><p><a href="https://www.foxnews.com/world/canadas-trudeau-announces-resignation-following-party-pressure-amid-criticisms-trump-budget-handling" target="_blank" rel="noopener"><strong>CANADA equals www.youtube.com (Youtube)
Source: chromecache_54.1.dr, chromecache_56.1.dr	String found in binary or memory: <a href="https://www.youtube.com/watch?v=Dtf1Afdz-jg" target="_blank" rel="nofollow noopener">CTV News</a>, before Christmas.</p><p>The incoming Trump administration will almost assuredly deal with a Poilievre government as the Conservatives are poised to win the next Canadian election, which could come as early as this spring. When the House of Commons resumes sitting on March 24, the opposition parties are likely to defeat the minority Liberal government in a vote of no-confidence, which would trigger a national vote.</p><p>In his Peterson interview, Poilievre acknowledged that Trump equals www.youtube.com (Youtube)
Source: chromecache_54.1.dr, chromecache_56.1.dr	String found in binary or memory: <rss xmlns:media="http://search.yahoo.com/mrss/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"> equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: zpr.io
Source: global traffic	DNS traffic detected: DNS query: feeds.foxnews.com
Source: global traffic	DNS traffic detected: DNS query: moxie.foxnews.com
Source: global traffic	DNS traffic detected: DNS query: www.foxnews.com

Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 --field-trial-handle=2024,i,14318130927498366969,5453730431632746573,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://zpr.io/Kv3PL3bahS66#/yl4Wu36827Bu431QZ961hL12343hL3105bG14HH36065Ve26730Ek67523jA69203Zh08983yN1415487657="
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 --field-trial-handle=2024,i,14318130927498366969,5453730431632746573,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	1 Process Injection	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	3 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	3 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Source	Detection	Scanner	Label	Link
http://zpr.io/Kv3PL3bahS66#/yl4Wu36827Bu431QZ961hL12343hL3105bG14HH36065Ve26730Ek67523jA69203Zh08983yN1415487657=	0%	Avira URL Cloud	safe
http://zpr.io/Kv3PL3bahS66#/yl4Wu36827Bu431QZ961hL12343hL3105bG14HH36065Ve26730Ek67523jA69203Zh08983yN1415487657=	100%	SlashNext	Fraudulent Website type: Phishing & Social Engineering

Source	Detection	Scanner	Label
http://185.91.69.44/assets/about_styles.css	0%	Avira URL Cloud	safe
https://tps.co.il/articles/it-was-a-shooting-spree-eyewitness-describes-deadly-terror-attack/"	0%	Avira URL Cloud	safe
http://185.91.69.44/favicon.ico	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
http://185.91.69.44/assets/about_styles.css	false	Avira URL Cloud: safe	unknown
https://zpr.io/Kv3PL3bahS66	false		high
http://185.91.69.44/	false		unknown
http://zpr.io/Kv3PL3bahS66	false		high
http://185.91.69.44/favicon.ico	false	Avira URL Cloud: safe	unknown

IP	Domain	Country	ASN	ASN Name	Malicious
3.224.24.33	unknown	United States	14618	AMAZON-AESUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.186.164	www.google.com	United States	15169	GOOGLEUS	false
185.91.69.44	unknown	Spain	6739	ONO-ASCableuropa-ONOES	false
34.239.90.156	zpr.io	United States	14618	AMAZON-AESUS	false

Name	IP	Active	Malicious	Reputation
zpr.io	34.239.90.156	true	false	high
www.google.com	142.250.186.164	true	false	high
moxie.foxnews.com	unknown	unknown	false	high
www.foxnews.com	unknown	unknown	false	high
feeds.foxnews.com	unknown	unknown	false	high

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.foxnews.com/live-news/bourbon-street-mass-casualty-incident-new-orleans-live-updates&quo	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://www.foxnews.com/category/topic/venezuelan-political-crisis"	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://www.foxnews.com/category/world/world-regions/israel">Israel	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://www.axios.com/2025/01/02/iran-nuclear-weapon-biden-white-house">according	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://www.foxnews.com/world/elephant-rips-handler-half-thailand-working-extreme-heat-report"	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://a57.foxnews.com/static.foxnews.com/foxnews.com/content/uploads/2020/05/931/523/ISIS-Militant	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://www.foxnews.com/world/canadas-trudeau-facing-revolt-from-within-popular-conservative-leader-	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://www.foxnews.com/world/iran-reportedly-executes-california-man-amid-ongoing-execution-spree-m	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://www.wilsoncenter.org/blog-post/wartime-ukraines-election-dilemma"	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://www.foxnews.com/world/south-korean-president-apologizes-declaring-martial-law-ahead-impeachm	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://www.foxnews.com/world/court-issues-arrest-warrant-south-koreas-president-yoon"	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://www.foxnews.com/politics/biden-administration-imposes-sanctions-against-venezuelan-president	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://www.jpost.com/breaking-news/article-836258"	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://www.foxnews.com/category/us/crime/police-and-law-enforcement"	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://www.foxnews.com/world/elon-musk-demands-uk-act-grooming-gang-scandal-amid-growing-calls-prob	chromecache_56.1.dr	false		high
https://www.foxnews.com/world/russian-foreign-minister-blasts-ukraine-peace-deal-reportedly-floated-	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://www.foxnews.com/world/trump-says-turkey-did-unfriendly-takeover-us-brokered-cease-fire-appea	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://www.foxnews.com/world/venezuelan-opposition-leader-who-claimed-victory-over-maduro-meets-bid	chromecache_56.1.dr	false		high
https://www.foxnews.com/lifestyle/grandmother-12-breaks-guinness-world-record-longest-plank-held-4-5	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://www.foxnews.com/world/austrian-nationalist-party-leader-rumored-talks-form-government	chromecache_56.1.dr	false		high
https://www.foxbusiness.com/fox-news-world/trudeau-brink-ally-finance-minister-abruptly-quits-over-t	chromecache_56.1.dr	false		high
https://www.nytimes.com/2025/01/01/us/suspect-new-orleans-texan-isis-flag.html"	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://www.foxnews.com/world/iran-regime-immense-pressure-incoming-trump-admin-policies-regional-lo	chromecache_56.1.dr	false		high
https://www.foxnews.com/world/canadian-finance-minister-resigns-trudeau-governments-popularity-floun	chromecache_56.1.dr	false		high
https://www.foxnews.com/politics/trump-weighs-political-turmoil-great-state-canada-trolls-governor-j	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://a57.foxnews.com/static.foxnews.com/foxnews.com/content/uploads/2024/12/931/523/trump-trudeau	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://www.foxnews.com/world/iran-hides-missile-drone-program-under-guise-commercial-front-evade-sa	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://www.foxnews.com/world/german-christmas-market-attack-victim-dies-hospital-weeks-later-increa	chromecache_56.1.dr	false		high
https://a57.foxnews.com/static.foxnews.com/foxnews.com/content/uploads/2025/01/931/523/jake.jpg?ve=1	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://www.foxnews.com/world/darien-jungle-treacherous-route-migrants-becomes-accessible-panama-see	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://www.foxnews.com/world/100-elephants-die-africas-largest-national-parks-drought"	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://www.reuters.com/world/americas/special-election-loss-adds-misery-cahttps://www.reuters.com/w	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://a57.foxnews.com/static.foxnews.com/foxnews.com/content/uploads/2025/01/931/523/farage-musk.j	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://www.foxnews.com/food-drink/worlds-oldest-man-dead-112-ate-meal-every-friday"	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://www.foxnews.com/world/north-korea-carries-out-first-missile-launch-test-since-trumps-electio	chromecache_56.1.dr	false		high
https://a57.foxnews.com/static.foxnews.com/foxnews.com/content/uploads/2025/01/931/523/gettyimages-2	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://www.foxnews.com/world/congo-execute-170-people-convicted-armed-robbery-official-says	chromecache_56.1.dr	false		high
https://a57.foxnews.com/static.foxnews.com/foxnews.com/content/uploads/2025/01/931/523/ap25005532727	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://www.foxnews.com/world/3-americans-congo-sentenced-death-after-coup-attempt"	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://www.foxnews.com/world/trump-could-face-renewed-isis-threat-syria-turkey-goes-after-us-ally&q	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://www.foxnews.com/world/iran-terror-proxies-amass-israels-borders-ring-fire"><stron	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://a57.foxnews.com/static.foxnews.com/foxnews.com/content/uploads/2024/12/931/523/trudeau-trump	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://www.foxnews.com/category/world/world-regions/canada"	chromecache_56.1.dr	false		high
https://www.foxnews.com/world"	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://www.foxnews.com/category/world/world-regions/saudi-arabia"	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://www.timesofisrael.com/3-israelis-killed-8-wounded-in-west-bank-terror-shooting-idf-hunting-f	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://globalnews.ca/video/10279746/trudeau-says-poilievre-wants-to-make-canada-great-again-in-comp	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://www.foxnews.com/world/isis-increasingly-unopposed-following-us-withdrawal-from-afghanistan-c	chromecache_56.1.dr	false		high
https://a57.foxnews.com/static.foxnews.com/foxnews.com/content/uploads/2025/01/931/523/tomiko-itooka	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://www.foxnews.com/world/uncovering-atrocities-assad-regime-its-death-factory-hill"	chromecache_54.1.dr, chromecache_56.1.dr	false		high
http://search.yahoo.com/mrss/	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://www.foxnews.com/us/pro-isis-group-called-muslims-conduct-nye-attacks-ahead-new-orleans-massa	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://www.foxnews.com/world/20-men-found-guilty-of-raping-more-than-a-dozen-teenage-girls-in-north	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://www.foxnews.com/world/spanish-woman-believed-oldest-person-world-died-age-117"	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://www.foxnews.com/category/world/world-regions/israel"	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://www.foxnews.com/world/inside-israels-daring-raid-destroyed-iran-funded-underground-missile-f	chromecache_56.1.dr	false		high
https://www.foxnews.com/world/us-sanctions-21-more-maduro-allies-accused-post-election-repression-ve	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://www.youtube.com/watch?v=Dck8eZCpglc"	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://a57.foxnews.com/static.foxnews.com/foxnews.com/content/uploads/2023/01/931/523/AP23010674340	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://www.foxnews.com/category/world/world-regions/south-korea"	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://www.foxnews.com/category/world/world-regions/africa"	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://www.foxnews.com/world/iran-executes-over-1000-prisoners-2024-highest-total-30-years-report-s	chromecache_56.1.dr	false		high
https://a57.foxnews.com/static.foxnews.com/foxnews.com/content/uploads/2025/01/931/523/472087173_116	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://www.foxnews.com/category/politics/foreign-policy/human-rights"	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://www.foxnews.com/category/health/cancer/prostate-cancer"	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://www.foxnews.com/world/south-korea-imposes-travel-ban-president-yoon-over-martial-law-declara	chromecache_56.1.dr	false		high
https://www.foxnews.com/world/idf-finds-hezbollah-weapons-cache-underground-tunnel-video"	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://www.foxbusiness.com/fox-news-us/elon-musk-says-tesla-get-cybertruck-back-road-after-las-vega	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://www.foxnews.com/category/world/conflicts/ukraine"	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://www.foxnews.com/world/netanyahu-goes-against-doctors-orders-appears-israeli-parliament-after	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://www.cbc.ca/news/canada/new-brunswick/dominic-leblanc-new-finance-minister-1.7412779"	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://www.foxnews.com/category/person/donald-trump"	chromecache_56.1.dr	false		high
https://www.foxnews.com/us/1510-children-abused-in-rotherham-sex-scandal-new-report-says"	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://www.foxnews.com/world/netanyahu-undergo-hernia-surgery-full-anesthesia"	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://www.foxnews.com/world/south-koreas-former-defense-minister-attempted-suicide-after-he-arrest	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://www.foxnews.com/category/person/elon-musk"	chromecache_56.1.dr	false		high
https://www.foxnews.com/world/israel-eyes-iran-nuke-sites-amid-reports-trump-mulls-moves-block-tehra	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://www.foxnews.com/category/person/justin-trudeau"	chromecache_56.1.dr	false		high
https://a57.foxnews.com/static.foxnews.com/foxnews.com/content/uploads/2025/01/931/523/israelis-trum	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://a57.foxnews.com/static.foxnews.com/foxnews.com/content/uploads/2025/01/931/523/trudeau_poili	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://www.foxnews.com/category/world/conflicts/iran">Islamic	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://www.foxnews.com/world/russian-paramilitary-soldiers-killed-friendly-fire-attack-north-korean	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://www.foxnews.com/world/north-korea-condemns-south-korea-fascist-dictatorship-after-martial-la	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://www.foxnews.com/category/world/world-regions/asia"	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://www.foxnews.com/category/world/world-politics"	chromecache_56.1.dr	false		high
https://www.foxnews.com/world/families-israelis-feared-kidnapped-hamas-appeal-international-communit	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://www.foxnews.com/world/boy-7-survives-5-days-alone-african-game-park-alongside-lions-elephant	chromecache_56.1.dr	false		high
https://www.foxnews.com/lifestyle/viola-the-circus-elephant-with-history-escapes-breaks-free-again-m	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://www.foxnews.com/media/blinken-says-he-has-no-apologies-ending-americas-longest-war-afghanist	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://www.foxnews.com/world/iran-dissidents-hunger-strike-prisoner-mental-condition-executed-wave-	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://a57.foxnews.com/static.foxnews.com/foxnews.com/content/uploads/2024/11/931/523/north-korea-2	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://tps.co.il/articles/it-was-a-shooting-spree-eyewitness-describes-deadly-terror-attack/"	chromecache_54.1.dr, chromecache_56.1.dr	false	Avira URL Cloud: safe	unknown
https://www.foxnews.com/elections"	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://www.foxnews.com/world/car-drives-idyllic-germany-christmas-market-suspected-terrorist-attack	chromecache_54.1.dr, chromecache_56.1.dr	false		high
https://www.youtube.com/watch?v=Dtf1Afdz-jg"	chromecache_54.1.dr, chromecache_56.1.dr	false		high

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585214
Start date and time:	2025-01-07 10:18:46 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	http://zpr.io/Kv3PL3bahS66#/yl4Wu36827Bu431QZ961hL12343hL3105bG14HH36065Ve26730Ek67523jA69203Zh08983yN1415487657=
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal48.win@17/21@14/7
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0

Input	Output
URL: http://zpr.io Model: Joe Sandbox AI	{ "typosquatting": false, "unusual_query_string": false, "suspicious_tld": true, "ip_in_url": false, "long_subdomain": false, "malicious_keywords": false, "encoded_characters": false, "redirection": false, "contains_email_address": false, "known_domain": false, "brand_spoofing_attempt": false, "third_party_hosting": false }
URL: http://zpr.io
URL: http://185.91.69.44/t//yl4Wu36827Bu431QZ961hL12343... Model: Joe Sandbox AI	{ "risk_score": 5, "reasoning": "The script uses a setTimeout function to redirect the user to a news page with a suspicious query parameter after a 1-second delay. This behavior is considered a moderate risk, as it could potentially lead to a redirect to a malicious or suspicious domain. However, without more context about the script's purpose and the target domain, it's difficult to determine the true intent. Further investigation may be necessary." }
setTimeout(function(){ window.location.href = '/news?q=This link is locked!'; console.log('redirecting to /news?q=This link is locked!'); }, 1000);
URL: http://185.91.69.44/rd/#/yl4Wu36827Bu431QZ961hL123... Model: Joe Sandbox AI	{ "risk_score": 5, "reasoning": "The script appears to be performing a redirect based on a parameter in the URL, which could potentially be used for malicious purposes. While the intent is not immediately clear, the lack of transparency and the use of dynamic URL construction warrant further investigation." }
var tarcking_param = window.location.href.split('#')[1]; if(!tarcking_param){ document.location.href = document.location.href.replace("/rd/", "/t/"); }else{ document.location.href = '/t/'+tarcking_param; }
URL: http://185.91.69.44/... Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": "The provided JavaScript code appears to be a simple countdown timer and email subscription functionality, which are common and benign web development practices. There are no indicators of high-risk behaviors, such as dynamic code execution, data exfiltration, or redirects to suspicious domains. The code is straightforward and does not exhibit any suspicious or malicious characteristics." }
const launchDate = new Date('2023-05-01T00:00:00').getTime(); const daysElement = document.getElementById('days'); const hoursElement = document.getElementById('hours'); const minutesElement = document.getElementById('minutes'); const secondsElement = document.getElementById('seconds'); function updateCountdown() { const currentTime = new Date().getTime(); const timeRemaining = launchDate - currentTime; const days = Math.floor(timeRemaining / (1000 * 60 * 60 * 24)); const hours = Math.floor((timeRemaining % (1000 * 60 * 60 * 24)) / (1000 * 60 * 60)); const minutes = Math.floor((timeRemaining % (1000 * 60 * 60)) / (1000 * 60)); const seconds = Math.floor((timeRemaining % (1000 * 60)) / 1000); daysElement.textContent = days.toString().padStart(2, '0'); hoursElement.textContent = hours.toString().padStart(2, '0'); minutesElement.textContent = minutes.toString().padStart(2, '0'); secondsElement.textContent = seconds.toString().padStart(2, '0'); } function submitForm(event) { event.preventDefault(); const email = document.getElementById('email').value; document.getElementById('subscription-message').textContent = `Thank you for subscribing, ${email}!`; } updateCountdown(); setInterval(updateCountdown, 1000);
URL: http://185.91.69.44/news?q=This%20link%20is%20lock... Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": "The provided JavaScript code appears to be a legitimate RSS feed reader that fetches and displays news items from the Fox News World RSS feed. It does not exhibit any high-risk behaviors, such as dynamic code execution, data exfiltration, or redirects to malicious domains. The code uses standard web APIs like `fetch` and `DOMParser` to retrieve and parse the RSS feed, and it simply displays the news items on the page. This script is likely benign and poses a low risk." }
const fetchRSSFeed = async (url) => { const response = await fetch(url); const text = await response.text(); const parser = new DOMParser(); const xml = parser.parseFromString(text, "application/xml"); return xml; }; const displayNewsItems = (xml) => { const newsItemsContainer = document.getElementById("news-items"); const items = xml.querySelectorAll("item"); items.forEach((item) => { const titleElement = item.querySelector("title"); const guidElement = item.querySelector("guid"); const descriptionElement = item.querySelector("description"); const contentElement = item.querySelector("content\\:encoded"); const title = titleElement ? titleElement.textContent : "Untitled"; const guid = guidElement ? guidElement.textContent : "#"; const description = descriptionElement ? descriptionElement.textContent : "No description available."; const content = contentElement ? contentElement.textContent : "No content available."; const newsItem = document.createElement("div"); newsItem.classList.add("news-item"); newsItem.innerHTML = ` <h2><a href="${guid}" target="_blank">${title}</a></h2> <p>${description}</p> <div>${content}</div> `; newsItemsContainer.appendChild(newsItem); }); }; (async () => { const foxNewsWorldRSSFeed = "https://feeds.foxnews.com/foxnews/world"; const xml = await fetchRSSFeed(foxNewsWorldRSSFeed); displayNewsItems(xml); document.getElementById("msg").textContent = new URLSearchParams(window.location.search).get("q"); })();
URL: http://185.91.69.44/news?q=This%20link%20is%20locked! Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: http://185.91.69.44/news?q=This%20link%20is%20locked! Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: http://185.91.69.44/news?q=This%20link%20is%20locked! Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: http://185.91.69.44/news?q=This%20link%20is%20locked! Model: Joe Sandbox AI	{ "brands": [ "Fox News" ] }
	{ "brands": [ "Fox News" ] }
URL: http://185.91.69.44/ Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "Our Website is Coming Soon!", "prominent_button_name": "Subscribe", "text_input_field_labels": [ "d9cuzv@bqp.com" ], "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: http://185.91.69.44/ Model: Joe Sandbox AI	{ "brands": [ "Fox News" ] }
	{ "brands": [ "Fox News" ] }
URL: http://185.91.69.44/ Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "Our Website is Coming Soon!", "prominent_button_name": "Subscribe", "text_input_field_labels": ["d9cuzv@bqp.com"], "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: http://185.91.69.44/ Model: Joe Sandbox AI	{ "brands": [ "Fox News" ] }
	{ "brands": [ "Fox News" ] }
URL: http://185.91.69.44/ Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "Our Website is Coming Soon!", "prominent_button_name": "Subscribe", "text_input_field_labels": [ "d9cuzv@bqp.com" ], "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": true, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: http://185.91.69.44/ Model: Joe Sandbox AI	{ "brands": [ "Fox News" ] }
	{ "brands": [ "Fox News" ] }
URL: http://185.91.69.44/ Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "Our Website is Coming Soon!", "prominent_button_name": "Subscribe", "text_input_field_labels": ["3aj7do@fushgc.co"], "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: http://185.91.69.44/ Model: Joe Sandbox AI	{ "brands": [ "Fox News" ] }
	{ "brands": [ "Fox News" ] }
URL: http://185.91.69.44/ Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "Our Website is Coming Soon!", "prominent_button_name": "Subscribe", "text_input_field_labels": ["3aj7do@fushgc.co"], "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": true, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: http://185.91.69.44/ Model: Joe Sandbox AI	{ "brands": [ "Fox News" ] }
	{ "brands": [ "Fox News" ] }
URL: http://185.91.69.44/ Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "Our Website is Coming Soon!", "prominent_button_name": "Subscribe", "text_input_field_labels": ["3aj7do@fushgc.co"], "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: http://185.91.69.44/ Model: Joe Sandbox AI	{ "brands": [ "Fox News" ] }
	{ "brands": [ "Fox News" ] }
URL: http://185.91.69.44/ Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "Our Website is Coming Soon!", "prominent_button_name": "Subscribe", "text_input_field_labels": ["ax5v9k@cjij.org"], "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": true, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: http://185.91.69.44/ Model: Joe Sandbox AI	{ "brands": [ "Fox News" ] }
	{ "brands": [ "Fox News" ] }
URL: http://185.91.69.44/ Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "Our Website is Coming Soon!", "prominent_button_name": "Subscribe", "text_input_field_labels": ["ax5v9k@cjij.org"], "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": true, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: http://185.91.69.44/about Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "Click here to learn more about how our email marketing solutions can help your business grow and thrive.", "prominent_button_name": "Back to the main page", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: http://185.91.69.44/ Model: Joe Sandbox AI	{ "brands": [ "Fox News" ] }
	{ "brands": [ "Fox News" ] }
URL: http://185.91.69.44/news Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: http://185.91.69.44/about Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: http://185.91.69.44/news Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text, with very long lines (454), with CRLF line terminators
Category:	downloaded
Size (bytes):	2175
Entropy (8bit):	4.631113781761532
Encrypted:	false
SSDEEP:	48:FmvUUtfTbGHdPJQLwVXjpG6qkdZA98zE9bH2Mjn9TAc:4MUtrbG9bVXsNyA98zEEMjn9TH
MD5:	D12D52DFD54FC029D0A03A7F90713D8F
SHA1:	BC18F2EBE1C100766CAB5BE20FF9B7039C8BE523
SHA-256:	0BFFE4573671DCF865FD0DD0F954AADDDE0AFFCDB853EFB4AA3771BC1D1BEFA7
SHA-512:	E0EA78E62E1BDE920DF89EA538B3092BD0525B6E2DAC5838331E172609282C1AAED5239E578AB6D01E02AB9D889297347AFEC9B61A6ED2343F732CC73BC68556
Malicious:	false
Reputation:	low
URL:	http://185.91.69.44/about
Preview:	........................<!DOCTYPE html>..<html lang="en">..<head>.. <meta charset="UTF-8">.. <meta name="viewport" content="width=device-width, initial-scale=1.0">.. <title>About Us - hurmanitydex.de</title>.. <link rel="stylesheet" href="/assets/about_styles.css">..</head>..<body>..<div class="container">.. <h1>About Our Email Marketing Agency</h1>.. <p>Our email marketing agency specializes in creating effective and engaging email campaigns tailored to meet the unique needs of businesses of all sizes. With a team of experienced marketing professionals, we are dedicated to helping our clients achieve their marketing goals and drive growth through the power of email marketing.</p>.. <p>At our agency, we understand the importance of personalized, targeted email marketing strategies. By combining cutting-edge technology with data-driven insights and creative expertise, we deliver email campaigns that resonate with your audience, foster customer loyalty, and increase

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 10:19:32.168653965 CET	49675	443	192.168.2.4	173.222.162.32
Jan 7, 2025 10:19:41.777926922 CET	49675	443	192.168.2.4	173.222.162.32
Jan 7, 2025 10:19:45.895996094 CET	49737	443	192.168.2.4	142.250.186.164
Jan 7, 2025 10:19:45.896027088 CET	443	49737	142.250.186.164	192.168.2.4
Jan 7, 2025 10:19:45.896136045 CET	49737	443	192.168.2.4	142.250.186.164
Jan 7, 2025 10:19:45.896311998 CET	49737	443	192.168.2.4	142.250.186.164
Jan 7, 2025 10:19:45.896330118 CET	443	49737	142.250.186.164	192.168.2.4
Jan 7, 2025 10:19:46.547890902 CET	443	49737	142.250.186.164	192.168.2.4
Jan 7, 2025 10:19:46.548193932 CET	49737	443	192.168.2.4	142.250.186.164
Jan 7, 2025 10:19:46.548213005 CET	443	49737	142.250.186.164	192.168.2.4
Jan 7, 2025 10:19:46.549205065 CET	443	49737	142.250.186.164	192.168.2.4
Jan 7, 2025 10:19:46.549295902 CET	49737	443	192.168.2.4	142.250.186.164
Jan 7, 2025 10:19:46.550390005 CET	49737	443	192.168.2.4	142.250.186.164
Jan 7, 2025 10:19:46.550455093 CET	443	49737	142.250.186.164	192.168.2.4
Jan 7, 2025 10:19:46.605240107 CET	49737	443	192.168.2.4	142.250.186.164
Jan 7, 2025 10:19:46.605254889 CET	443	49737	142.250.186.164	192.168.2.4
Jan 7, 2025 10:19:46.652117968 CET	49737	443	192.168.2.4	142.250.186.164
Jan 7, 2025 10:19:47.274178982 CET	49739	80	192.168.2.4	34.239.90.156
Jan 7, 2025 10:19:47.274445057 CET	49740	80	192.168.2.4	34.239.90.156
Jan 7, 2025 10:19:47.279098034 CET	80	49739	34.239.90.156	192.168.2.4
Jan 7, 2025 10:19:47.279175043 CET	49739	80	192.168.2.4	34.239.90.156
Jan 7, 2025 10:19:47.279211044 CET	80	49740	34.239.90.156	192.168.2.4
Jan 7, 2025 10:19:47.279266119 CET	49740	80	192.168.2.4	34.239.90.156
Jan 7, 2025 10:19:47.279303074 CET	49739	80	192.168.2.4	34.239.90.156
Jan 7, 2025 10:19:47.284077883 CET	80	49739	34.239.90.156	192.168.2.4
Jan 7, 2025 10:19:47.740748882 CET	80	49739	34.239.90.156	192.168.2.4
Jan 7, 2025 10:19:47.764884949 CET	49742	443	192.168.2.4	3.224.24.33
Jan 7, 2025 10:19:47.764930010 CET	443	49742	3.224.24.33	192.168.2.4
Jan 7, 2025 10:19:47.764997959 CET	49742	443	192.168.2.4	3.224.24.33
Jan 7, 2025 10:19:47.765217066 CET	49742	443	192.168.2.4	3.224.24.33
Jan 7, 2025 10:19:47.765230894 CET	443	49742	3.224.24.33	192.168.2.4
Jan 7, 2025 10:19:47.796032906 CET	49739	80	192.168.2.4	34.239.90.156
Jan 7, 2025 10:19:48.416635990 CET	443	49742	3.224.24.33	192.168.2.4
Jan 7, 2025 10:19:48.416876078 CET	49742	443	192.168.2.4	3.224.24.33
Jan 7, 2025 10:19:48.416906118 CET	443	49742	3.224.24.33	192.168.2.4
Jan 7, 2025 10:19:48.417902946 CET	443	49742	3.224.24.33	192.168.2.4
Jan 7, 2025 10:19:48.417967081 CET	49742	443	192.168.2.4	3.224.24.33
Jan 7, 2025 10:19:48.425081015 CET	49742	443	192.168.2.4	3.224.24.33
Jan 7, 2025 10:19:48.425158978 CET	443	49742	3.224.24.33	192.168.2.4
Jan 7, 2025 10:19:48.425616980 CET	49742	443	192.168.2.4	3.224.24.33
Jan 7, 2025 10:19:48.425626993 CET	443	49742	3.224.24.33	192.168.2.4
Jan 7, 2025 10:19:48.466449022 CET	49742	443	192.168.2.4	3.224.24.33
Jan 7, 2025 10:19:48.531255960 CET	443	49742	3.224.24.33	192.168.2.4
Jan 7, 2025 10:19:48.531347990 CET	443	49742	3.224.24.33	192.168.2.4
Jan 7, 2025 10:19:48.531414986 CET	49742	443	192.168.2.4	3.224.24.33
Jan 7, 2025 10:19:48.544228077 CET	49742	443	192.168.2.4	3.224.24.33
Jan 7, 2025 10:19:48.544269085 CET	443	49742	3.224.24.33	192.168.2.4
Jan 7, 2025 10:19:48.630567074 CET	49743	80	192.168.2.4	185.91.69.44
Jan 7, 2025 10:19:48.635515928 CET	80	49743	185.91.69.44	192.168.2.4
Jan 7, 2025 10:19:48.635586023 CET	49743	80	192.168.2.4	185.91.69.44
Jan 7, 2025 10:19:48.635746956 CET	49743	80	192.168.2.4	185.91.69.44
Jan 7, 2025 10:19:48.640513897 CET	80	49743	185.91.69.44	192.168.2.4
Jan 7, 2025 10:19:49.259999990 CET	80	49743	185.91.69.44	192.168.2.4
Jan 7, 2025 10:19:49.313499928 CET	49743	80	192.168.2.4	185.91.69.44
Jan 7, 2025 10:19:49.315112114 CET	49744	80	192.168.2.4	185.91.69.44
Jan 7, 2025 10:19:49.317089081 CET	49743	80	192.168.2.4	185.91.69.44
Jan 7, 2025 10:19:49.319912910 CET	80	49744	185.91.69.44	192.168.2.4
Jan 7, 2025 10:19:49.319999933 CET	49744	80	192.168.2.4	185.91.69.44
Jan 7, 2025 10:19:49.323088884 CET	80	49743	185.91.69.44	192.168.2.4
Jan 7, 2025 10:19:49.550743103 CET	80	49743	185.91.69.44	192.168.2.4
Jan 7, 2025 10:19:49.593487024 CET	49743	80	192.168.2.4	185.91.69.44
Jan 7, 2025 10:19:49.598494053 CET	49743	80	192.168.2.4	185.91.69.44
Jan 7, 2025 10:19:49.603318930 CET	80	49743	185.91.69.44	192.168.2.4
Jan 7, 2025 10:19:49.775950909 CET	80	49743	185.91.69.44	192.168.2.4
Jan 7, 2025 10:19:49.824637890 CET	49743	80	192.168.2.4	185.91.69.44
Jan 7, 2025 10:19:50.592097998 CET	49743	80	192.168.2.4	185.91.69.44
Jan 7, 2025 10:19:50.597894907 CET	80	49743	185.91.69.44	192.168.2.4
Jan 7, 2025 10:19:50.770812035 CET	80	49743	185.91.69.44	192.168.2.4
Jan 7, 2025 10:19:50.770842075 CET	80	49743	185.91.69.44	192.168.2.4
Jan 7, 2025 10:19:50.770854950 CET	80	49743	185.91.69.44	192.168.2.4
Jan 7, 2025 10:19:50.771050930 CET	49743	80	192.168.2.4	185.91.69.44
Jan 7, 2025 10:19:56.458636999 CET	443	49737	142.250.186.164	192.168.2.4
Jan 7, 2025 10:19:56.458703995 CET	443	49737	142.250.186.164	192.168.2.4
Jan 7, 2025 10:19:56.458782911 CET	49737	443	192.168.2.4	142.250.186.164
Jan 7, 2025 10:19:56.596832991 CET	49737	443	192.168.2.4	142.250.186.164
Jan 7, 2025 10:19:56.596857071 CET	443	49737	142.250.186.164	192.168.2.4
Jan 7, 2025 10:19:58.883615017 CET	49723	80	192.168.2.4	2.22.50.131
Jan 7, 2025 10:19:58.888761044 CET	80	49723	2.22.50.131	192.168.2.4
Jan 7, 2025 10:19:58.888830900 CET	49723	80	192.168.2.4	2.22.50.131
Jan 7, 2025 10:20:03.737095118 CET	49743	80	192.168.2.4	185.91.69.44
Jan 7, 2025 10:20:03.741980076 CET	80	49743	185.91.69.44	192.168.2.4
Jan 7, 2025 10:20:03.915024042 CET	80	49743	185.91.69.44	192.168.2.4
Jan 7, 2025 10:20:03.915041924 CET	80	49743	185.91.69.44	192.168.2.4
Jan 7, 2025 10:20:03.915051937 CET	80	49743	185.91.69.44	192.168.2.4
Jan 7, 2025 10:20:03.915111065 CET	80	49743	185.91.69.44	192.168.2.4
Jan 7, 2025 10:20:03.915128946 CET	49743	80	192.168.2.4	185.91.69.44
Jan 7, 2025 10:20:03.915186882 CET	49743	80	192.168.2.4	185.91.69.44
Jan 7, 2025 10:20:03.929773092 CET	49743	80	192.168.2.4	185.91.69.44
Jan 7, 2025 10:20:03.934581995 CET	80	49743	185.91.69.44	192.168.2.4
Jan 7, 2025 10:20:04.108613014 CET	80	49743	185.91.69.44	192.168.2.4
Jan 7, 2025 10:20:04.108633041 CET	80	49743	185.91.69.44	192.168.2.4
Jan 7, 2025 10:20:04.108768940 CET	49743	80	192.168.2.4	185.91.69.44
Jan 7, 2025 10:20:13.479288101 CET	80	49724	217.20.57.38	192.168.2.4
Jan 7, 2025 10:20:13.479398012 CET	49724	80	192.168.2.4	217.20.57.38
Jan 7, 2025 10:20:13.479446888 CET	49724	80	192.168.2.4	217.20.57.38
Jan 7, 2025 10:20:13.484251022 CET	80	49724	217.20.57.38	192.168.2.4
Jan 7, 2025 10:20:15.790697098 CET	49743	80	192.168.2.4	185.91.69.44
Jan 7, 2025 10:20:15.795492887 CET	80	49743	185.91.69.44	192.168.2.4
Jan 7, 2025 10:20:15.968574047 CET	80	49743	185.91.69.44	192.168.2.4
Jan 7, 2025 10:20:15.968589067 CET	80	49743	185.91.69.44	192.168.2.4
Jan 7, 2025 10:20:15.968734026 CET	49743	80	192.168.2.4	185.91.69.44
Jan 7, 2025 10:20:15.986557961 CET	49743	80	192.168.2.4	185.91.69.44
Jan 7, 2025 10:20:15.991324902 CET	80	49743	185.91.69.44	192.168.2.4
Jan 7, 2025 10:20:16.176474094 CET	80	49743	185.91.69.44	192.168.2.4
Jan 7, 2025 10:20:16.222966909 CET	49743	80	192.168.2.4	185.91.69.44
Jan 7, 2025 10:20:27.791568041 CET	49743	80	192.168.2.4	185.91.69.44
Jan 7, 2025 10:20:27.796789885 CET	80	49743	185.91.69.44	192.168.2.4
Jan 7, 2025 10:20:27.969938040 CET	80	49743	185.91.69.44	192.168.2.4
Jan 7, 2025 10:20:27.969949007 CET	80	49743	185.91.69.44	192.168.2.4
Jan 7, 2025 10:20:27.969960928 CET	80	49743	185.91.69.44	192.168.2.4
Jan 7, 2025 10:20:27.970089912 CET	49743	80	192.168.2.4	185.91.69.44
Jan 7, 2025 10:20:32.292855024 CET	49740	80	192.168.2.4	34.239.90.156
Jan 7, 2025 10:20:32.297641993 CET	80	49740	34.239.90.156	192.168.2.4
Jan 7, 2025 10:20:32.746074915 CET	49739	80	192.168.2.4	34.239.90.156
Jan 7, 2025 10:20:32.750906944 CET	80	49739	34.239.90.156	192.168.2.4
Jan 7, 2025 10:20:34.323627949 CET	49744	80	192.168.2.4	185.91.69.44
Jan 7, 2025 10:20:34.328457117 CET	80	49744	185.91.69.44	192.168.2.4
Jan 7, 2025 10:20:39.894867897 CET	49743	80	192.168.2.4	185.91.69.44
Jan 7, 2025 10:20:39.899663925 CET	80	49743	185.91.69.44	192.168.2.4
Jan 7, 2025 10:20:40.072494984 CET	80	49743	185.91.69.44	192.168.2.4
Jan 7, 2025 10:20:40.072515965 CET	80	49743	185.91.69.44	192.168.2.4
Jan 7, 2025 10:20:40.072526932 CET	80	49743	185.91.69.44	192.168.2.4
Jan 7, 2025 10:20:40.072582960 CET	49743	80	192.168.2.4	185.91.69.44
Jan 7, 2025 10:20:40.072591066 CET	80	49743	185.91.69.44	192.168.2.4
Jan 7, 2025 10:20:40.072626114 CET	49743	80	192.168.2.4	185.91.69.44
Jan 7, 2025 10:20:45.951304913 CET	49816	443	192.168.2.4	142.250.186.164
Jan 7, 2025 10:20:45.951333046 CET	443	49816	142.250.186.164	192.168.2.4
Jan 7, 2025 10:20:45.951395035 CET	49816	443	192.168.2.4	142.250.186.164
Jan 7, 2025 10:20:45.951809883 CET	49816	443	192.168.2.4	142.250.186.164
Jan 7, 2025 10:20:45.951818943 CET	443	49816	142.250.186.164	192.168.2.4
Jan 7, 2025 10:20:46.581557989 CET	443	49816	142.250.186.164	192.168.2.4
Jan 7, 2025 10:20:46.581960917 CET	49816	443	192.168.2.4	142.250.186.164
Jan 7, 2025 10:20:46.581979990 CET	443	49816	142.250.186.164	192.168.2.4
Jan 7, 2025 10:20:46.582329988 CET	443	49816	142.250.186.164	192.168.2.4
Jan 7, 2025 10:20:46.582648039 CET	49816	443	192.168.2.4	142.250.186.164
Jan 7, 2025 10:20:46.582750082 CET	443	49816	142.250.186.164	192.168.2.4
Jan 7, 2025 10:20:46.636804104 CET	49816	443	192.168.2.4	142.250.186.164
Jan 7, 2025 10:20:47.650808096 CET	80	49740	34.239.90.156	192.168.2.4
Jan 7, 2025 10:20:47.650916100 CET	49740	80	192.168.2.4	34.239.90.156
Jan 7, 2025 10:20:47.744743109 CET	80	49739	34.239.90.156	192.168.2.4
Jan 7, 2025 10:20:47.744832993 CET	49739	80	192.168.2.4	34.239.90.156
Jan 7, 2025 10:20:48.263670921 CET	49740	80	192.168.2.4	34.239.90.156
Jan 7, 2025 10:20:48.263695955 CET	49739	80	192.168.2.4	34.239.90.156
Jan 7, 2025 10:20:48.268531084 CET	80	49740	34.239.90.156	192.168.2.4
Jan 7, 2025 10:20:48.268543959 CET	80	49739	34.239.90.156	192.168.2.4
Jan 7, 2025 10:20:50.263801098 CET	49744	80	192.168.2.4	185.91.69.44
Jan 7, 2025 10:20:50.268837929 CET	80	49744	185.91.69.44	192.168.2.4
Jan 7, 2025 10:20:50.268944979 CET	49744	80	192.168.2.4	185.91.69.44
Jan 7, 2025 10:20:52.070341110 CET	49859	80	192.168.2.4	185.91.69.44
Jan 7, 2025 10:20:52.071739912 CET	49743	80	192.168.2.4	185.91.69.44
Jan 7, 2025 10:20:52.075213909 CET	80	49859	185.91.69.44	192.168.2.4
Jan 7, 2025 10:20:52.075299025 CET	49859	80	192.168.2.4	185.91.69.44
Jan 7, 2025 10:20:52.076581955 CET	80	49743	185.91.69.44	192.168.2.4
Jan 7, 2025 10:20:52.249680042 CET	80	49743	185.91.69.44	192.168.2.4
Jan 7, 2025 10:20:52.249703884 CET	80	49743	185.91.69.44	192.168.2.4
Jan 7, 2025 10:20:52.249722958 CET	80	49743	185.91.69.44	192.168.2.4
Jan 7, 2025 10:20:52.249735117 CET	80	49743	185.91.69.44	192.168.2.4
Jan 7, 2025 10:20:52.249872923 CET	49743	80	192.168.2.4	185.91.69.44
Jan 7, 2025 10:20:52.253475904 CET	49743	80	192.168.2.4	185.91.69.44
Jan 7, 2025 10:20:56.500715017 CET	443	49816	142.250.186.164	192.168.2.4
Jan 7, 2025 10:20:56.500793934 CET	443	49816	142.250.186.164	192.168.2.4
Jan 7, 2025 10:20:56.500844002 CET	49816	443	192.168.2.4	142.250.186.164
Jan 7, 2025 10:20:57.334930897 CET	49816	443	192.168.2.4	142.250.186.164
Jan 7, 2025 10:20:57.334954977 CET	443	49816	142.250.186.164	192.168.2.4

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 10:19:41.973413944 CET	53	64025	1.1.1.1	192.168.2.4
Jan 7, 2025 10:19:42.007734060 CET	53	56635	1.1.1.1	192.168.2.4
Jan 7, 2025 10:19:42.994174004 CET	53	50577	1.1.1.1	192.168.2.4
Jan 7, 2025 10:19:45.887829065 CET	51893	53	192.168.2.4	1.1.1.1
Jan 7, 2025 10:19:45.887943983 CET	50048	53	192.168.2.4	1.1.1.1
Jan 7, 2025 10:19:45.894469976 CET	53	50048	1.1.1.1	192.168.2.4
Jan 7, 2025 10:19:45.894756079 CET	53	51893	1.1.1.1	192.168.2.4
Jan 7, 2025 10:19:47.243654013 CET	61797	53	192.168.2.4	1.1.1.1
Jan 7, 2025 10:19:47.243787050 CET	64285	53	192.168.2.4	1.1.1.1
Jan 7, 2025 10:19:47.253330946 CET	53	61797	1.1.1.1	192.168.2.4
Jan 7, 2025 10:19:47.276663065 CET	53	64285	1.1.1.1	192.168.2.4
Jan 7, 2025 10:19:47.743127108 CET	55266	53	192.168.2.4	1.1.1.1
Jan 7, 2025 10:19:47.743287086 CET	63700	53	192.168.2.4	1.1.1.1
Jan 7, 2025 10:19:47.757285118 CET	53	55266	1.1.1.1	192.168.2.4
Jan 7, 2025 10:19:47.765121937 CET	53	63700	1.1.1.1	192.168.2.4
Jan 7, 2025 10:19:50.793267965 CET	51993	53	192.168.2.4	1.1.1.1
Jan 7, 2025 10:19:50.793417931 CET	61603	53	192.168.2.4	1.1.1.1
Jan 7, 2025 10:19:50.815145016 CET	53	61603	1.1.1.1	192.168.2.4
Jan 7, 2025 10:19:51.393899918 CET	50777	53	192.168.2.4	1.1.1.1
Jan 7, 2025 10:19:51.394063950 CET	52416	53	192.168.2.4	1.1.1.1
Jan 7, 2025 10:19:52.760070086 CET	54233	53	192.168.2.4	1.1.1.1
Jan 7, 2025 10:19:52.760299921 CET	62109	53	192.168.2.4	1.1.1.1
Jan 7, 2025 10:19:53.131833076 CET	63562	53	192.168.2.4	1.1.1.1
Jan 7, 2025 10:19:53.131983995 CET	58387	53	192.168.2.4	1.1.1.1
Jan 7, 2025 10:19:59.330024958 CET	138	138	192.168.2.4	192.168.2.255
Jan 7, 2025 10:20:00.285105944 CET	53	54238	1.1.1.1	192.168.2.4
Jan 7, 2025 10:20:04.140742064 CET	53	52883	1.1.1.1	192.168.2.4
Jan 7, 2025 10:20:19.332762957 CET	53	57568	1.1.1.1	192.168.2.4
Jan 7, 2025 10:20:41.051913977 CET	53	63242	1.1.1.1	192.168.2.4
Jan 7, 2025 10:20:42.420197964 CET	53	54986	1.1.1.1	192.168.2.4

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Jan 7, 2025 10:19:47.276741982 CET	192.168.2.4	1.1.1.1	c22c	(Port unreachable)	Destination Unreachable
Jan 7, 2025 10:19:53.162276030 CET	192.168.2.4	1.1.1.1	c271	(Port unreachable)	Destination Unreachable

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 10:19:47.279303074 CET	433	OUT	GET /Kv3PL3bahS66 HTTP/1.1 Host: zpr.io Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9
Jan 7, 2025 10:19:47.740748882 CET	338	IN	HTTP/1.1 301 Moved Permanently Server: awselb/2.0 Date: Tue, 07 Jan 2025 09:19:47 GMT Content-Type: text/html Content-Length: 134 Connection: keep-alive Location: https://zpr.io:443/Kv3PL3bahS66 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center></body></html>
Jan 7, 2025 10:20:32.746074915 CET	6	OUT	Data Raw: 00 Data Ascii:

Timestamp	Bytes transferred	Direction	Data
2025-01-07 09:19:48 UTC	661	OUT	GET /Kv3PL3bahS66 HTTP/1.1 Host: zpr.io Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-07 09:19:48 UTC	174	IN	HTTP/1.1 302 FOUND Date: Tue, 07 Jan 2025 09:19:48 GMT Content-Type: text/html; charset=utf-8 Content-Length: 233 Connection: close Location: http://185.91.69.44/rd/
2025-01-07 09:19:48 UTC	233	IN	Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 52 65 64 69 72 65 63 74 69 6e 67 2e 2e 2e 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 52 65 64 69 72 65 63 74 69 6e 67 2e 2e 2e 3c 2f 68 31 3e 0a 3c 70 3e 59 6f 75 20 73 68 6f 75 6c 64 20 62 65 20 72 65 64 69 72 65 63 74 65 64 20 61 75 74 6f 6d 61 74 69 63 61 6c 6c 79 20 74 6f 20 74 68 65 20 74 61 72 67 65 74 20 55 52 4c 3a 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 31 38 35 2e 39 31 2e 36 39 2e 34 34 2f 72 64 2f 22 3e 68 74 74 70 3a 2f 2f 31 38 35 2e 39 31 2e 36 39 2e 34 34 2f 72 64 2f 3c 2f 61 3e 2e 20 49 66 20 6e 6f 74 2c 20 63 6c 69 63 6b 20 74 68 65 20 6c 69 6e 6b 2e 0a Data Ascii: <!doctype html><html lang=en><title>Redirecting...</title><h1>Redirecting...</h1><p>You should be redirected automatically to the target URL: <a href="http://185.91.69.44/rd/">http://185.91.69.44/rd/</a>. If not, click the link.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report http://zpr.io/Kv3PL3bahS66#/yl4Wu36827Bu431QZ961hL12343hL3105bG14HH36065Ve26730Ek67523jA69203Zh08983yN1415487657=

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Networking

System Summary

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Chrome Cache Entry: 47

Chrome Cache Entry: 48

Chrome Cache Entry: 49

Chrome Cache Entry: 50

Chrome Cache Entry: 51

Chrome Cache Entry: 52

Chrome Cache Entry: 53

Chrome Cache Entry: 54

Chrome Cache Entry: 55

Chrome Cache Entry: 56

Chrome Cache Entry: 57

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: chrome.exePID: 2300, Parent PID: 2696

Windows Analysis Report
http://zpr.io/Kv3PL3bahS66#/yl4Wu36827Bu431QZ961hL12343hL3105bG14HH36065Ve26730Ek67523jA69203Zh08983yN1415487657=

Target ID:	0
Start time:	04:19:36
Start date:	07/01/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	1
Start time:	04:19:40
Start date:	07/01/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 --field-trial-handle=2024,i,14318130927498366969,5453730431632746573,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	3
Start time:	04:19:46
Start date:	07/01/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "http://zpr.io/Kv3PL3bahS66#/yl4Wu36827Bu431QZ961hL12343hL3105bG14HH36065Ve26730Ek67523jA69203Zh08983yN1415487657="
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre