Edit tour

Windows Analysis Report
https://sa1.io/zGQ3

Overview

General Information

Sample URL:	https://sa1.io/zGQ3
Analysis ID:	1622294
Infos:

Detection

Score:	2
Range:	0 - 100
Confidence:	80%

Signatures

Creates files inside the system directory

Deletes files inside the Windows folder

Detected non-DNS traffic on DNS port

Detected suspicious crossdomain redirect

Classification

Process Tree

System is w10x64

chrome.exe (PID: 2496 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 1544 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 --field-trial-handle=2296,i,14037343437910746094,12242113236119137060,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6552 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://sa1.io/zGQ3" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• Phishing
• Networking
• System Summary

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: https://awelassekinsupp.onthewifi.com/nl/

HTTP Parser: No favicon

Source: global traffic

TCP traffic: 192.168.2.4:56452 -> 1.1.1.1:53

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

HTTP traffic: Redirect from: sa1.io to https://awelassekinsupp.onthewifi.com/nl

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 72.247.153.178
Source: unknown	TCP traffic detected without corresponding DNS query: 72.247.153.178
Source: unknown	TCP traffic detected without corresponding DNS query: 217.20.57.41
Source: unknown	TCP traffic detected without corresponding DNS query: 217.20.57.41
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /zGQ3 HTTP/1.1Host: sa1.ioConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /nl HTTP/1.1Host: awelassekinsupp.onthewifi.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /nl/ HTTP/1.1Host: awelassekinsupp.onthewifi.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: awelassekinsupp.onthewifi.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://awelassekinsupp.onthewifi.com/nl/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=dk2f2gmcuom9uat1jrbqhj43v9

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: sa1.io
Source: global traffic	DNS traffic detected: DNS query: awelassekinsupp.onthewifi.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 23 Feb 2025 16:18:43 GMTContent-Type: text/html; charset=UTF-8Content-Length: 150Connection: closeX-Powered-By: PHP/8.3.17Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheSet-Cookie: PHPSESSID=dk2f2gmcuom9uat1jrbqhj43v9; path=/
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 23 Feb 2025 16:18:44 GMTContent-Type: text/htmlContent-Length: 808Connection: closeLast-Modified: Sun, 09 Feb 2025 22:08:48 GMTETag: "328-62dbcd6098dac"Accept-Ranges: bytes

Source: sets.json.0.dr	String found in binary or memory: https://07c225f3.online
Source: sets.json.0.dr	String found in binary or memory: https://24.hu
Source: sets.json.0.dr	String found in binary or memory: https://aajtak.in
Source: sets.json.0.dr	String found in binary or memory: https://abczdrowie.pl
Source: sets.json.0.dr	String found in binary or memory: https://alice.tw
Source: sets.json.0.dr	String found in binary or memory: https://ambitionbox.com
Source: sets.json.0.dr	String found in binary or memory: https://autobild.de
Source: sets.json.0.dr	String found in binary or memory: https://baomoi.com
Source: sets.json.0.dr	String found in binary or memory: https://bild.de
Source: sets.json.0.dr	String found in binary or memory: https://blackrock.com
Source: sets.json.0.dr	String found in binary or memory: https://blackrockadvisorelite.it
Source: sets.json.0.dr	String found in binary or memory: https://bluradio.com
Source: sets.json.0.dr	String found in binary or memory: https://bolasport.com
Source: sets.json.0.dr	String found in binary or memory: https://bonvivir.com
Source: sets.json.0.dr	String found in binary or memory: https://bumbox.com
Source: sets.json.0.dr	String found in binary or memory: https://bunsin.io
Source: sets.json.0.dr	String found in binary or memory: https://businessinsider.com.pl
Source: sets.json.0.dr	String found in binary or memory: https://businesstoday.in
Source: sets.json.0.dr	String found in binary or memory: https://cachematrix.com
Source: sets.json.0.dr	String found in binary or memory: https://cafemedia.com
Source: sets.json.0.dr	String found in binary or memory: https://caracoltv.com
Source: sets.json.0.dr	String found in binary or memory: https://carcostadvisor.be
Source: sets.json.0.dr	String found in binary or memory: https://carcostadvisor.com
Source: sets.json.0.dr	String found in binary or memory: https://carcostadvisor.fr
Source: sets.json.0.dr	String found in binary or memory: https://cardsayings.net
Source: sets.json.0.dr	String found in binary or memory: https://chatbot.com
Source: sets.json.0.dr	String found in binary or memory: https://chennien.com
Source: sets.json.0.dr	String found in binary or memory: https://citybibleforum.org
Source: sets.json.0.dr	String found in binary or memory: https://clarosports.com
Source: sets.json.0.dr	String found in binary or memory: https://clmbtech.com
Source: sets.json.0.dr	String found in binary or memory: https://closeronline.co.uk
Source: sets.json.0.dr	String found in binary or memory: https://clubelpais.com.uy
Source: sets.json.0.dr	String found in binary or memory: https://cmxd.com.mx
Source: sets.json.0.dr	String found in binary or memory: https://cognitive-ai.ru
Source: sets.json.0.dr	String found in binary or memory: https://cognitiveai.ru
Source: sets.json.0.dr	String found in binary or memory: https://commentcamarche.com
Source: sets.json.0.dr	String found in binary or memory: https://commentcamarche.net
Source: sets.json.0.dr	String found in binary or memory: https://computerbild.de
Source: sets.json.0.dr	String found in binary or memory: https://content-loader.com
Source: sets.json.0.dr	String found in binary or memory: https://cookreactor.com
Source: sets.json.0.dr	String found in binary or memory: https://cricbuzz.com
Source: sets.json.0.dr	String found in binary or memory: https://css-load.com
Source: sets.json.0.dr	String found in binary or memory: https://datasign.jp
Source: sets.json.0.dr	String found in binary or memory: https://deccoria.pl
Source: sets.json.0.dr	String found in binary or memory: https://deere.com
Source: sets.json.0.dr	String found in binary or memory: https://desimartini.com
Source: sets.json.0.dr	String found in binary or memory: https://dewarmsteweek.be
Source: sets.json.0.dr	String found in binary or memory: https://drimer.io
Source: sets.json.0.dr	String found in binary or memory: https://drimer.travel
Source: sets.json.0.dr	String found in binary or memory: https://economictimes.com
Source: sets.json.0.dr	String found in binary or memory: https://een.be
Source: sets.json.0.dr	String found in binary or memory: https://efront.com
Source: sets.json.0.dr	String found in binary or memory: https://eleconomista.net
Source: sets.json.0.dr	String found in binary or memory: https://elfinancierocr.com
Source: sets.json.0.dr	String found in binary or memory: https://elgrafico.com
Source: sets.json.0.dr	String found in binary or memory: https://ella.sv
Source: sets.json.0.dr	String found in binary or memory: https://elpais.com.uy
Source: sets.json.0.dr	String found in binary or memory: https://elpais.uy
Source: sets.json.0.dr	String found in binary or memory: https://etfacademy.it
Source: sets.json.0.dr	String found in binary or memory: https://eworkbookcloud.com
Source: sets.json.0.dr	String found in binary or memory: https://eworkbookrequest.com
Source: sets.json.0.dr	String found in binary or memory: https://fakt.pl
Source: sets.json.0.dr	String found in binary or memory: https://finn.no
Source: sets.json.0.dr	String found in binary or memory: https://firstlook.biz
Source: sets.json.0.dr	String found in binary or memory: https://gallito.com.uy
Source: sets.json.0.dr	String found in binary or memory: https://geforcenow.com
Source: sets.json.0.dr	String found in binary or memory: https://gettalkdesk.com
Source: sets.json.0.dr	String found in binary or memory: https://gliadomain.com
Source: sets.json.0.dr	String found in binary or memory: https://gnttv.com
Source: sets.json.0.dr	String found in binary or memory: https://graziadaily.co.uk
Source: sets.json.0.dr	String found in binary or memory: https://grid.id
Source: sets.json.0.dr	String found in binary or memory: https://gridgames.app
Source: sets.json.0.dr	String found in binary or memory: https://growthrx.in
Source: sets.json.0.dr	String found in binary or memory: https://grupolpg.sv
Source: sets.json.0.dr	String found in binary or memory: https://gujaratijagran.com
Source: sets.json.0.dr	String found in binary or memory: https://hapara.com
Source: sets.json.0.dr	String found in binary or memory: https://hazipatika.com
Source: sets.json.0.dr	String found in binary or memory: https://hc1.com
Source: sets.json.0.dr	String found in binary or memory: https://hc1.global
Source: sets.json.0.dr	String found in binary or memory: https://hc1cas.com
Source: sets.json.0.dr	String found in binary or memory: https://hc1cas.global
Source: sets.json.0.dr	String found in binary or memory: https://healthshots.com
Source: sets.json.0.dr	String found in binary or memory: https://hearty.app
Source: sets.json.0.dr	String found in binary or memory: https://hearty.gift
Source: sets.json.0.dr	String found in binary or memory: https://hearty.me
Source: sets.json.0.dr	String found in binary or memory: https://heartymail.com
Source: sets.json.0.dr	String found in binary or memory: https://heatworld.com
Source: sets.json.0.dr	String found in binary or memory: https://helpdesk.com
Source: sets.json.0.dr	String found in binary or memory: https://hindustantimes.com
Source: sets.json.0.dr	String found in binary or memory: https://hj.rs
Source: sets.json.0.dr	String found in binary or memory: https://hjck.com
Source: sets.json.0.dr	String found in binary or memory: https://html-load.cc
Source: sets.json.0.dr	String found in binary or memory: https://html-load.com
Source: sets.json.0.dr	String found in binary or memory: https://human-talk.org
Source: sets.json.0.dr	String found in binary or memory: https://idbs-cloud.com
Source: sets.json.0.dr	String found in binary or memory: https://idbs-dev.com
Source: sets.json.0.dr	String found in binary or memory: https://idbs-eworkbook.com
Source: sets.json.0.dr	String found in binary or memory: https://idbs-staging.com
Source: sets.json.0.dr	String found in binary or memory: https://img-load.com
Source: sets.json.0.dr	String found in binary or memory: https://indiatimes.com
Source: sets.json.0.dr	String found in binary or memory: https://indiatoday.in
Source: sets.json.0.dr	String found in binary or memory: https://indiatodayne.in
Source: sets.json.0.dr	String found in binary or memory: https://infoedgeindia.com
Source: sets.json.0.dr	String found in binary or memory: https://interia.pl
Source: sets.json.0.dr	String found in binary or memory: https://intoday.in
Source: sets.json.0.dr	String found in binary or memory: https://iolam.it
Source: sets.json.0.dr	String found in binary or memory: https://ishares.com
Source: sets.json.0.dr	String found in binary or memory: https://jagran.com
Source: sets.json.0.dr	String found in binary or memory: https://johndeere.com
Source: sets.json.0.dr	String found in binary or memory: https://journaldesfemmes.com
Source: sets.json.0.dr	String found in binary or memory: https://journaldesfemmes.fr
Source: sets.json.0.dr	String found in binary or memory: https://journaldunet.com
Source: sets.json.0.dr	String found in binary or memory: https://journaldunet.fr
Source: sets.json.0.dr	String found in binary or memory: https://joyreactor.cc
Source: sets.json.0.dr	String found in binary or memory: https://joyreactor.com
Source: sets.json.0.dr	String found in binary or memory: https://kaksya.in
Source: sets.json.0.dr	String found in binary or memory: https://knowledgebase.com
Source: sets.json.0.dr	String found in binary or memory: https://kompas.com
Source: sets.json.0.dr	String found in binary or memory: https://kompas.tv
Source: sets.json.0.dr	String found in binary or memory: https://kompasiana.com
Source: sets.json.0.dr	String found in binary or memory: https://lanacion.com.ar
Source: sets.json.0.dr	String found in binary or memory: https://landyrev.com
Source: sets.json.0.dr	String found in binary or memory: https://landyrev.ru
Source: sets.json.0.dr	String found in binary or memory: https://laprensagrafica.com
Source: sets.json.0.dr	String found in binary or memory: https://lateja.cr
Source: sets.json.0.dr	String found in binary or memory: https://libero.it
Source: sets.json.0.dr	String found in binary or memory: https://linternaute.com
Source: sets.json.0.dr	String found in binary or memory: https://linternaute.fr
Source: sets.json.0.dr	String found in binary or memory: https://livechat.com
Source: sets.json.0.dr	String found in binary or memory: https://livechatinc.com
Source: sets.json.0.dr	String found in binary or memory: https://livehindustan.com
Source: sets.json.0.dr	String found in binary or memory: https://livemint.com
Source: sets.json.0.dr	String found in binary or memory: https://max.auto
Source: sets.json.0.dr	String found in binary or memory: https://medonet.pl
Source: sets.json.0.dr	String found in binary or memory: https://meo.pt
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.cl
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.co.cr
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.ar
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.bo
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.co
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.do
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.ec
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.gt
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.hn
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.mx
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.ni
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.pa
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.pe
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.py
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.sv
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.uy
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.ve
Source: sets.json.0.dr	String found in binary or memory: https://mercadolivre.com
Source: sets.json.0.dr	String found in binary or memory: https://mercadolivre.com.br
Source: sets.json.0.dr	String found in binary or memory: https://mercadopago.cl
Source: sets.json.0.dr	String found in binary or memory: https://mercadopago.com
Source: sets.json.0.dr	String found in binary or memory: https://mercadopago.com.ar
Source: sets.json.0.dr	String found in binary or memory: https://mercadopago.com.br
Source: sets.json.0.dr	String found in binary or memory: https://mercadopago.com.co
Source: sets.json.0.dr	String found in binary or memory: https://mercadopago.com.ec
Source: sets.json.0.dr	String found in binary or memory: https://mercadopago.com.mx
Source: sets.json.0.dr	String found in binary or memory: https://mercadopago.com.pe
Source: sets.json.0.dr	String found in binary or memory: https://mercadopago.com.uy
Source: sets.json.0.dr	String found in binary or memory: https://mercadopago.com.ve
Source: sets.json.0.dr	String found in binary or memory: https://mercadoshops.cl
Source: sets.json.0.dr	String found in binary or memory: https://mercadoshops.com
Source: sets.json.0.dr	String found in binary or memory: https://mercadoshops.com.ar
Source: sets.json.0.dr	String found in binary or memory: https://mercadoshops.com.br
Source: sets.json.0.dr	String found in binary or memory: https://mercadoshops.com.co
Source: sets.json.0.dr	String found in binary or memory: https://mercadoshops.com.mx
Source: sets.json.0.dr	String found in binary or memory: https://mighty-app.appspot.com
Source: sets.json.0.dr	String found in binary or memory: https://mightytext.net
Source: sets.json.0.dr	String found in binary or memory: https://mittanbud.no
Source: sets.json.0.dr	String found in binary or memory: https://money.pl
Source: sets.json.0.dr	String found in binary or memory: https://motherandbaby.com
Source: sets.json.0.dr	String found in binary or memory: https://mystudentdashboard.com
Source: sets.json.0.dr	String found in binary or memory: https://nacion.com
Source: sets.json.0.dr	String found in binary or memory: https://naukri.com
Source: sets.json.0.dr	String found in binary or memory: https://nidhiacademyonline.com
Source: sets.json.0.dr	String found in binary or memory: https://nien.co
Source: sets.json.0.dr	String found in binary or memory: https://nien.com
Source: sets.json.0.dr	String found in binary or memory: https://nien.org
Source: sets.json.0.dr	String found in binary or memory: https://nlc.hu
Source: sets.json.0.dr	String found in binary or memory: https://nosalty.hu
Source: sets.json.0.dr	String found in binary or memory: https://noticiascaracol.com
Source: sets.json.0.dr	String found in binary or memory: https://nourishingpursuits.com
Source: sets.json.0.dr	String found in binary or memory: https://nvidia.com
Source: sets.json.0.dr	String found in binary or memory: https://o2.pl
Source: sets.json.0.dr	String found in binary or memory: https://ocdn.eu
Source: sets.json.0.dr	String found in binary or memory: https://onet.pl
Source: sets.json.0.dr	String found in binary or memory: https://ottplay.com
Source: sets.json.0.dr	String found in binary or memory: https://p106.net
Source: sets.json.0.dr	String found in binary or memory: https://p24.hu
Source: sets.json.0.dr	String found in binary or memory: https://paula.com.uy
Source: sets.json.0.dr	String found in binary or memory: https://pdmp-apis.no
Source: sets.json.0.dr	String found in binary or memory: https://phonandroid.com
Source: sets.json.0.dr	String found in binary or memory: https://player.pl
Source: sets.json.0.dr	String found in binary or memory: https://plejada.pl
Source: sets.json.0.dr	String found in binary or memory: https://poalim.site
Source: sets.json.0.dr	String found in binary or memory: https://poalim.xyz
Source: sets.json.0.dr	String found in binary or memory: https://pomponik.pl
Source: sets.json.0.dr	String found in binary or memory: https://portalinmobiliario.com
Source: sets.json.0.dr	String found in binary or memory: https://prisjakt.no
Source: sets.json.0.dr	String found in binary or memory: https://pudelek.pl
Source: sets.json.0.dr	String found in binary or memory: https://punjabijagran.com
Source: sets.json.0.dr	String found in binary or memory: https://radio1.be
Source: sets.json.0.dr	String found in binary or memory: https://radio2.be
Source: sets.json.0.dr	String found in binary or memory: https://reactor.cc
Source: sets.json.0.dr	String found in binary or memory: https://repid.org
Source: sets.json.0.dr	String found in binary or memory: https://reshim.org
Source: sets.json.0.dr	String found in binary or memory: https://rws1nvtvt.com
Source: sets.json.0.dr	String found in binary or memory: https://rws2nvtvt.com
Source: sets.json.0.dr	String found in binary or memory: https://rws3nvtvt.com
Source: sets.json.0.dr	String found in binary or memory: https://sackrace.ai
Source: sets.json.0.dr	String found in binary or memory: https://salemoveadvisor.com
Source: sets.json.0.dr	String found in binary or memory: https://salemovefinancial.com
Source: sets.json.0.dr	String found in binary or memory: https://salemovetravel.com
Source: sets.json.0.dr	String found in binary or memory: https://samayam.com
Source: sets.json.0.dr	String found in binary or memory: https://sapo.io
Source: sets.json.0.dr	String found in binary or memory: https://sapo.pt
Source: sets.json.0.dr	String found in binary or memory: https://shock.co
Source: sets.json.0.dr	String found in binary or memory: https://smaker.pl
Source: sets.json.0.dr	String found in binary or memory: https://smoney.vn
Source: sets.json.0.dr	String found in binary or memory: https://smpn106jkt.sch.id
Source: sets.json.0.dr	String found in binary or memory: https://socket-to-me.vip
Source: sets.json.0.dr	String found in binary or memory: https://songshare.com
Source: sets.json.0.dr	String found in binary or memory: https://songstats.com
Source: sets.json.0.dr	String found in binary or memory: https://sporza.be
Source: sets.json.0.dr	String found in binary or memory: https://standardsandpraiserepurpose.com
Source: sets.json.0.dr	String found in binary or memory: https://startlap.hu
Source: sets.json.0.dr	String found in binary or memory: https://startupislandtaiwan.com
Source: sets.json.0.dr	String found in binary or memory: https://startupislandtaiwan.net
Source: sets.json.0.dr	String found in binary or memory: https://startupislandtaiwan.org
Source: sets.json.0.dr	String found in binary or memory: https://stripe.com
Source: sets.json.0.dr	String found in binary or memory: https://stripe.network
Source: sets.json.0.dr	String found in binary or memory: https://stripecdn.com
Source: sets.json.0.dr	String found in binary or memory: https://supereva.it
Source: sets.json.0.dr	String found in binary or memory: https://takeabreak.co.uk
Source: sets.json.0.dr	String found in binary or memory: https://talkdeskqaid.com
Source: sets.json.0.dr	String found in binary or memory: https://talkdeskstgid.com
Source: sets.json.0.dr	String found in binary or memory: https://teacherdashboard.com
Source: sets.json.0.dr	String found in binary or memory: https://technology-revealed.com
Source: sets.json.0.dr	String found in binary or memory: https://terazgotuje.pl
Source: sets.json.0.dr	String found in binary or memory: https://text.com
Source: sets.json.0.dr	String found in binary or memory: https://textyserver.appspot.com
Source: sets.json.0.dr	String found in binary or memory: https://the42.ie
Source: sets.json.0.dr	String found in binary or memory: https://thejournal.ie
Source: sets.json.0.dr	String found in binary or memory: https://thirdspace.org.au
Source: sets.json.0.dr	String found in binary or memory: https://timesinternet.in
Source: sets.json.0.dr	String found in binary or memory: https://timesofindia.com
Source: sets.json.0.dr	String found in binary or memory: https://tolteck.app
Source: sets.json.0.dr	String found in binary or memory: https://tolteck.com
Source: sets.json.0.dr	String found in binary or memory: https://top.pl
Source: sets.json.0.dr	String found in binary or memory: https://tribunnews.com
Source: sets.json.0.dr	String found in binary or memory: https://trytalkdesk.com
Source: sets.json.0.dr	String found in binary or memory: https://tucarro.com
Source: sets.json.0.dr	String found in binary or memory: https://tucarro.com.co
Source: sets.json.0.dr	String found in binary or memory: https://tucarro.com.ve
Source: sets.json.0.dr	String found in binary or memory: https://tvid.in
Source: sets.json.0.dr	String found in binary or memory: https://tvn.pl
Source: sets.json.0.dr	String found in binary or memory: https://tvn24.pl
Source: sets.json.0.dr	String found in binary or memory: https://unotv.com
Source: sets.json.0.dr	String found in binary or memory: https://victorymedium.com
Source: sets.json.0.dr	String found in binary or memory: https://vrt.be
Source: sets.json.0.dr	String found in binary or memory: https://vwo.com
Source: sets.json.0.dr	String found in binary or memory: https://webtru.io
Source: sets.json.0.dr	String found in binary or memory: https://welt.de
Source: sets.json.0.dr	String found in binary or memory: https://wieistmeineip.de
Source: sets.json.0.dr	String found in binary or memory: https://wildix.com
Source: sets.json.0.dr	String found in binary or memory: https://wildixin.com
Source: sets.json.0.dr	String found in binary or memory: https://wingify.com
Source: sets.json.0.dr	String found in binary or memory: https://wordle.at
Source: sets.json.0.dr	String found in binary or memory: https://wp.pl
Source: sets.json.0.dr	String found in binary or memory: https://wpext.pl
Source: sets.json.0.dr	String found in binary or memory: https://www.asadcdn.com
Source: sets.json.0.dr	String found in binary or memory: https://ya.ru
Source: sets.json.0.dr	String found in binary or memory: https://yours.co.uk
Source: sets.json.0.dr	String found in binary or memory: https://zalo.me
Source: sets.json.0.dr	String found in binary or memory: https://zdrowietvn.pl
Source: sets.json.0.dr	String found in binary or memory: https://zingmp3.vn
Source: sets.json.0.dr	String found in binary or memory: https://zoom.com
Source: sets.json.0.dr	String found in binary or memory: https://zoom.us

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56465
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 56465 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping2496_773074905	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping2496_773074905\sets.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping2496_773074905\manifest.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping2496_773074905\LICENSE	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping2496_773074905\_metadata\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping2496_773074905\_metadata\verified_contents.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping2496_773074905\manifest.fingerprint	Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File deleted: C:\Windows\SystemTemp\chrome_BITS_2496_247245892

Jump to behavior

Source: classification engine

Classification label: clean2.win@18/7@6/5

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 --field-trial-handle=2296,i,14037343437910746094,12242113236119137060,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://sa1.io/zGQ3"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 --field-trial-handle=2296,i,14037343437910746094,12242113236119137060,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	1 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	3 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 File Deletion	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	3 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
https://sa1.io/zGQ3	0%	Avira URL Cloud	safe

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.google.com	142.250.181.228	true	false	high
sa1.io	3.33.150.176	true	false	high
awelassekinsupp.onthewifi.com	209.38.22.32	true	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://wieistmeineip.de	sets.json.0.dr	false	high
https://mercadoshops.com.co	sets.json.0.dr	false	high
https://gliadomain.com	sets.json.0.dr	false	high
https://poalim.xyz	sets.json.0.dr	false	high
https://mercadolivre.com	sets.json.0.dr	false	high
https://reshim.org	sets.json.0.dr	false	high
https://nourishingpursuits.com	sets.json.0.dr	false	high
https://medonet.pl	sets.json.0.dr	false	high
https://unotv.com	sets.json.0.dr	false	high
https://mercadoshops.com.br	sets.json.0.dr	false	high
https://joyreactor.cc	sets.json.0.dr	false	high
https://zdrowietvn.pl	sets.json.0.dr	false	high
https://johndeere.com	sets.json.0.dr	false	high
https://songstats.com	sets.json.0.dr	false	high
https://baomoi.com	sets.json.0.dr	false	high
https://supereva.it	sets.json.0.dr	false	high
https://elfinancierocr.com	sets.json.0.dr	false	high
https://bolasport.com	sets.json.0.dr	false	high
https://rws1nvtvt.com	sets.json.0.dr	false	high
https://desimartini.com	sets.json.0.dr	false	high
https://hearty.app	sets.json.0.dr	false	high
https://hearty.gift	sets.json.0.dr	false	high
https://mercadoshops.com	sets.json.0.dr	false	high
https://heartymail.com	sets.json.0.dr	false	high
https://nlc.hu	sets.json.0.dr	false	high
https://p106.net	sets.json.0.dr	false	high
https://radio2.be	sets.json.0.dr	false	high
https://finn.no	sets.json.0.dr	false	high
https://hc1.com	sets.json.0.dr	false	high
https://kompas.tv	sets.json.0.dr	false	high
https://mystudentdashboard.com	sets.json.0.dr	false	high
https://songshare.com	sets.json.0.dr	false	high
https://smaker.pl	sets.json.0.dr	false	high
https://mercadopago.com.mx	sets.json.0.dr	false	high
https://p24.hu	sets.json.0.dr	false	high
https://talkdeskqaid.com	sets.json.0.dr	false	high
https://24.hu	sets.json.0.dr	false	high
https://mercadopago.com.pe	sets.json.0.dr	false	high
https://cardsayings.net	sets.json.0.dr	false	high
https://text.com	sets.json.0.dr	false	high
https://mightytext.net	sets.json.0.dr	false	high
https://pudelek.pl	sets.json.0.dr	false	high
https://hazipatika.com	sets.json.0.dr	false	high
https://joyreactor.com	sets.json.0.dr	false	high
https://cookreactor.com	sets.json.0.dr	false	high
https://wildixin.com	sets.json.0.dr	false	high
https://eworkbookcloud.com	sets.json.0.dr	false	high
https://cognitiveai.ru	sets.json.0.dr	false	high
https://nacion.com	sets.json.0.dr	false	high
https://chennien.com	sets.json.0.dr	false	high
https://drimer.travel	sets.json.0.dr	false	high
https://deccoria.pl	sets.json.0.dr	false	high
https://mercadopago.cl	sets.json.0.dr	false	high
https://talkdeskstgid.com	sets.json.0.dr	false	high
https://naukri.com	sets.json.0.dr	false	high
https://interia.pl	sets.json.0.dr	false	high
https://bonvivir.com	sets.json.0.dr	false	high
https://carcostadvisor.be	sets.json.0.dr	false	high
https://salemovetravel.com	sets.json.0.dr	false	high
https://sapo.io	sets.json.0.dr	false	high
https://wpext.pl	sets.json.0.dr	false	high
https://welt.de	sets.json.0.dr	false	high
https://poalim.site	sets.json.0.dr	false	high
https://drimer.io	sets.json.0.dr	false	high
https://infoedgeindia.com	sets.json.0.dr	false	high
https://blackrockadvisorelite.it	sets.json.0.dr	false	high
https://cognitive-ai.ru	sets.json.0.dr	false	high
https://cafemedia.com	sets.json.0.dr	false	high
https://graziadaily.co.uk	sets.json.0.dr	false	high
https://thirdspace.org.au	sets.json.0.dr	false	high
https://mercadoshops.com.ar	sets.json.0.dr	false	high
https://smpn106jkt.sch.id	sets.json.0.dr	false	high
https://elpais.uy	sets.json.0.dr	false	high
https://landyrev.com	sets.json.0.dr	false	high
https://the42.ie	sets.json.0.dr	false	high
https://commentcamarche.com	sets.json.0.dr	false	high
https://tucarro.com.ve	sets.json.0.dr	false	high
https://rws3nvtvt.com	sets.json.0.dr	false	high
https://eleconomista.net	sets.json.0.dr	false	high
https://helpdesk.com	sets.json.0.dr	false	high
https://mercadolivre.com.br	sets.json.0.dr	false	high
https://clmbtech.com	sets.json.0.dr	false	high
https://standardsandpraiserepurpose.com	sets.json.0.dr	false	high
https://07c225f3.online	sets.json.0.dr	false	high
https://salemovefinancial.com	sets.json.0.dr	false	high
https://mercadopago.com.br	sets.json.0.dr	false	high
https://zoom.us	sets.json.0.dr	false	high
https://commentcamarche.net	sets.json.0.dr	false	high
https://etfacademy.it	sets.json.0.dr	false	high
https://mighty-app.appspot.com	sets.json.0.dr	false	high
https://hj.rs	sets.json.0.dr	false	high
https://hearty.me	sets.json.0.dr	false	high
https://mercadolibre.com.gt	sets.json.0.dr	false	high
https://timesinternet.in	sets.json.0.dr	false	high
https://indiatodayne.in	sets.json.0.dr	false	high
https://idbs-staging.com	sets.json.0.dr	false	high
https://blackrock.com	sets.json.0.dr	false	high
https://idbs-eworkbook.com	sets.json.0.dr	false	high
https://motherandbaby.com	sets.json.0.dr	false	high
https://mercadolibre.co.cr	sets.json.0.dr	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.181.228	www.google.com	United States	15169	GOOGLEUS	false
3.33.150.176	sa1.io	United States	8987	AMAZONEXPANSIONGB	false
209.38.22.32	awelassekinsupp.onthewifi.com	United States	7018	ATT-INTERNET4US	false

Private

IP
192.168.2.4

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1622294
Start date and time:	2025-02-23 17:17:33 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	https://sa1.io/zGQ3
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean2.win@18/7@6/5
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 172.217.16.195, 142.250.185.206, 142.251.168.84, 142.250.185.238, 142.250.186.174, 142.250.181.238, 199.232.214.172, 2.23.77.188, 142.250.186.142, 216.58.206.78, 142.250.185.78, 216.58.206.46, 142.250.184.195, 142.250.184.206, 34.104.35.123, 142.250.186.46, 2.19.106.160, 2.18.97.153, 4.175.87.197, 13.107.246.67
Excluded domains from analysis (whitelisted): fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, clientservices.googleapis.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, redirector.gvt1.com, update.googleapis.com, clients.l.google.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: https://sa1.io/zGQ3

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping2496_773074905\LICENSE

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1558
Entropy (8bit):	5.11458514637545
Encrypted:	false
SSDEEP:	48:OBOCrYJ4rYJVwUCLHDy43HV713XEyMmZ3teTHn:LCrYJ4rYJVwUCHZ3Z13XtdUTH
MD5:	EE002CB9E51BB8DFA89640A406A1090A
SHA1:	49EE3AD535947D8821FFDEB67FFC9BC37D1EBBB2
SHA-256:	3DBD2C90050B652D63656481C3E5871C52261575292DB77D4EA63419F187A55B
SHA-512:	D1FDCC436B8CA8C68D4DC7077F84F803A535BF2CE31D9EB5D0C466B62D6567B2C59974995060403ED757E92245DB07E70C6BDDBF1C3519FED300CC5B9BF9177C
Malicious:	false
Reputation:	low
Preview:	// Copyright 2015 The Chromium Authors. All rights reserved..//.// Redistribution and use in source and binary forms, with or without.// modification, are permitted provided that the following conditions are.// met:.//.// * Redistributions of source code must retain the above copyright.// notice, this list of conditions and the following disclaimer..// * Redistributions in binary form must reproduce the above.// copyright notice, this list of conditions and the following disclaimer.// in the documentation and/or other materials provided with the.// distribution..// * Neither the name of Google Inc. nor the names of its.// contributors may be used to endorse or promote products derived from.// this software without specific prior written permission..//.// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS.// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT.// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR.// A PARTICULAR

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping2496_773074905\_metadata\verified_contents.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1864
Entropy (8bit):	6.016071477261241
Encrypted:	false
SSDEEP:	48:p/hUI1DFp6dAdI37aknWRnjWTHCqBY343lpbjkBMgPMcWdYr:RnDFEQI37aenTe34vbjP9Xu
MD5:	C763E190E16A6AB7278BCD19A87EE814
SHA1:	80387096F161B93A1E2BFE5D0DC4A3F03253C17B
SHA-256:	D0B9603572E0EA17449A0EAEE36DD1BCC034F01B27852E4A47B16BB2CD718C47
SHA-512:	CEB9CA402DF3A3D836AEFD2BE8C6137F306660A2F9BBFE491467A45F797CEB58BDAB5985FA4E896B719FA4644F6F9A7BF4E18EF098663E8AF4D61972BEDA414A
Malicious:	false
Reputation:	low
Preview:	[{"description":"treehash per file","signed_content":{"payload":"eyJjb250ZW50X2hhc2hlcyI6W3siYmxvY2tfc2l6ZSI6NDA5NiwiZGlnZXN0Ijoic2hhMjU2IiwiZmlsZXMiOlt7InBhdGgiOiJMSUNFTlNFIiwicm9vdF9oYXNoIjoiUGIwc2tBVUxaUzFqWldTQnctV0hIRkltRlhVcExiZDlUcVkwR2ZHSHBWcyJ9LHsicGF0aCI6Im1hbmlmZXN0Lmpzb24iLCJyb290X2hhc2giOiJxeGI0QVFNLUZOa2RyZEhBNUMzREJjTHRCb1B6X2p6M2RQMWxwNzlYUUE4In0seyJwYXRoIjoic2V0cy5qc29uIiwicm9vdF9oYXNoIjoiUmNuMkdaOUo2VmZVaE05VkxmaXRwbTJSRTFjd2E2QmRtTTZxTXhHSVRBOCJ9XSwiZm9ybWF0IjoidHJlZWhhc2giLCJoYXNoX2Jsb2NrX3NpemUiOjQwOTZ9XSwiaXRlbV9pZCI6ImdvbnBlbWRna2pjZWNkZ2JuYWFiaXBwcGJtZ2ZnZ2JlIiwiaXRlbV92ZXJzaW9uIjoiMjAyNS4yLjEyLjAiLCJwcm90b2NvbF92ZXJzaW9uIjoxfQ","signatures":[{"header":{"kid":"publisher"},"protected":"eyJhbGciOiJSUzI1NiJ9","signature":"aTpzdRi_xiuaKaWwRYfy_Yr5ZTfo_lptoFSXyG3jKaARbgHpO9uH_VYBl5_U1-CioAoUdRmQY_LzdxXBXIIUKl1nOiFkPK4WWWkhK_Ddnem_R0tmUoMFYfaIwu5BvZG2m76_K0GF7L17W0qIP1A1KtK5y_vWJ21LJOkEV8bugpE_yE-VBxLUrAdQYV8jWGBbt6Me-60g9f9swMPalRz1DhixbOzdnUTY8UNx84OAnW29uVVxp0Dk-S-

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping2496_773074905\manifest.fingerprint

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	66
Entropy (8bit):	3.8839822796016237
Encrypted:	false
SSDEEP:	3:SqSASSUTWVAV3AR8OEcRDGeWH7u3:SpASSUaVAV3S8O/dWHK3
MD5:	29C67C9443BA1281E826D6994B89A2ED
SHA1:	57DB143FAA3476F1575EB778539F6984C701D047
SHA-256:	5F7886667309D2C54F7121541D0DE1C8097E10B6D9BBB3926C2BCC538DFC3210
SHA-512:	212C93D94E97C397E23A9A71DC0975A9A4049EC27A2E22F2B2DE272624351D13E425647D010DB41228B6A12ADDA85DBB16AD6CF381EA2EC93ED4ED6926A911B0
Malicious:	false
Reputation:	low
Preview:	1.ca4b57e7736ca30dcc3245eb2e2d03f79f739a7864fcacc3b31ac08a67e3a1b9

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping2496_773074905\manifest.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	85
Entropy (8bit):	4.405077845741412
Encrypted:	false
SSDEEP:	3:rR6TAulhFphifFCmMARWHJqS1o6A:F6VlM8aRWpqS1ox
MD5:	5CADF08593AC029AE32BCEEB0817D249
SHA1:	6A3BC9ECF1EF7BD5B34933382B5FF6DEFD12E20F
SHA-256:	AB16F801033E14D91DADD1C0E42DC305C2ED0683F3FE3CF774FD65A7BF57400F
SHA-512:	2FBAE0417DC0D86CC631C38ECC44684D356AD707D8F1A21899EB3A82376A6D76EEA88697B0C6DE180C60FFC43B062C7ACEA71D35E120600EB9A1AC992F5EF858
Malicious:	false
Reputation:	low
Preview:	{. "manifest_version": 2,. "name": "First Party Sets",. "version": "2025.2.12.0".}

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping2496_773074905\sets.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	9911
Entropy (8bit):	4.629482317597247
Encrypted:	false
SSDEEP:	96:Mon4mvCuqX19s1blbw/BNKLcxbdmf56MFJtRTGXvcxN43uP+8qJl:v5Cuql7BkIVmtRTGXvcxBsl
MD5:	A37E1072FA7492570CDBD9E27A629C1A
SHA1:	B5D56FADC8824351C34C0C6E85151FD8FD7CC3E3
SHA-256:	B9671DF54E93450E6805481DD78D34B866BAF3FD1269C1358CC273DA33B69CEE
SHA-512:	6372E18C9551E16EC6F879C4300509464AFA52AB5A033F54117E498B80FF3C4F21AD0CD1BD2ECFB081565597FE0E83BD86364529698F7B1A03BF6201BE7D5D35
Malicious:	false
Reputation:	low
Preview:	{"primary":"https://bild.de","associatedSites":["https://welt.de","https://autobild.de","https://computerbild.de","https://wieistmeineip.de"],"serviceSites":["https://www.asadcdn.com"]}.{"primary":"https://blackrock.com","associatedSites":["https://blackrockadvisorelite.it","https://cachematrix.com","https://efront.com","https://etfacademy.it","https://ishares.com"]}.{"primary":"https://cafemedia.com","associatedSites":["https://cardsayings.net","https://nourishingpursuits.com"]}.{"primary":"https://caracoltv.com","associatedSites":["https://noticiascaracol.com","https://bluradio.com","https://shock.co","https://bumbox.com","https://hjck.com"]}.{"primary":"https://carcostadvisor.com","ccTLDs":{"https://carcostadvisor.com":["https://carcostadvisor.be","https://carcostadvisor.fr"]}}.{"primary":"https://citybibleforum.org","associatedSites":["https://thirdspace.org.au"]}.{"primary":"https://cognitiveai.ru","associatedSites":["https://cognitive-ai.ru"]}.{"primary":"https://datasign.jp","as

Chrome Cache Entry: 49

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text
Category:	downloaded
Size (bytes):	808
Entropy (8bit):	4.9078093738349065
Encrypted:	false
SSDEEP:	24:hYj0XJU5DgGeRpbufLUwDdVJUSdEj7RtiKAo1Mc:PS5gGe/uTUwhVJJEjCKN1h
MD5:	A943672A32297727BAB01C3E76977550
SHA1:	3A667C4B7A457EF6C586CC581D533C128737BF53
SHA-256:	B9347F234DC3C8D56E015E86D88A1400415DB8F7A5AD91F02B6A2323C10A4187
SHA-512:	0965D415F3A0CEF31953702FDAE345D46FEFD72CE3C4C7A0255AEDE74A76E10B856892700529A444453A622793E0257248C5C99FAE17D5B0B9FD4118E208068C
Malicious:	false
Reputation:	low
URL:	https://awelassekinsupp.onthewifi.com/favicon.ico
Preview:	<!DOCTYPE html>.<html lang="en">.<head>. <meta charset="utf-8">. <meta http-equiv="x-ua-compatible" content="ie=edge">. <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">. <title>404 Not Found</title>. <link rel="stylesheet" href="/error_docs/styles.css">.</head>.<body>.<div class="page">. <div class="main">. <h1>Server Error</h1>. <div class="error-code">404</div>. <h2>Page Not Found</h2>. <p class="lead">This page either doesn't exist, or it moved somewhere else.</p>. <hr/>. <p>That's what you can do</p>. <div class="help-actions">. <a href="javascript:location.reload();">Reload Page</a>. <a href="javascript:history.back();">Back to Previous Page</a>. <a href="/">Home Page</a>. </div>. </div>.</div>.</body>.</html>

Static File Info

⊘No static file info

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 85
• 443 (HTTPS)
• 80 (HTTP)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 23, 2025 17:18:31.105222940 CET	49675	443	192.168.2.4	173.222.162.32
Feb 23, 2025 17:18:36.723364115 CET	49739	443	192.168.2.4	142.250.181.228
Feb 23, 2025 17:18:36.723438978 CET	443	49739	142.250.181.228	192.168.2.4
Feb 23, 2025 17:18:36.723524094 CET	49739	443	192.168.2.4	142.250.181.228
Feb 23, 2025 17:18:36.723732948 CET	49739	443	192.168.2.4	142.250.181.228
Feb 23, 2025 17:18:36.723767996 CET	443	49739	142.250.181.228	192.168.2.4
Feb 23, 2025 17:18:37.496145964 CET	443	49739	142.250.181.228	192.168.2.4
Feb 23, 2025 17:18:37.496690035 CET	49739	443	192.168.2.4	142.250.181.228
Feb 23, 2025 17:18:37.496716022 CET	443	49739	142.250.181.228	192.168.2.4
Feb 23, 2025 17:18:37.497936010 CET	443	49739	142.250.181.228	192.168.2.4
Feb 23, 2025 17:18:37.498019934 CET	49739	443	192.168.2.4	142.250.181.228
Feb 23, 2025 17:18:37.499285936 CET	49739	443	192.168.2.4	142.250.181.228
Feb 23, 2025 17:18:37.499366045 CET	443	49739	142.250.181.228	192.168.2.4
Feb 23, 2025 17:18:37.543318033 CET	49739	443	192.168.2.4	142.250.181.228
Feb 23, 2025 17:18:37.543329954 CET	443	49739	142.250.181.228	192.168.2.4
Feb 23, 2025 17:18:37.590487957 CET	49739	443	192.168.2.4	142.250.181.228
Feb 23, 2025 17:18:39.023864985 CET	49741	443	192.168.2.4	3.33.150.176
Feb 23, 2025 17:18:39.023974895 CET	443	49741	3.33.150.176	192.168.2.4
Feb 23, 2025 17:18:39.024050951 CET	49741	443	192.168.2.4	3.33.150.176
Feb 23, 2025 17:18:39.024192095 CET	49742	443	192.168.2.4	3.33.150.176
Feb 23, 2025 17:18:39.024241924 CET	443	49742	3.33.150.176	192.168.2.4
Feb 23, 2025 17:18:39.024292946 CET	49742	443	192.168.2.4	3.33.150.176
Feb 23, 2025 17:18:39.024503946 CET	49741	443	192.168.2.4	3.33.150.176
Feb 23, 2025 17:18:39.024549007 CET	443	49741	3.33.150.176	192.168.2.4
Feb 23, 2025 17:18:39.024770021 CET	49742	443	192.168.2.4	3.33.150.176
Feb 23, 2025 17:18:39.024790049 CET	443	49742	3.33.150.176	192.168.2.4
Feb 23, 2025 17:18:39.504436970 CET	443	49742	3.33.150.176	192.168.2.4
Feb 23, 2025 17:18:39.505770922 CET	49742	443	192.168.2.4	3.33.150.176
Feb 23, 2025 17:18:39.505822897 CET	443	49742	3.33.150.176	192.168.2.4
Feb 23, 2025 17:18:39.507380962 CET	443	49742	3.33.150.176	192.168.2.4
Feb 23, 2025 17:18:39.507437944 CET	49742	443	192.168.2.4	3.33.150.176
Feb 23, 2025 17:18:39.512423992 CET	443	49741	3.33.150.176	192.168.2.4
Feb 23, 2025 17:18:39.512645006 CET	49742	443	192.168.2.4	3.33.150.176
Feb 23, 2025 17:18:39.512739897 CET	443	49742	3.33.150.176	192.168.2.4
Feb 23, 2025 17:18:39.512891054 CET	49742	443	192.168.2.4	3.33.150.176
Feb 23, 2025 17:18:39.512904882 CET	443	49742	3.33.150.176	192.168.2.4
Feb 23, 2025 17:18:39.513216019 CET	49741	443	192.168.2.4	3.33.150.176
Feb 23, 2025 17:18:39.513259888 CET	443	49741	3.33.150.176	192.168.2.4
Feb 23, 2025 17:18:39.514686108 CET	443	49741	3.33.150.176	192.168.2.4
Feb 23, 2025 17:18:39.514750004 CET	49741	443	192.168.2.4	3.33.150.176
Feb 23, 2025 17:18:39.515156031 CET	49741	443	192.168.2.4	3.33.150.176
Feb 23, 2025 17:18:39.515233040 CET	443	49741	3.33.150.176	192.168.2.4
Feb 23, 2025 17:18:39.557499886 CET	49742	443	192.168.2.4	3.33.150.176
Feb 23, 2025 17:18:39.560139894 CET	49741	443	192.168.2.4	3.33.150.176
Feb 23, 2025 17:18:39.560163975 CET	443	49741	3.33.150.176	192.168.2.4
Feb 23, 2025 17:18:39.599765062 CET	49741	443	192.168.2.4	3.33.150.176
Feb 23, 2025 17:18:39.629266024 CET	443	49742	3.33.150.176	192.168.2.4
Feb 23, 2025 17:18:39.629435062 CET	443	49742	3.33.150.176	192.168.2.4
Feb 23, 2025 17:18:39.629487038 CET	49742	443	192.168.2.4	3.33.150.176
Feb 23, 2025 17:18:39.661873102 CET	49742	443	192.168.2.4	3.33.150.176
Feb 23, 2025 17:18:39.661904097 CET	443	49742	3.33.150.176	192.168.2.4
Feb 23, 2025 17:18:39.677067041 CET	49744	443	192.168.2.4	209.38.22.32
Feb 23, 2025 17:18:39.677160978 CET	443	49744	209.38.22.32	192.168.2.4
Feb 23, 2025 17:18:39.677486897 CET	49744	443	192.168.2.4	209.38.22.32
Feb 23, 2025 17:18:39.677486897 CET	49744	443	192.168.2.4	209.38.22.32
Feb 23, 2025 17:18:39.677572012 CET	443	49744	209.38.22.32	192.168.2.4
Feb 23, 2025 17:18:40.571604967 CET	443	49744	209.38.22.32	192.168.2.4
Feb 23, 2025 17:18:40.571943045 CET	49744	443	192.168.2.4	209.38.22.32
Feb 23, 2025 17:18:40.571979046 CET	443	49744	209.38.22.32	192.168.2.4
Feb 23, 2025 17:18:40.573441982 CET	443	49744	209.38.22.32	192.168.2.4
Feb 23, 2025 17:18:40.573746920 CET	49744	443	192.168.2.4	209.38.22.32
Feb 23, 2025 17:18:40.575052023 CET	49744	443	192.168.2.4	209.38.22.32
Feb 23, 2025 17:18:40.575052023 CET	49744	443	192.168.2.4	209.38.22.32
Feb 23, 2025 17:18:40.575069904 CET	443	49744	209.38.22.32	192.168.2.4
Feb 23, 2025 17:18:40.575138092 CET	443	49744	209.38.22.32	192.168.2.4
Feb 23, 2025 17:18:40.621999025 CET	49744	443	192.168.2.4	209.38.22.32
Feb 23, 2025 17:18:40.622064114 CET	443	49744	209.38.22.32	192.168.2.4
Feb 23, 2025 17:18:40.670717001 CET	49744	443	192.168.2.4	209.38.22.32
Feb 23, 2025 17:18:41.091516972 CET	443	49744	209.38.22.32	192.168.2.4
Feb 23, 2025 17:18:41.091698885 CET	443	49744	209.38.22.32	192.168.2.4
Feb 23, 2025 17:18:41.091768026 CET	49744	443	192.168.2.4	209.38.22.32
Feb 23, 2025 17:18:41.092324018 CET	49744	443	192.168.2.4	209.38.22.32
Feb 23, 2025 17:18:41.092394114 CET	443	49744	209.38.22.32	192.168.2.4
Feb 23, 2025 17:18:41.092427969 CET	49744	443	192.168.2.4	209.38.22.32
Feb 23, 2025 17:18:41.092456102 CET	49744	443	192.168.2.4	209.38.22.32
Feb 23, 2025 17:18:41.094938993 CET	49745	443	192.168.2.4	209.38.22.32
Feb 23, 2025 17:18:41.095022917 CET	443	49745	209.38.22.32	192.168.2.4
Feb 23, 2025 17:18:41.095113993 CET	49745	443	192.168.2.4	209.38.22.32
Feb 23, 2025 17:18:41.095372915 CET	49745	443	192.168.2.4	209.38.22.32
Feb 23, 2025 17:18:41.095407963 CET	443	49745	209.38.22.32	192.168.2.4
Feb 23, 2025 17:18:41.995882988 CET	443	49745	209.38.22.32	192.168.2.4
Feb 23, 2025 17:18:41.999444008 CET	49745	443	192.168.2.4	209.38.22.32
Feb 23, 2025 17:18:41.999480009 CET	443	49745	209.38.22.32	192.168.2.4
Feb 23, 2025 17:18:42.000410080 CET	443	49745	209.38.22.32	192.168.2.4
Feb 23, 2025 17:18:42.004378080 CET	49745	443	192.168.2.4	209.38.22.32
Feb 23, 2025 17:18:42.004533052 CET	443	49745	209.38.22.32	192.168.2.4
Feb 23, 2025 17:18:42.004565954 CET	49745	443	192.168.2.4	209.38.22.32
Feb 23, 2025 17:18:42.051341057 CET	443	49745	209.38.22.32	192.168.2.4
Feb 23, 2025 17:18:42.059729099 CET	49745	443	192.168.2.4	209.38.22.32
Feb 23, 2025 17:18:43.186676025 CET	443	49745	209.38.22.32	192.168.2.4
Feb 23, 2025 17:18:43.186861992 CET	443	49745	209.38.22.32	192.168.2.4
Feb 23, 2025 17:18:43.187032938 CET	49745	443	192.168.2.4	209.38.22.32
Feb 23, 2025 17:18:43.188050985 CET	49745	443	192.168.2.4	209.38.22.32
Feb 23, 2025 17:18:43.188075066 CET	443	49745	209.38.22.32	192.168.2.4
Feb 23, 2025 17:18:43.271382093 CET	49746	443	192.168.2.4	209.38.22.32
Feb 23, 2025 17:18:43.271465063 CET	443	49746	209.38.22.32	192.168.2.4
Feb 23, 2025 17:18:43.271536112 CET	49746	443	192.168.2.4	209.38.22.32
Feb 23, 2025 17:18:43.273838997 CET	49746	443	192.168.2.4	209.38.22.32
Feb 23, 2025 17:18:43.273860931 CET	443	49746	209.38.22.32	192.168.2.4
Feb 23, 2025 17:18:44.171514034 CET	443	49746	209.38.22.32	192.168.2.4
Feb 23, 2025 17:18:44.174030066 CET	49746	443	192.168.2.4	209.38.22.32
Feb 23, 2025 17:18:44.174069881 CET	443	49746	209.38.22.32	192.168.2.4
Feb 23, 2025 17:18:44.175188065 CET	443	49746	209.38.22.32	192.168.2.4
Feb 23, 2025 17:18:44.175719023 CET	49746	443	192.168.2.4	209.38.22.32
Feb 23, 2025 17:18:44.175895929 CET	443	49746	209.38.22.32	192.168.2.4
Feb 23, 2025 17:18:44.175935030 CET	49746	443	192.168.2.4	209.38.22.32
Feb 23, 2025 17:18:44.219333887 CET	443	49746	209.38.22.32	192.168.2.4
Feb 23, 2025 17:18:44.229233980 CET	49746	443	192.168.2.4	209.38.22.32
Feb 23, 2025 17:18:44.696422100 CET	443	49746	209.38.22.32	192.168.2.4
Feb 23, 2025 17:18:44.696619034 CET	443	49746	209.38.22.32	192.168.2.4
Feb 23, 2025 17:18:44.696681976 CET	49746	443	192.168.2.4	209.38.22.32
Feb 23, 2025 17:18:44.723777056 CET	49746	443	192.168.2.4	209.38.22.32
Feb 23, 2025 17:18:44.723845959 CET	443	49746	209.38.22.32	192.168.2.4
Feb 23, 2025 17:18:47.303536892 CET	49723	80	192.168.2.4	72.247.153.178
Feb 23, 2025 17:18:47.308898926 CET	80	49723	72.247.153.178	192.168.2.4
Feb 23, 2025 17:18:47.308963060 CET	49723	80	192.168.2.4	72.247.153.178
Feb 23, 2025 17:18:47.401089907 CET	443	49739	142.250.181.228	192.168.2.4
Feb 23, 2025 17:18:47.401241064 CET	443	49739	142.250.181.228	192.168.2.4
Feb 23, 2025 17:18:47.401298046 CET	49739	443	192.168.2.4	142.250.181.228
Feb 23, 2025 17:18:47.684339046 CET	49739	443	192.168.2.4	142.250.181.228
Feb 23, 2025 17:18:47.684372902 CET	443	49739	142.250.181.228	192.168.2.4
Feb 23, 2025 17:19:00.872770071 CET	80	49724	217.20.57.41	192.168.2.4
Feb 23, 2025 17:19:00.872926950 CET	49724	80	192.168.2.4	217.20.57.41
Feb 23, 2025 17:19:00.872972965 CET	49724	80	192.168.2.4	217.20.57.41
Feb 23, 2025 17:19:00.877985954 CET	80	49724	217.20.57.41	192.168.2.4
Feb 23, 2025 17:19:24.572885990 CET	49741	443	192.168.2.4	3.33.150.176
Feb 23, 2025 17:19:24.572920084 CET	443	49741	3.33.150.176	192.168.2.4
Feb 23, 2025 17:19:35.050139904 CET	56452	53	192.168.2.4	1.1.1.1
Feb 23, 2025 17:19:35.055993080 CET	53	56452	1.1.1.1	192.168.2.4
Feb 23, 2025 17:19:35.056093931 CET	56452	53	192.168.2.4	1.1.1.1
Feb 23, 2025 17:19:35.061945915 CET	53	56452	1.1.1.1	192.168.2.4
Feb 23, 2025 17:19:35.538321972 CET	56452	53	192.168.2.4	1.1.1.1
Feb 23, 2025 17:19:35.543601036 CET	53	56452	1.1.1.1	192.168.2.4
Feb 23, 2025 17:19:35.543678045 CET	56452	53	192.168.2.4	1.1.1.1
Feb 23, 2025 17:19:36.777477980 CET	56465	443	192.168.2.4	142.250.181.228
Feb 23, 2025 17:19:36.777494907 CET	443	56465	142.250.181.228	192.168.2.4
Feb 23, 2025 17:19:36.777561903 CET	56465	443	192.168.2.4	142.250.181.228
Feb 23, 2025 17:19:36.777854919 CET	56465	443	192.168.2.4	142.250.181.228
Feb 23, 2025 17:19:36.777865887 CET	443	56465	142.250.181.228	192.168.2.4
Feb 23, 2025 17:19:37.452018023 CET	443	56465	142.250.181.228	192.168.2.4
Feb 23, 2025 17:19:37.452368975 CET	56465	443	192.168.2.4	142.250.181.228
Feb 23, 2025 17:19:37.452378988 CET	443	56465	142.250.181.228	192.168.2.4
Feb 23, 2025 17:19:37.452815056 CET	443	56465	142.250.181.228	192.168.2.4
Feb 23, 2025 17:19:37.453236103 CET	56465	443	192.168.2.4	142.250.181.228
Feb 23, 2025 17:19:37.453308105 CET	443	56465	142.250.181.228	192.168.2.4
Feb 23, 2025 17:19:37.494645119 CET	56465	443	192.168.2.4	142.250.181.228
Feb 23, 2025 17:19:39.625516891 CET	443	49741	3.33.150.176	192.168.2.4
Feb 23, 2025 17:19:39.625711918 CET	443	49741	3.33.150.176	192.168.2.4
Feb 23, 2025 17:19:39.625782967 CET	49741	443	192.168.2.4	3.33.150.176
Feb 23, 2025 17:19:39.684492111 CET	49741	443	192.168.2.4	3.33.150.176
Feb 23, 2025 17:19:39.684545040 CET	443	49741	3.33.150.176	192.168.2.4
Feb 23, 2025 17:19:47.361289978 CET	443	56465	142.250.181.228	192.168.2.4
Feb 23, 2025 17:19:47.361454964 CET	443	56465	142.250.181.228	192.168.2.4
Feb 23, 2025 17:19:47.361535072 CET	56465	443	192.168.2.4	142.250.181.228
Feb 23, 2025 17:19:47.683835030 CET	56465	443	192.168.2.4	142.250.181.228
Feb 23, 2025 17:19:47.683866024 CET	443	56465	142.250.181.228	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 23, 2025 17:18:33.221791983 CET	53	54621	1.1.1.1	192.168.2.4
Feb 23, 2025 17:18:33.328574896 CET	53	62710	1.1.1.1	192.168.2.4
Feb 23, 2025 17:18:34.569653988 CET	53	55988	1.1.1.1	192.168.2.4
Feb 23, 2025 17:18:36.714948893 CET	57754	53	192.168.2.4	1.1.1.1
Feb 23, 2025 17:18:36.715090036 CET	54768	53	192.168.2.4	1.1.1.1
Feb 23, 2025 17:18:36.722261906 CET	53	54768	1.1.1.1	192.168.2.4
Feb 23, 2025 17:18:36.722429991 CET	53	57754	1.1.1.1	192.168.2.4
Feb 23, 2025 17:18:38.987379074 CET	59853	53	192.168.2.4	1.1.1.1
Feb 23, 2025 17:18:38.987591982 CET	55598	53	192.168.2.4	1.1.1.1
Feb 23, 2025 17:18:39.009898901 CET	53	59853	1.1.1.1	192.168.2.4
Feb 23, 2025 17:18:39.023607969 CET	53	55598	1.1.1.1	192.168.2.4
Feb 23, 2025 17:18:39.662353039 CET	60928	53	192.168.2.4	1.1.1.1
Feb 23, 2025 17:18:39.663889885 CET	62895	53	192.168.2.4	1.1.1.1
Feb 23, 2025 17:18:39.672468901 CET	53	60928	1.1.1.1	192.168.2.4
Feb 23, 2025 17:18:39.676220894 CET	53	62895	1.1.1.1	192.168.2.4
Feb 23, 2025 17:18:47.136306047 CET	138	138	192.168.2.4	192.168.2.255
Feb 23, 2025 17:18:51.597435951 CET	53	50702	1.1.1.1	192.168.2.4
Feb 23, 2025 17:19:10.395476103 CET	53	58700	1.1.1.1	192.168.2.4
Feb 23, 2025 17:19:32.912622929 CET	53	63044	1.1.1.1	192.168.2.4
Feb 23, 2025 17:19:32.929748058 CET	53	63132	1.1.1.1	192.168.2.4
Feb 23, 2025 17:19:35.049567938 CET	53	57311	1.1.1.1	192.168.2.4

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Feb 23, 2025 17:18:39.023689032 CET	192.168.2.4	1.1.1.1	c22d	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 23, 2025 17:18:36.714948893 CET	192.168.2.4	1.1.1.1	0x5ba	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Feb 23, 2025 17:18:36.715090036 CET	192.168.2.4	1.1.1.1	0xc019	Standard query (0)	www.google.com	65	IN (0x0001)	false
Feb 23, 2025 17:18:38.987379074 CET	192.168.2.4	1.1.1.1	0x6327	Standard query (0)	sa1.io	A (IP address)	IN (0x0001)	false
Feb 23, 2025 17:18:38.987591982 CET	192.168.2.4	1.1.1.1	0x9299	Standard query (0)	sa1.io	65	IN (0x0001)	false
Feb 23, 2025 17:18:39.662353039 CET	192.168.2.4	1.1.1.1	0x5070	Standard query (0)	awelassekinsupp.onthewifi.com	A (IP address)	IN (0x0001)	false
Feb 23, 2025 17:18:39.663889885 CET	192.168.2.4	1.1.1.1	0x948a	Standard query (0)	awelassekinsupp.onthewifi.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Feb 23, 2025 17:18:36.722261906 CET	1.1.1.1	192.168.2.4	0xc019	No error (0)	www.google.com		65	IN (0x0001)	false
Feb 23, 2025 17:18:36.722429991 CET	1.1.1.1	192.168.2.4	0x5ba	No error (0)	www.google.com	142.250.181.228	A (IP address)	IN (0x0001)	false
Feb 23, 2025 17:18:39.009898901 CET	1.1.1.1	192.168.2.4	0x6327	No error (0)	sa1.io	3.33.150.176	A (IP address)	IN (0x0001)	false
Feb 23, 2025 17:18:39.009898901 CET	1.1.1.1	192.168.2.4	0x6327	No error (0)	sa1.io	15.197.129.14	A (IP address)	IN (0x0001)	false
Feb 23, 2025 17:18:39.672468901 CET	1.1.1.1	192.168.2.4	0x5070	No error (0)	awelassekinsupp.onthewifi.com	209.38.22.32	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

sa1.io

awelassekinsupp.onthewifi.com

https:

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49742	3.33.150.176	443	1544	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-02-23 16:18:39 UTC	653	OUT	GET /zGQ3 HTTP/1.1 Host: sa1.io Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-02-23 16:18:39 UTC	809	IN	HTTP/1.1 302 Found Access-Control-Allow-Origin: * Alt-Svc: h3=":8443"; ma=2592000 Content-Length: 0 Content-Security-Policy: default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests Date: Sun, 23 Feb 2025 16:18:39 GMT Expect-Ct: max-age=0 Location: https://awelassekinsupp.onthewifi.com/nl Referrer-Policy: no-referrer Server: Caddy Strict-Transport-Security: max-age=15552000; includeSubDomains X-Content-Type-Options: nosniff X-Dns-Prefetch-Control: off X-Download-Options: noopen X-Frame-Options: SAMEORIGIN X-Permitted-Cross-Domain-Policies: none X-Xss-Protection: 0 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49744	209.38.22.32	443	1544	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-02-23 16:18:40 UTC	674	OUT	GET /nl HTTP/1.1 Host: awelassekinsupp.onthewifi.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-02-23 16:18:41 UTC	248	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Sun, 23 Feb 2025 16:18:40 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 329 Connection: close Location: https://awelassekinsupp.onthewifi.com/nl/ X-Powered-By: PleskLin
2025-02-23 16:18:41 UTC	329	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 61 77 65 6c 61 73 73 65 6b 69 6e 73 75 70 70 2e 6f 6e 74 68 65 77 69 66 69 2e 63 6f 6d 2f 6e 6c 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://awelassekinsupp.onthewifi.com/nl/">here</a>.</p><hr><address>Apache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49745	209.38.22.32	443	1544	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-02-23 16:18:41 UTC	675	OUT	GET /nl/ HTTP/1.1 Host: awelassekinsupp.onthewifi.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-02-23 16:18:43 UTC	352	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sun, 23 Feb 2025 16:18:43 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 150 Connection: close X-Powered-By: PHP/8.3.17 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: PHPSESSID=dk2f2gmcuom9uat1jrbqhj43v9; path=/
2025-02-23 16:18:43 UTC	150	IN	Data Raw: ef bb bf 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 4e 6f 74 20 46 6f 75 6e 64 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 20 34 30 34 3c 2f 68 31 3e 0d 0a 3c 70 3e 59 6f 75 20 61 72 65 20 63 6f 6e 6e 65 63 74 65 64 20 66 72 6f 6d 20 61 20 72 65 6d 6f 74 65 20 6c 6f 63 61 74 69 6f 6e 2e 3c 2f 70 3e 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>Not Found 404</title></head><body><h1>Not Found 404</h1><p>You are connected from a remote location.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49746	209.38.22.32	443	1544	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-02-23 16:18:44 UTC	663	OUT	GET /favicon.ico HTTP/1.1 Host: awelassekinsupp.onthewifi.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://awelassekinsupp.onthewifi.com/nl/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=dk2f2gmcuom9uat1jrbqhj43v9
2025-02-23 16:18:44 UTC	238	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sun, 23 Feb 2025 16:18:44 GMT Content-Type: text/html Content-Length: 808 Connection: close Last-Modified: Sun, 09 Feb 2025 22:08:48 GMT ETag: "328-62dbcd6098dac" Accept-Ranges: bytes
2025-02-23 16:18:44 UTC	808	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 78 2d 75 61 2d 63 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 69 65 3d 65 64 67 65 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <meta http-equiv="x-ua-compatible" content="ie=edge"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <title>404 Not Found</title> <link rel="s

Statistics

CPU Usage

• chrome.exe
• chrome.exe
• chrome.exe

Click to jump to process

Memory Usage

• chrome.exe
• chrome.exe
• chrome.exe

Click to jump to process

Click to jump to process

System Behavior

Analysis Process: chrome.exePID: 2496, Parent PID: 2080

Function Logs

General

Target ID:	0
Start time:	11:18:26
Start date:	23/02/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

File Activities

File Opened

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Activities

Process Created

Process Terminated

Show Windows behavior

Thread Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Token Activities

Token Adjusted

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 1544, Parent PID: 2496

Function Logs

General

Target ID:	2
Start time:	11:18:32
Start date:	23/02/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 --field-trial-handle=2296,i,14037343437910746094,12242113236119137060,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

File Activities

File Opened

Show Windows behavior

Thread Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 6552, Parent PID: 2080

Function Logs

General

Target ID:	3
Start time:	11:18:38
Start date:	23/02/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://sa1.io/zGQ3"
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

File Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://sa1.io/zGQ3

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Phishing

Networking

System Summary

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping2496_773074905\LICENSE

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping2496_773074905\_metadata\verified_contents.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping2496_773074905\manifest.fingerprint

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping2496_773074905\manifest.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping2496_773074905\sets.json

Chrome Cache Entry: 49

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: chrome.exePID: 2496, Parent PID: 2080

General

File Activities

File Opened

File Created

File Deleted

File Moved

Other File Operations

Registry Activities

Key Deleted

Windows Analysis Report
https://sa1.io/zGQ3