Edit tour

Windows Analysis Report
http://xml-v4.srvqck9.com

Overview

General Information

Sample URL:	http://xml-v4.srvqck9.com
Analysis ID:	1646847
Infos:

Detection

Score:	48
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Creates files inside the system directory

Deletes files inside the Windows folder

Detected suspicious crossdomain redirect

Classification

Process Tree

System is w10x64

chrome.exe (PID: 3772 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 2548 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2056,i,1636166008410916481,985019589278040204,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2068 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 6904 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://xml-v4.srvqck9.com" MD5: E81F54E6C1129887AEA47E7D092680BF)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• AV Detection
• Phishing
• Compliance
• Networking
• System Summary

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://popunder.bid/favicon.ico

Avira URL Cloud: Label: malware

Source: https://popunder.bid/

HTTP Parser: No favicon

Source: unknown	HTTPS traffic detected: 142.251.40.228:443 -> 192.168.2.4:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 198.134.116.19:443 -> 192.168.2.4:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 72.167.252.76:443 -> 192.168.2.4:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.18.11.207:443 -> 192.168.2.4:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.222:443 -> 192.168.2.4:49735 version: TLS 1.2

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

HTTP traffic: Redirect from: xml-v4.srvqck9.com to http://popunder.bid/

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 2.17.190.73
Source: unknown	TCP traffic detected without corresponding DNS query: 2.17.190.73
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.80.99
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.80.99
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.80.99
Source: unknown	TCP traffic detected without corresponding DNS query: 2.17.190.73
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.80.99
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.80.99
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 2.17.190.73
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 2.17.190.73
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 2.17.190.73
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 2.17.190.73
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.80.99

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: xml-v4.srvqck9.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: popunder.bidConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /bootstrap/3.1.0/css/bootstrap.min.css HTTP/1.1Host: netdna.bootstrapcdn.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleSec-Fetch-Storage-Access: activeReferer: https://popunder.bid/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: popunder.bidConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://popunder.bid/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /r/gsr1.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: /If-Modified-Since: Tue, 07 Jan 2025 07:28:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog
Source: global traffic	HTTP traffic detected: GET /r/r4.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: /If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: xml-v4.srvqck9.com
Source: global traffic	DNS traffic detected: DNS query: popunder.bid
Source: global traffic	DNS traffic detected: DNS query: netdna.bootstrapcdn.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 24 Mar 2025 09:09:20 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1

Source: chromecache_53.2.dr	String found in binary or memory: http://getbootstrap.com)
Source: chromecache_53.2.dr	String found in binary or memory: https://github.com/twbs/bootstrap/blob/master/LICENSE)

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 49680 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735

Source: unknown	HTTPS traffic detected: 142.251.40.228:443 -> 192.168.2.4:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 198.134.116.19:443 -> 192.168.2.4:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 72.167.252.76:443 -> 192.168.2.4:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.18.11.207:443 -> 192.168.2.4:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.222:443 -> 192.168.2.4:49735 version: TLS 1.2

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Windows\SystemTemp\scoped_dir3772_1237653789

Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File deleted: C:\Windows\SystemTemp\scoped_dir3772_1237653789

Jump to behavior

Source: classification engine

Classification label: mal48.win@22/6@10/5

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2056,i,1636166008410916481,985019589278040204,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2068 /prefetch:3
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://xml-v4.srvqck9.com"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2056,i,1636166008410916481,985019589278040204,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2068 /prefetch:3	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	1 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	3 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 File Deletion	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	3 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
http://xml-v4.srvqck9.com	0%	Avira URL Cloud	safe

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://xml-v4.srvqck9.com/	0%	Avira URL Cloud	safe
https://popunder.bid/favicon.ico	100%	Avira URL Cloud	malware

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Reputation
netdna.bootstrapcdn.com	104.18.11.207	true	false	high
popunder.bid	72.167.252.76	true	false	unknown
adright.xml-v4.ak-is2.net	198.134.116.19	true	false	high
www.google.com	142.251.40.228	true	false	high
xml-v4.srvqck9.com	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://xml-v4.srvqck9.com/	false	Avira URL Cloud: safe	unknown
https://netdna.bootstrapcdn.com/bootstrap/3.1.0/css/bootstrap.min.css	false		high
https://popunder.bid/favicon.ico	false	Avira URL Cloud: malware	unknown
https://popunder.bid/	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://github.com/twbs/bootstrap/blob/master/LICENSE)	chromecache_53.2.dr	false		high
http://getbootstrap.com)	chromecache_53.2.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.251.40.228	www.google.com	United States	15169	GOOGLEUS	false
72.167.252.76	popunder.bid	United States	26496	AS-26496-GO-DADDY-COM-LLCUS	false
198.134.116.19	adright.xml-v4.ak-is2.net	United States	27257	WEBAIR-INTERNETUS	false
104.18.11.207	netdna.bootstrapcdn.com	United States	13335	CLOUDFLARENETUS	false

Private

IP
192.168.2.4

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1646847
Start date and time:	2025-03-24 10:08:14 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	http://xml-v4.srvqck9.com
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal48.win@22/6@10/5

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, RuntimeBroker.exe, ShellExperienceHost.exe, SIHClient.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.251.40.142, 142.251.40.227, 142.251.167.84, 142.250.72.110, 142.251.41.3, 142.251.32.110, 142.251.40.206, 142.250.81.238, 23.203.176.221, 199.232.214.172, 142.250.80.78, 142.251.35.174, 142.251.40.110, 142.250.72.99, 142.250.176.206, 142.251.41.14, 142.251.40.195, 23.204.23.20, 4.245.163.56
Excluded domains from analysis (whitelisted): fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, clientservices.googleapis.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, redirector.gvt1.com, update.googleapis.com, clients.l.google.com, c.pki.goog
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: http://xml-v4.srvqck9.com

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

Chrome Cache Entry: 51

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text
Category:	downloaded
Size (bytes):	824
Entropy (8bit):	5.138388483109872
Encrypted:	false
SSDEEP:	12:qTpNVy7KSELAYiMbsQdyecbKUdHf7F7PArA+0Lcju4WH9QlV3mYvQb:0pNVC202sIyGl0LOuT9QP3xm
MD5:	7DCCA03DC78E47E88A5ED7C5AA99B7CC
SHA1:	3C9624D956F9F61648560E45AC37ABD2C7B01749
SHA-256:	E174B1C1BA782F11BC8C90B7F1EDE589EF76CF108064EA91BE54F1FC3A1B4F53
SHA-512:	3BD63A966A943ABCDF9714EFEE000A9E36702D79DFA7AA9B1CC47125029AF4F94398F8AE90C3A0988CA6670AF034F9D110EF8DEE4FD43FE0C9B11403F2609680
Malicious:	false
Reputation:	low
URL:	https://popunder.bid/
Preview:	<!doctype html>.<html>.<head>.<title>popunder.bid</title>.<meta name="viewport" content="width=device-width, initial-scale=1.0">.<link href="//netdna.bootstrapcdn.com/bootstrap/3.1.0/css/bootstrap.min.css" rel="stylesheet" id="bootstrap-css">.</head>.<style>.body {..background-color:#ffffff;..margin:0;..padding:10px;.}..main {..background-position: center;..background-repeat: no-repeat;..background-size: contain;..min-height:200px;.}..content p {..text-align:center;..font-family: open sans;..font-size:16px;..line-height:28px;.}.</style>.<body>..<div class="main"></div>..<div class="content">...<p>Hey there! This url is used for ad serving. If you have any<br> questions, would like to monetize your traffic or run an ad campaign please<br><a href="mailto:info@popunder.bid">CONTACT US</a></p>..</div>.</body>.</html>

Chrome Cache Entry: 52

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text
Category:	downloaded
Size (bytes):	315
Entropy (8bit):	5.0572271090563765
Encrypted:	false
SSDEEP:	6:pn0+Dy9xwGObRmEr6VnetdzRx3G0CezoFEHcLgabzjsKtgsg93wzRbKqD:J0+oxBeRmR9etdzRxGezZfCzjsKtgizR
MD5:	A34AC19F4AFAE63ADC5D2F7BC970C07F
SHA1:	A82190FC530C265AA40A045C21770D967F4767B8
SHA-256:	D5A89E26BEAE0BC03AD18A0B0D1D3D75F87C32047879D25DA11970CB5C4662A3
SHA-512:	42E53D96E5961E95B7A984D9C9778A1D3BD8EE0C87B8B3B515FA31F67C2D073C8565AFC2F4B962C43668C4EFA1E478DA9BB0ECFFA79479C7E880731BC4C55765
Malicious:	false
Reputation:	low
URL:	https://popunder.bid/favicon.ico
Preview:	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL was not found on this server.</p>.<p>Additionally, a 404 Not Found.error was encountered while trying to use an ErrorDocument to handle the request.</p>.</body></html>.

Chrome Cache Entry: 53

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (65366)
Category:	downloaded
Size (bytes):	101595
Entropy (8bit):	5.114764853341008
Encrypted:	false
SSDEEP:	768:CbB4YDHYZJwnYJ82GxwmsBW/kzarbZbO6xNCMBm0Cp89ifTXtQJar:uIknYJ8jwU/k+U60f89aXv
MD5:	937876BACFEFA6AD4B64756B3834D94C
SHA1:	6BFE09A746F64D12EC484D17767A7FD011BF5FB3
SHA-256:	11C74AED50911D54C04455FE1D9C04F42C5F6CF438A94976F890F25F2A59F699
SHA-512:	79C60B0468798903CA91D0628E9FAD547324151D8DD977DBB04F37FFD9C533FAB048BB2300F19197BCFE8E90168F9127C36B38352FBD8476FF57184FD425188D
Malicious:	false
Reputation:	low
URL:	https://netdna.bootstrapcdn.com/bootstrap/3.1.0/css/bootstrap.min.css
Preview:	/!. Bootstrap v3.1.0 (http://getbootstrap.com). * Copyright 2011-2014 Twitter, Inc.. * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE). /../! normalize.css v3.0.0 \| MIT License \| git.io/normalize */html{font-family:sans-serif;-ms-text-size-adjust:100%;-webkit-text-size-adjust:100%}body{margin:0}article,aside,details,figcaption,figure,footer,header,hgroup,main,nav,section,summary{display:block}audio,canvas,progress,video{display:inline-block;vertical-align:baseline}audio:not([controls]){display:none;height:0}[hidden],template{display:none}a{background:0 0}a:active,a:hover{outline:0}abbr[title]{border-bottom:1px dotted}b,strong{font-weight:700}dfn{font-style:italic}h1{font-size:2em;margin:.67em 0}mark{background:#ff0;color:#000}small{font-size:80%}sub,sup{font-size:75%;line-height:0;position:relative;vertical-align:baseline}sup{top:-.5em}sub{bottom:-.25em}img{border:0}svg:not(:root){overflow:hidden}figure{margin:1em 40px}hr{-moz-box-sizing:content-box;box-

Static File Info

⊘No static file info

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 150
• 443 (HTTPS)
• 80 (HTTP)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 24, 2025 10:09:12.192652941 CET	49671	443	192.168.2.4	204.79.197.203
Mar 24, 2025 10:09:12.601185083 CET	49671	443	192.168.2.4	204.79.197.203
Mar 24, 2025 10:09:13.224426985 CET	49671	443	192.168.2.4	204.79.197.203
Mar 24, 2025 10:09:14.427813053 CET	49671	443	192.168.2.4	204.79.197.203
Mar 24, 2025 10:09:14.858645916 CET	49720	443	192.168.2.4	142.251.40.228
Mar 24, 2025 10:09:14.858696938 CET	443	49720	142.251.40.228	192.168.2.4
Mar 24, 2025 10:09:14.858753920 CET	49720	443	192.168.2.4	142.251.40.228
Mar 24, 2025 10:09:14.858952045 CET	49720	443	192.168.2.4	142.251.40.228
Mar 24, 2025 10:09:14.858963013 CET	443	49720	142.251.40.228	192.168.2.4
Mar 24, 2025 10:09:15.058933973 CET	443	49720	142.251.40.228	192.168.2.4
Mar 24, 2025 10:09:15.059016943 CET	49720	443	192.168.2.4	142.251.40.228
Mar 24, 2025 10:09:15.060801029 CET	49720	443	192.168.2.4	142.251.40.228
Mar 24, 2025 10:09:15.060823917 CET	443	49720	142.251.40.228	192.168.2.4
Mar 24, 2025 10:09:15.061146021 CET	443	49720	142.251.40.228	192.168.2.4
Mar 24, 2025 10:09:15.115309000 CET	49720	443	192.168.2.4	142.251.40.228
Mar 24, 2025 10:09:16.833842993 CET	49671	443	192.168.2.4	204.79.197.203
Mar 24, 2025 10:09:17.737143993 CET	49724	80	192.168.2.4	198.134.116.19
Mar 24, 2025 10:09:17.737498999 CET	49725	80	192.168.2.4	198.134.116.19
Mar 24, 2025 10:09:17.757602930 CET	49726	443	192.168.2.4	198.134.116.19
Mar 24, 2025 10:09:17.757635117 CET	443	49726	198.134.116.19	192.168.2.4
Mar 24, 2025 10:09:17.757843018 CET	49726	443	192.168.2.4	198.134.116.19
Mar 24, 2025 10:09:17.757966042 CET	49726	443	192.168.2.4	198.134.116.19
Mar 24, 2025 10:09:17.757975101 CET	443	49726	198.134.116.19	192.168.2.4
Mar 24, 2025 10:09:17.829998016 CET	80	49724	198.134.116.19	192.168.2.4
Mar 24, 2025 10:09:17.830089092 CET	49724	80	192.168.2.4	198.134.116.19
Mar 24, 2025 10:09:17.830935001 CET	80	49725	198.134.116.19	192.168.2.4
Mar 24, 2025 10:09:17.831041098 CET	49725	80	192.168.2.4	198.134.116.19
Mar 24, 2025 10:09:18.061069965 CET	443	49726	198.134.116.19	192.168.2.4
Mar 24, 2025 10:09:18.061165094 CET	49726	443	192.168.2.4	198.134.116.19
Mar 24, 2025 10:09:18.062333107 CET	49726	443	192.168.2.4	198.134.116.19
Mar 24, 2025 10:09:18.062344074 CET	443	49726	198.134.116.19	192.168.2.4
Mar 24, 2025 10:09:18.062695980 CET	443	49726	198.134.116.19	192.168.2.4
Mar 24, 2025 10:09:18.063062906 CET	49726	443	192.168.2.4	198.134.116.19
Mar 24, 2025 10:09:18.108335018 CET	443	49726	198.134.116.19	192.168.2.4
Mar 24, 2025 10:09:18.160799980 CET	443	49726	198.134.116.19	192.168.2.4
Mar 24, 2025 10:09:18.160887003 CET	443	49726	198.134.116.19	192.168.2.4
Mar 24, 2025 10:09:18.161118031 CET	49726	443	192.168.2.4	198.134.116.19
Mar 24, 2025 10:09:18.163127899 CET	49726	443	192.168.2.4	198.134.116.19
Mar 24, 2025 10:09:18.163141012 CET	443	49726	198.134.116.19	192.168.2.4
Mar 24, 2025 10:09:18.275878906 CET	49727	443	192.168.2.4	72.167.252.76
Mar 24, 2025 10:09:18.275928020 CET	443	49727	72.167.252.76	192.168.2.4
Mar 24, 2025 10:09:18.276024103 CET	49727	443	192.168.2.4	72.167.252.76
Mar 24, 2025 10:09:18.276177883 CET	49727	443	192.168.2.4	72.167.252.76
Mar 24, 2025 10:09:18.276190996 CET	443	49727	72.167.252.76	192.168.2.4
Mar 24, 2025 10:09:18.760760069 CET	443	49727	72.167.252.76	192.168.2.4
Mar 24, 2025 10:09:18.760864019 CET	49727	443	192.168.2.4	72.167.252.76
Mar 24, 2025 10:09:18.888335943 CET	49727	443	192.168.2.4	72.167.252.76
Mar 24, 2025 10:09:18.888365030 CET	443	49727	72.167.252.76	192.168.2.4
Mar 24, 2025 10:09:18.888710976 CET	443	49727	72.167.252.76	192.168.2.4
Mar 24, 2025 10:09:18.895047903 CET	49727	443	192.168.2.4	72.167.252.76
Mar 24, 2025 10:09:18.936330080 CET	443	49727	72.167.252.76	192.168.2.4
Mar 24, 2025 10:09:19.059564114 CET	443	49727	72.167.252.76	192.168.2.4
Mar 24, 2025 10:09:19.059735060 CET	443	49727	72.167.252.76	192.168.2.4
Mar 24, 2025 10:09:19.059824944 CET	49727	443	192.168.2.4	72.167.252.76
Mar 24, 2025 10:09:19.111838102 CET	49727	443	192.168.2.4	72.167.252.76
Mar 24, 2025 10:09:19.111905098 CET	443	49727	72.167.252.76	192.168.2.4
Mar 24, 2025 10:09:19.248152971 CET	49728	443	192.168.2.4	104.18.11.207
Mar 24, 2025 10:09:19.248240948 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.248343945 CET	49728	443	192.168.2.4	104.18.11.207
Mar 24, 2025 10:09:19.248476982 CET	49728	443	192.168.2.4	104.18.11.207
Mar 24, 2025 10:09:19.248508930 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.459104061 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.459192038 CET	49728	443	192.168.2.4	104.18.11.207
Mar 24, 2025 10:09:19.460335016 CET	49728	443	192.168.2.4	104.18.11.207
Mar 24, 2025 10:09:19.460352898 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.460604906 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.460841894 CET	49728	443	192.168.2.4	104.18.11.207
Mar 24, 2025 10:09:19.508363962 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.704540014 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.704606056 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.704642057 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.704669952 CET	49728	443	192.168.2.4	104.18.11.207
Mar 24, 2025 10:09:19.704679012 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.704703093 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.704722881 CET	49728	443	192.168.2.4	104.18.11.207
Mar 24, 2025 10:09:19.704740047 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.704770088 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.704780102 CET	49728	443	192.168.2.4	104.18.11.207
Mar 24, 2025 10:09:19.704786062 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.704845905 CET	49728	443	192.168.2.4	104.18.11.207
Mar 24, 2025 10:09:19.704850912 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.704916954 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.704962969 CET	49728	443	192.168.2.4	104.18.11.207
Mar 24, 2025 10:09:19.704968929 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.705077887 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.705128908 CET	49728	443	192.168.2.4	104.18.11.207
Mar 24, 2025 10:09:19.705133915 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.705374956 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.705404997 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.705437899 CET	49728	443	192.168.2.4	104.18.11.207
Mar 24, 2025 10:09:19.705451012 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.705486059 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.705497980 CET	49728	443	192.168.2.4	104.18.11.207
Mar 24, 2025 10:09:19.705502033 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.705563068 CET	49728	443	192.168.2.4	104.18.11.207
Mar 24, 2025 10:09:19.705916882 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.706041098 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.706074953 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.706087112 CET	49728	443	192.168.2.4	104.18.11.207
Mar 24, 2025 10:09:19.706093073 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.706140995 CET	49728	443	192.168.2.4	104.18.11.207
Mar 24, 2025 10:09:19.706146002 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.707916021 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.707948923 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.707973957 CET	49728	443	192.168.2.4	104.18.11.207
Mar 24, 2025 10:09:19.707982063 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.708023071 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.708045006 CET	49728	443	192.168.2.4	104.18.11.207
Mar 24, 2025 10:09:19.708050013 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.709002018 CET	49728	443	192.168.2.4	104.18.11.207
Mar 24, 2025 10:09:19.709007025 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.709083080 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.709127903 CET	49728	443	192.168.2.4	104.18.11.207
Mar 24, 2025 10:09:19.709134102 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.709213972 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.709245920 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.709259033 CET	49728	443	192.168.2.4	104.18.11.207
Mar 24, 2025 10:09:19.709264040 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.709304094 CET	49728	443	192.168.2.4	104.18.11.207
Mar 24, 2025 10:09:19.709886074 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.709954023 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.709985971 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.710000038 CET	49728	443	192.168.2.4	104.18.11.207
Mar 24, 2025 10:09:19.710006952 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.710047960 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.710067034 CET	49728	443	192.168.2.4	104.18.11.207
Mar 24, 2025 10:09:19.710071087 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.710103989 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.710117102 CET	49728	443	192.168.2.4	104.18.11.207
Mar 24, 2025 10:09:19.710122108 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.710146904 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.710182905 CET	49728	443	192.168.2.4	104.18.11.207
Mar 24, 2025 10:09:19.710187912 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.710230112 CET	49728	443	192.168.2.4	104.18.11.207
Mar 24, 2025 10:09:19.756565094 CET	49728	443	192.168.2.4	104.18.11.207
Mar 24, 2025 10:09:19.804317951 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.804408073 CET	49728	443	192.168.2.4	104.18.11.207
Mar 24, 2025 10:09:19.804420948 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.804471016 CET	49728	443	192.168.2.4	104.18.11.207
Mar 24, 2025 10:09:19.804528952 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.804585934 CET	49728	443	192.168.2.4	104.18.11.207
Mar 24, 2025 10:09:19.805107117 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.805175066 CET	49728	443	192.168.2.4	104.18.11.207
Mar 24, 2025 10:09:19.805177927 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.805190086 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.805233002 CET	49728	443	192.168.2.4	104.18.11.207
Mar 24, 2025 10:09:19.806200981 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.806240082 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.806266069 CET	49728	443	192.168.2.4	104.18.11.207
Mar 24, 2025 10:09:19.806276083 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.806303978 CET	49728	443	192.168.2.4	104.18.11.207
Mar 24, 2025 10:09:19.807820082 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.807895899 CET	49728	443	192.168.2.4	104.18.11.207
Mar 24, 2025 10:09:19.807902098 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.807951927 CET	49728	443	192.168.2.4	104.18.11.207
Mar 24, 2025 10:09:19.808244944 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.808300018 CET	49728	443	192.168.2.4	104.18.11.207
Mar 24, 2025 10:09:19.808332920 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.808382988 CET	49728	443	192.168.2.4	104.18.11.207
Mar 24, 2025 10:09:19.808620930 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.808679104 CET	49728	443	192.168.2.4	104.18.11.207
Mar 24, 2025 10:09:19.808685064 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.808732033 CET	49728	443	192.168.2.4	104.18.11.207
Mar 24, 2025 10:09:19.808738947 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.808751106 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.808820963 CET	49728	443	192.168.2.4	104.18.11.207
Mar 24, 2025 10:09:19.809819937 CET	49728	443	192.168.2.4	104.18.11.207
Mar 24, 2025 10:09:19.809834003 CET	443	49728	104.18.11.207	192.168.2.4
Mar 24, 2025 10:09:19.846612930 CET	49732	443	192.168.2.4	72.167.252.76
Mar 24, 2025 10:09:19.846657038 CET	443	49732	72.167.252.76	192.168.2.4
Mar 24, 2025 10:09:19.846726894 CET	49732	443	192.168.2.4	72.167.252.76
Mar 24, 2025 10:09:19.846939087 CET	49732	443	192.168.2.4	72.167.252.76
Mar 24, 2025 10:09:19.846951008 CET	443	49732	72.167.252.76	192.168.2.4
Mar 24, 2025 10:09:20.166091919 CET	443	49732	72.167.252.76	192.168.2.4
Mar 24, 2025 10:09:20.166433096 CET	49732	443	192.168.2.4	72.167.252.76
Mar 24, 2025 10:09:20.166455030 CET	443	49732	72.167.252.76	192.168.2.4
Mar 24, 2025 10:09:20.166603088 CET	49732	443	192.168.2.4	72.167.252.76
Mar 24, 2025 10:09:20.166608095 CET	443	49732	72.167.252.76	192.168.2.4
Mar 24, 2025 10:09:20.528058052 CET	443	49732	72.167.252.76	192.168.2.4
Mar 24, 2025 10:09:20.528142929 CET	443	49732	72.167.252.76	192.168.2.4
Mar 24, 2025 10:09:20.528192997 CET	49732	443	192.168.2.4	72.167.252.76
Mar 24, 2025 10:09:20.530044079 CET	49732	443	192.168.2.4	72.167.252.76
Mar 24, 2025 10:09:20.530076981 CET	443	49732	72.167.252.76	192.168.2.4
Mar 24, 2025 10:09:20.849473000 CET	49678	443	192.168.2.4	20.189.173.27
Mar 24, 2025 10:09:21.161523104 CET	49678	443	192.168.2.4	20.189.173.27
Mar 24, 2025 10:09:21.646986961 CET	49671	443	192.168.2.4	204.79.197.203
Mar 24, 2025 10:09:21.770905972 CET	49678	443	192.168.2.4	20.189.173.27
Mar 24, 2025 10:09:22.974009991 CET	49678	443	192.168.2.4	20.189.173.27
Mar 24, 2025 10:09:24.132021904 CET	49681	80	192.168.2.4	2.17.190.73
Mar 24, 2025 10:09:24.428957939 CET	49681	80	192.168.2.4	2.17.190.73
Mar 24, 2025 10:09:24.437509060 CET	49709	443	192.168.2.4	131.253.33.254
Mar 24, 2025 10:09:24.439044952 CET	49709	443	192.168.2.4	131.253.33.254
Mar 24, 2025 10:09:24.439308882 CET	49709	443	192.168.2.4	131.253.33.254
Mar 24, 2025 10:09:24.540098906 CET	443	49709	131.253.33.254	192.168.2.4
Mar 24, 2025 10:09:24.541086912 CET	443	49709	131.253.33.254	192.168.2.4
Mar 24, 2025 10:09:24.541187048 CET	443	49709	131.253.33.254	192.168.2.4
Mar 24, 2025 10:09:24.541245937 CET	49709	443	192.168.2.4	131.253.33.254
Mar 24, 2025 10:09:24.541301012 CET	443	49709	131.253.33.254	192.168.2.4
Mar 24, 2025 10:09:24.541342974 CET	49709	443	192.168.2.4	131.253.33.254
Mar 24, 2025 10:09:24.541501045 CET	443	49709	131.253.33.254	192.168.2.4
Mar 24, 2025 10:09:24.541564941 CET	49709	443	192.168.2.4	131.253.33.254
Mar 24, 2025 10:09:24.541778088 CET	49709	443	192.168.2.4	131.253.33.254
Mar 24, 2025 10:09:24.544104099 CET	443	49709	131.253.33.254	192.168.2.4
Mar 24, 2025 10:09:24.544151068 CET	443	49709	131.253.33.254	192.168.2.4
Mar 24, 2025 10:09:24.544171095 CET	49709	443	192.168.2.4	131.253.33.254
Mar 24, 2025 10:09:24.544188976 CET	49709	443	192.168.2.4	131.253.33.254
Mar 24, 2025 10:09:24.551973104 CET	49709	443	192.168.2.4	131.253.33.254
Mar 24, 2025 10:09:24.644349098 CET	443	49709	131.253.33.254	192.168.2.4
Mar 24, 2025 10:09:24.653857946 CET	443	49709	131.253.33.254	192.168.2.4
Mar 24, 2025 10:09:24.656714916 CET	443	49709	131.253.33.254	192.168.2.4
Mar 24, 2025 10:09:24.656771898 CET	49709	443	192.168.2.4	131.253.33.254
Mar 24, 2025 10:09:24.656821012 CET	443	49709	131.253.33.254	192.168.2.4
Mar 24, 2025 10:09:24.656858921 CET	49709	443	192.168.2.4	131.253.33.254
Mar 24, 2025 10:09:24.659619093 CET	49680	443	192.168.2.4	204.79.197.222
Mar 24, 2025 10:09:24.660171032 CET	49735	443	192.168.2.4	204.79.197.222
Mar 24, 2025 10:09:24.660222054 CET	443	49735	204.79.197.222	192.168.2.4
Mar 24, 2025 10:09:24.660296917 CET	49735	443	192.168.2.4	204.79.197.222
Mar 24, 2025 10:09:24.660556078 CET	49735	443	192.168.2.4	204.79.197.222
Mar 24, 2025 10:09:24.660572052 CET	443	49735	204.79.197.222	192.168.2.4
Mar 24, 2025 10:09:24.879287004 CET	49736	80	192.168.2.4	142.250.80.99
Mar 24, 2025 10:09:24.961707115 CET	443	49735	204.79.197.222	192.168.2.4
Mar 24, 2025 10:09:24.961786985 CET	49735	443	192.168.2.4	204.79.197.222
Mar 24, 2025 10:09:24.973968983 CET	80	49736	142.250.80.99	192.168.2.4
Mar 24, 2025 10:09:24.974073887 CET	49736	80	192.168.2.4	142.250.80.99
Mar 24, 2025 10:09:24.974109888 CET	49680	443	192.168.2.4	204.79.197.222
Mar 24, 2025 10:09:24.974890947 CET	49736	80	192.168.2.4	142.250.80.99
Mar 24, 2025 10:09:25.036420107 CET	49681	80	192.168.2.4	2.17.190.73
Mar 24, 2025 10:09:25.070394039 CET	80	49736	142.250.80.99	192.168.2.4
Mar 24, 2025 10:09:25.070893049 CET	80	49736	142.250.80.99	192.168.2.4
Mar 24, 2025 10:09:25.076512098 CET	49736	80	192.168.2.4	142.250.80.99
Mar 24, 2025 10:09:25.094347000 CET	443	49720	142.251.40.228	192.168.2.4
Mar 24, 2025 10:09:25.094485998 CET	443	49720	142.251.40.228	192.168.2.4
Mar 24, 2025 10:09:25.094542980 CET	49720	443	192.168.2.4	142.251.40.228
Mar 24, 2025 10:09:25.173583031 CET	80	49736	142.250.80.99	192.168.2.4
Mar 24, 2025 10:09:25.223844051 CET	49736	80	192.168.2.4	142.250.80.99
Mar 24, 2025 10:09:25.380254984 CET	49678	443	192.168.2.4	20.189.173.27
Mar 24, 2025 10:09:25.583882093 CET	49680	443	192.168.2.4	204.79.197.222
Mar 24, 2025 10:09:26.241002083 CET	49681	80	192.168.2.4	2.17.190.73
Mar 24, 2025 10:09:26.671399117 CET	49720	443	192.168.2.4	142.251.40.228
Mar 24, 2025 10:09:26.671426058 CET	443	49720	142.251.40.228	192.168.2.4
Mar 24, 2025 10:09:26.803538084 CET	49680	443	192.168.2.4	204.79.197.222
Mar 24, 2025 10:09:28.019942045 CET	80	49724	198.134.116.19	192.168.2.4
Mar 24, 2025 10:09:28.020020008 CET	49724	80	192.168.2.4	198.134.116.19
Mar 24, 2025 10:09:28.082287073 CET	80	49725	198.134.116.19	192.168.2.4
Mar 24, 2025 10:09:28.082374096 CET	49725	80	192.168.2.4	198.134.116.19
Mar 24, 2025 10:09:28.646719933 CET	49681	80	192.168.2.4	2.17.190.73
Mar 24, 2025 10:09:28.648924112 CET	49724	80	192.168.2.4	198.134.116.19
Mar 24, 2025 10:09:28.649096966 CET	49725	80	192.168.2.4	198.134.116.19
Mar 24, 2025 10:09:28.744750023 CET	80	49724	198.134.116.19	192.168.2.4
Mar 24, 2025 10:09:28.745475054 CET	80	49725	198.134.116.19	192.168.2.4
Mar 24, 2025 10:09:29.209108114 CET	49680	443	192.168.2.4	204.79.197.222
Mar 24, 2025 10:09:30.193542004 CET	49678	443	192.168.2.4	20.189.173.27
Mar 24, 2025 10:09:31.255379915 CET	49671	443	192.168.2.4	204.79.197.203
Mar 24, 2025 10:09:33.458549023 CET	49681	80	192.168.2.4	2.17.190.73
Mar 24, 2025 10:09:34.021049023 CET	49680	443	192.168.2.4	204.79.197.222
Mar 24, 2025 10:09:39.807356119 CET	49678	443	192.168.2.4	20.189.173.27
Mar 24, 2025 10:09:43.084228992 CET	49681	80	192.168.2.4	2.17.190.73
Mar 24, 2025 10:09:43.631046057 CET	49680	443	192.168.2.4	204.79.197.222
Mar 24, 2025 10:10:14.819983006 CET	49743	443	192.168.2.4	142.251.40.228
Mar 24, 2025 10:10:14.820027113 CET	443	49743	142.251.40.228	192.168.2.4
Mar 24, 2025 10:10:14.820091963 CET	49743	443	192.168.2.4	142.251.40.228
Mar 24, 2025 10:10:14.820476055 CET	49743	443	192.168.2.4	142.251.40.228
Mar 24, 2025 10:10:14.820488930 CET	443	49743	142.251.40.228	192.168.2.4
Mar 24, 2025 10:10:15.025820971 CET	443	49743	142.251.40.228	192.168.2.4
Mar 24, 2025 10:10:15.026268959 CET	49743	443	192.168.2.4	142.251.40.228
Mar 24, 2025 10:10:15.026299000 CET	443	49743	142.251.40.228	192.168.2.4
Mar 24, 2025 10:10:25.040461063 CET	443	49743	142.251.40.228	192.168.2.4
Mar 24, 2025 10:10:25.040555954 CET	443	49743	142.251.40.228	192.168.2.4
Mar 24, 2025 10:10:25.040637016 CET	49743	443	192.168.2.4	142.251.40.228
Mar 24, 2025 10:10:25.474679947 CET	49736	80	192.168.2.4	142.250.80.99
Mar 24, 2025 10:10:25.572247028 CET	80	49736	142.250.80.99	192.168.2.4
Mar 24, 2025 10:10:25.572348118 CET	49736	80	192.168.2.4	142.250.80.99
Mar 24, 2025 10:10:26.648518085 CET	49743	443	192.168.2.4	142.251.40.228
Mar 24, 2025 10:10:26.648612976 CET	443	49743	142.251.40.228	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 24, 2025 10:09:13.030369043 CET	53	51031	1.1.1.1	192.168.2.4
Mar 24, 2025 10:09:13.033025026 CET	53	60645	1.1.1.1	192.168.2.4
Mar 24, 2025 10:09:13.583590984 CET	53	50435	1.1.1.1	192.168.2.4
Mar 24, 2025 10:09:13.760891914 CET	53	52678	1.1.1.1	192.168.2.4
Mar 24, 2025 10:09:14.757764101 CET	60201	53	192.168.2.4	1.1.1.1
Mar 24, 2025 10:09:14.758867025 CET	52493	53	192.168.2.4	1.1.1.1
Mar 24, 2025 10:09:14.856781960 CET	53	60201	1.1.1.1	192.168.2.4
Mar 24, 2025 10:09:14.857768059 CET	53	52493	1.1.1.1	192.168.2.4
Mar 24, 2025 10:09:17.629882097 CET	53340	53	192.168.2.4	1.1.1.1
Mar 24, 2025 10:09:17.630120993 CET	61798	53	192.168.2.4	1.1.1.1
Mar 24, 2025 10:09:17.649141073 CET	62661	53	192.168.2.4	1.1.1.1
Mar 24, 2025 10:09:17.649343014 CET	63479	53	192.168.2.4	1.1.1.1
Mar 24, 2025 10:09:17.732986927 CET	53	53340	1.1.1.1	192.168.2.4
Mar 24, 2025 10:09:17.735876083 CET	53	61798	1.1.1.1	192.168.2.4
Mar 24, 2025 10:09:17.751898050 CET	53	62661	1.1.1.1	192.168.2.4
Mar 24, 2025 10:09:17.756925106 CET	53	63479	1.1.1.1	192.168.2.4
Mar 24, 2025 10:09:18.165925026 CET	62520	53	192.168.2.4	1.1.1.1
Mar 24, 2025 10:09:18.166230917 CET	50980	53	192.168.2.4	1.1.1.1
Mar 24, 2025 10:09:18.273442984 CET	53	50980	1.1.1.1	192.168.2.4
Mar 24, 2025 10:09:18.275177002 CET	53	62520	1.1.1.1	192.168.2.4
Mar 24, 2025 10:09:19.140887976 CET	50523	53	192.168.2.4	1.1.1.1
Mar 24, 2025 10:09:19.141036034 CET	56329	53	192.168.2.4	1.1.1.1
Mar 24, 2025 10:09:19.241647959 CET	53	56329	1.1.1.1	192.168.2.4
Mar 24, 2025 10:09:19.242770910 CET	53	50523	1.1.1.1	192.168.2.4
Mar 24, 2025 10:09:30.821953058 CET	53	53029	1.1.1.1	192.168.2.4
Mar 24, 2025 10:09:49.691842079 CET	53	53289	1.1.1.1	192.168.2.4
Mar 24, 2025 10:10:12.110114098 CET	53	56932	1.1.1.1	192.168.2.4
Mar 24, 2025 10:10:12.422826052 CET	53	59142	1.1.1.1	192.168.2.4
Mar 24, 2025 10:10:16.501420021 CET	53	53836	1.1.1.1	192.168.2.4
Mar 24, 2025 10:10:20.402244091 CET	138	138	192.168.2.4	192.168.2.255

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 24, 2025 10:09:14.757764101 CET	192.168.2.4	1.1.1.1	0xd633	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Mar 24, 2025 10:09:14.758867025 CET	192.168.2.4	1.1.1.1	0x7f8a	Standard query (0)	www.google.com	65	IN (0x0001)	false
Mar 24, 2025 10:09:17.629882097 CET	192.168.2.4	1.1.1.1	0x28a5	Standard query (0)	xml-v4.srvqck9.com	A (IP address)	IN (0x0001)	false
Mar 24, 2025 10:09:17.630120993 CET	192.168.2.4	1.1.1.1	0x5e40	Standard query (0)	xml-v4.srvqck9.com	65	IN (0x0001)	false
Mar 24, 2025 10:09:17.649141073 CET	192.168.2.4	1.1.1.1	0x8f6d	Standard query (0)	xml-v4.srvqck9.com	A (IP address)	IN (0x0001)	false
Mar 24, 2025 10:09:17.649343014 CET	192.168.2.4	1.1.1.1	0xec0e	Standard query (0)	xml-v4.srvqck9.com	65	IN (0x0001)	false
Mar 24, 2025 10:09:18.165925026 CET	192.168.2.4	1.1.1.1	0x199d	Standard query (0)	popunder.bid	A (IP address)	IN (0x0001)	false
Mar 24, 2025 10:09:18.166230917 CET	192.168.2.4	1.1.1.1	0x708e	Standard query (0)	popunder.bid	65	IN (0x0001)	false
Mar 24, 2025 10:09:19.140887976 CET	192.168.2.4	1.1.1.1	0x8dff	Standard query (0)	netdna.bootstrapcdn.com	A (IP address)	IN (0x0001)	false
Mar 24, 2025 10:09:19.141036034 CET	192.168.2.4	1.1.1.1	0x28b6	Standard query (0)	netdna.bootstrapcdn.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 24, 2025 10:09:14.856781960 CET	1.1.1.1	192.168.2.4	0xd633	No error (0)	www.google.com		142.251.40.228	A (IP address)	IN (0x0001)	false
Mar 24, 2025 10:09:14.857768059 CET	1.1.1.1	192.168.2.4	0x7f8a	No error (0)	www.google.com			65	IN (0x0001)	false
Mar 24, 2025 10:09:17.732986927 CET	1.1.1.1	192.168.2.4	0x28a5	No error (0)	xml-v4.srvqck9.com	adright.xml-v4.ak-is2.net		CNAME (Canonical name)	IN (0x0001)	false
Mar 24, 2025 10:09:17.732986927 CET	1.1.1.1	192.168.2.4	0x28a5	No error (0)	adright.xml-v4.ak-is2.net		198.134.116.19	A (IP address)	IN (0x0001)	false
Mar 24, 2025 10:09:17.735876083 CET	1.1.1.1	192.168.2.4	0x5e40	No error (0)	xml-v4.srvqck9.com	adright.xml-v4.ak-is2.net		CNAME (Canonical name)	IN (0x0001)	false
Mar 24, 2025 10:09:17.751898050 CET	1.1.1.1	192.168.2.4	0x8f6d	No error (0)	xml-v4.srvqck9.com	adright.xml-v4.ak-is2.net		CNAME (Canonical name)	IN (0x0001)	false
Mar 24, 2025 10:09:17.751898050 CET	1.1.1.1	192.168.2.4	0x8f6d	No error (0)	adright.xml-v4.ak-is2.net		198.134.116.19	A (IP address)	IN (0x0001)	false
Mar 24, 2025 10:09:17.756925106 CET	1.1.1.1	192.168.2.4	0xec0e	No error (0)	xml-v4.srvqck9.com	adright.xml-v4.ak-is2.net		CNAME (Canonical name)	IN (0x0001)	false
Mar 24, 2025 10:09:18.275177002 CET	1.1.1.1	192.168.2.4	0x199d	No error (0)	popunder.bid		72.167.252.76	A (IP address)	IN (0x0001)	false
Mar 24, 2025 10:09:19.241647959 CET	1.1.1.1	192.168.2.4	0x28b6	No error (0)	netdna.bootstrapcdn.com			65	IN (0x0001)	false
Mar 24, 2025 10:09:19.242770910 CET	1.1.1.1	192.168.2.4	0x8dff	No error (0)	netdna.bootstrapcdn.com		104.18.11.207	A (IP address)	IN (0x0001)	false
Mar 24, 2025 10:09:19.242770910 CET	1.1.1.1	192.168.2.4	0x8dff	No error (0)	netdna.bootstrapcdn.com		104.18.10.207	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

xml-v4.srvqck9.com

popunder.bid

netdna.bootstrapcdn.com

c.pki.goog

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.2.4	49736	142.250.80.99	80

Timestamp	Bytes transferred	Direction	Data
Mar 24, 2025 10:09:24.974890947 CET	202	OUT	GET /r/gsr1.crl HTTP/1.1 Cache-Control: max-age = 3000 Connection: Keep-Alive Accept: / If-Modified-Since: Tue, 07 Jan 2025 07:28:00 GMT User-Agent: Microsoft-CryptoAPI/10.0 Host: c.pki.goog
Mar 24, 2025 10:09:25.070893049 CET	223	IN	HTTP/1.1 304 Not Modified Date: Mon, 24 Mar 2025 08:33:27 GMT Expires: Mon, 24 Mar 2025 09:23:27 GMT Age: 2158 Last-Modified: Tue, 07 Jan 2025 07:28:00 GMT Cache-Control: public, max-age=3000 Vary: Accept-Encoding
Mar 24, 2025 10:09:25.076512098 CET	200	OUT	GET /r/r4.crl HTTP/1.1 Cache-Control: max-age = 3000 Connection: Keep-Alive Accept: / If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMT User-Agent: Microsoft-CryptoAPI/10.0 Host: c.pki.goog
Mar 24, 2025 10:09:25.173583031 CET	223	IN	HTTP/1.1 304 Not Modified Date: Mon, 24 Mar 2025 08:33:30 GMT Expires: Mon, 24 Mar 2025 09:23:30 GMT Age: 2155 Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT Cache-Control: public, max-age=3000 Vary: Accept-Encoding

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49726	198.134.116.19	443	2548	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-24 09:09:18 UTC	668	OUT	GET / HTTP/1.1 Host: xml-v4.srvqck9.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9
2025-03-24 09:09:18 UTC	169	IN	HTTP/1.1 302 Found Server: nginx Date: Mon, 24 Mar 2025 09:09:18 GMT Content-Length: 0 Connection: close Cache-Control: no-store Location: http://popunder.bid/

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49727	72.167.252.76	443	2548	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-24 09:09:18 UTC	662	OUT	GET / HTTP/1.1 Host: popunder.bid Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9
2025-03-24 09:09:19 UTC	289	IN	HTTP/1.1 200 OK Date: Mon, 24 Mar 2025 09:09:18 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Last-Modified: Wed, 29 Jun 2022 07:38:52 GMT ETag: "3f00ab0-338-5e2913e9a7b00" Accept-Ranges: bytes Content-Length: 824 Vary: Accept-Encoding Content-Type: text/html
2025-03-24 09:09:19 UTC	824	IN	Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 70 6f 70 75 6e 64 65 72 2e 62 69 64 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 6e 65 74 64 6e 61 2e 62 6f 6f 74 73 74 72 61 70 63 64 6e 2e 63 6f 6d 2f 62 6f 6f 74 73 74 72 61 70 2f 33 2e 31 2e 30 2f 63 73 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 22 62 6f 6f 74 73 74 72 61 70 2d 63 73 73 22 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 73 74 79 Data Ascii: <!doctype html><html><head><title>popunder.bid</title><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//netdna.bootstrapcdn.com/bootstrap/3.1.0/css/bootstrap.min.css" rel="stylesheet" id="bootstrap-css"></head><sty

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49728	104.18.11.207	443	2548	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-24 09:09:19 UTC	611	OUT	GET /bootstrap/3.1.0/css/bootstrap.min.css HTTP/1.1 Host: netdna.bootstrapcdn.com Connection: keep-alive sec-ch-ua-platform: "Windows" User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 Accept: text/css,/;q=0.1 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: style Sec-Fetch-Storage-Access: active Referer: https://popunder.bid/ Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9
2025-03-24 09:09:19 UTC	952	IN	HTTP/1.1 200 OK Date: Mon, 24 Mar 2025 09:09:19 GMT Content-Type: text/css; charset=utf-8 Transfer-Encoding: chunked Connection: close CDN-PullZone: 252412 CDN-Uid: b1941f61-b576-4f40-80de-5677acb38f74 CDN-RequestCountryCode: US Vary: Accept-Encoding Access-Control-Allow-Origin: * Cache-Control: public, max-age=31919000 ETag: W/"937876bacfefa6ad4b64756b3834d94c" Last-Modified: Mon, 25 Jan 2021 22:03:56 GMT CDN-ProxyVer: 1.06 CDN-RequestPullSuccess: True CDN-RequestPullCode: 200 CDN-CachedAt: 12/16/2024 22:47:45 CDN-EdgeStorageId: 1029 timing-allow-origin: * cross-origin-resource-policy: cross-origin X-Content-Type-Options: nosniff CDN-Status: 200 CDN-RequestTime: 0 CDN-RequestId: 0dd60180494f62c422730fdfe69051e7 CDN-Cache: HIT CF-Cache-Status: HIT Age: 258115 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Server: cloudflare CF-RAY: 9255076db9c2f799-EWR alt-svc: h3=":443"; ma=86400
2025-03-24 09:09:19 UTC	417	IN	Data Raw: 37 62 66 61 0d 0a 2f 2a 21 0a 20 2a 20 42 6f 6f 74 73 74 72 61 70 20 76 33 2e 31 2e 30 20 28 68 74 74 70 3a 2f 2f 67 65 74 62 6f 6f 74 73 74 72 61 70 2e 63 6f 6d 29 0a 20 2a 20 43 6f 70 79 72 69 67 68 74 20 32 30 31 31 2d 32 30 31 34 20 54 77 69 74 74 65 72 2c 20 49 6e 63 2e 0a 20 2a 20 4c 69 63 65 6e 73 65 64 20 75 6e 64 65 72 20 4d 49 54 20 28 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 63 6f 6d 2f 74 77 62 73 2f 62 6f 6f 74 73 74 72 61 70 2f 62 6c 6f 62 2f 6d 61 73 74 65 72 2f 4c 49 43 45 4e 53 45 29 0a 20 2a 2f 0a 0a 2f 2a 21 20 6e 6f 72 6d 61 6c 69 7a 65 2e 63 73 73 20 76 33 2e 30 2e 30 20 7c 20 4d 49 54 20 4c 69 63 65 6e 73 65 20 7c 20 67 69 74 2e 69 6f 2f 6e 6f 72 6d 61 6c 69 7a 65 20 2a 2f 68 74 6d 6c 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 73 61 Data Ascii: 7bfa/! Bootstrap v3.1.0 (http://getbootstrap.com) * Copyright 2011-2014 Twitter, Inc. * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE) //! normalize.css v3.0.0 \| MIT License \| git.io/normalize */html{font-family:sa
2025-03-24 09:09:19 UTC	1369	IN	Data Raw: 72 79 7b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 7d 61 75 64 69 6f 2c 63 61 6e 76 61 73 2c 70 72 6f 67 72 65 73 73 2c 76 69 64 65 6f 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 62 61 73 65 6c 69 6e 65 7d 61 75 64 69 6f 3a 6e 6f 74 28 5b 63 6f 6e 74 72 6f 6c 73 5d 29 7b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 3b 68 65 69 67 68 74 3a 30 7d 5b 68 69 64 64 65 6e 5d 2c 74 65 6d 70 6c 61 74 65 7b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 7d 61 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 30 20 30 7d 61 3a 61 63 74 69 76 65 2c 61 3a 68 6f 76 65 72 7b 6f 75 74 6c 69 6e 65 3a 30 7d 61 62 62 72 5b 74 69 74 6c 65 5d 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 64 6f 74 74 65 64 7d 62 2c 73 74 72 6f 6e 67 7b Data Ascii: ry{display:block}audio,canvas,progress,video{display:inline-block;vertical-align:baseline}audio:not([controls]){display:none;height:0}[hidden],template{display:none}a{background:0 0}a:active,a:hover{outline:0}abbr[title]{border-bottom:1px dotted}b,strong{
2025-03-24 09:09:19 UTC	1369	IN	Data Raw: 6f 78 2d 73 69 7a 69 6e 67 3a 63 6f 6e 74 65 6e 74 2d 62 6f 78 7d 69 6e 70 75 74 5b 74 79 70 65 3d 73 65 61 72 63 68 5d 3a 3a 2d 77 65 62 6b 69 74 2d 73 65 61 72 63 68 2d 63 61 6e 63 65 6c 2d 62 75 74 74 6f 6e 2c 69 6e 70 75 74 5b 74 79 70 65 3d 73 65 61 72 63 68 5d 3a 3a 2d 77 65 62 6b 69 74 2d 73 65 61 72 63 68 2d 64 65 63 6f 72 61 74 69 6f 6e 7b 2d 77 65 62 6b 69 74 2d 61 70 70 65 61 72 61 6e 63 65 3a 6e 6f 6e 65 7d 66 69 65 6c 64 73 65 74 7b 62 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 73 69 6c 76 65 72 3b 6d 61 72 67 69 6e 3a 30 20 32 70 78 3b 70 61 64 64 69 6e 67 3a 2e 33 35 65 6d 20 2e 36 32 35 65 6d 20 2e 37 35 65 6d 7d 6c 65 67 65 6e 64 7b 62 6f 72 64 65 72 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 74 65 78 74 61 72 65 61 7b 6f 76 65 72 66 6c Data Ascii: ox-sizing:content-box}input[type=search]::-webkit-search-cancel-button,input[type=search]::-webkit-search-decoration{-webkit-appearance:none}fieldset{border:1px solid silver;margin:0 2px;padding:.35em .625em .75em}legend{border:0;padding:0}textarea{overfl
2025-03-24 09:09:19 UTC	1369	IN	Data Raw: 7a 65 3a 36 32 2e 35 25 3b 2d 77 65 62 6b 69 74 2d 74 61 70 2d 68 69 67 68 6c 69 67 68 74 2d 63 6f 6c 6f 72 3a 72 67 62 61 28 30 2c 30 2c 30 2c 30 29 7d 62 6f 64 79 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 78 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 34 32 38 35 37 31 34 32 39 3b 63 6f 6c 6f 72 3a 23 33 33 33 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 66 66 66 7d 69 6e 70 75 74 2c 62 75 74 74 6f 6e 2c 73 65 6c 65 63 74 2c 74 65 78 74 61 72 65 61 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 69 6e 68 65 72 69 74 3b 66 6f 6e 74 2d 73 69 7a 65 3a 69 6e 68 65 72 69 74 3b 6c 69 6e 65 Data Ascii: ze:62.5%;-webkit-tap-highlight-color:rgba(0,0,0,0)}body{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:14px;line-height:1.428571429;color:#333;background-color:#fff}input,button,select,textarea{font-family:inherit;font-size:inherit;line
2025-03-24 09:09:19 UTC	1369	IN	Data Raw: 2e 68 36 20 2e 73 6d 61 6c 6c 7b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 3b 63 6f 6c 6f 72 3a 23 39 39 39 7d 68 31 2c 2e 68 31 2c 68 32 2c 2e 68 32 2c 68 33 2c 2e 68 33 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 31 30 70 78 7d 68 31 20 73 6d 61 6c 6c 2c 2e 68 31 20 73 6d 61 6c 6c 2c 68 32 20 73 6d 61 6c 6c 2c 2e 68 32 20 73 6d 61 6c 6c 2c 68 33 20 73 6d 61 6c 6c 2c 2e 68 33 20 73 6d 61 6c 6c 2c 68 31 20 2e 73 6d 61 6c 6c 2c 2e 68 31 20 2e 73 6d 61 6c 6c 2c 68 32 20 2e 73 6d 61 6c 6c 2c 2e 68 32 20 2e 73 6d 61 6c 6c 2c 68 33 20 2e 73 6d 61 6c 6c 2c 2e 68 33 20 2e 73 6d 61 6c 6c 7b 66 6f 6e 74 2d 73 69 7a 65 3a 36 35 25 7d 68 34 2c 2e 68 34 2c 68 35 2c 2e 68 35 Data Ascii: .h6 .small{font-weight:400;line-height:1;color:#999}h1,.h1,h2,.h2,h3,.h3{margin-top:20px;margin-bottom:10px}h1 small,.h1 small,h2 small,.h2 small,h3 small,.h3 small,h1 .small,.h1 .small,h2 .small,.h2 .small,h3 .small,.h3 .small{font-size:65%}h4,.h4,h5,.h5
2025-03-24 09:09:19 UTC	1369	IN	Data Raw: 65 32 62 33 7d 2e 62 67 2d 69 6e 66 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 64 39 65 64 66 37 7d 61 2e 62 67 2d 69 6e 66 6f 3a 68 6f 76 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 61 66 64 39 65 65 7d 2e 62 67 2d 77 61 72 6e 69 6e 67 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 66 63 66 38 65 33 7d 61 2e 62 67 2d 77 61 72 6e 69 6e 67 3a 68 6f 76 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 66 37 65 63 62 35 7d 2e 62 67 2d 64 61 6e 67 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 66 32 64 65 64 65 7d 61 2e 62 67 2d 64 61 6e 67 65 72 3a 68 6f 76 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 65 34 62 39 62 39 7d 2e 70 61 67 65 2d 68 65 61 64 65 72 7b 70 61 Data Ascii: e2b3}.bg-info{background-color:#d9edf7}a.bg-info:hover{background-color:#afd9ee}.bg-warning{background-color:#fcf8e3}a.bg-warning:hover{background-color:#f7ecb5}.bg-danger{background-color:#f2dede}a.bg-danger:hover{background-color:#e4b9b9}.page-header{pa
2025-03-24 09:09:19 UTC	1369	IN	Data Raw: 6c 6f 63 6b 71 75 6f 74 65 20 2e 73 6d 61 6c 6c 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 27 5c 32 30 31 34 20 5c 30 30 41 30 27 7d 2e 62 6c 6f 63 6b 71 75 6f 74 65 2d 72 65 76 65 72 73 65 2c 62 6c 6f 63 6b 71 75 6f 74 65 2e 70 75 6c 6c 2d 72 69 67 68 74 7b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 31 35 70 78 3b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 30 3b 62 6f 72 64 65 72 2d 72 69 67 68 74 3a 35 70 78 20 73 6f 6c 69 64 20 23 65 65 65 3b 62 6f 72 64 65 72 2d 6c 65 66 74 3a 30 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 72 69 67 68 74 7d 2e 62 6c 6f 63 6b 71 75 6f 74 65 2d 72 65 76 65 72 73 65 20 66 6f 6f 74 65 72 3a 62 65 66 6f 72 65 2c 62 6c 6f 63 6b 71 75 6f 74 65 2e 70 75 6c 6c 2d 72 69 67 68 74 20 66 6f 6f 74 65 72 3a 62 65 66 6f 72 65 2c 2e 62 6c 6f Data Ascii: lockquote .small:before{content:'\2014 \00A0'}.blockquote-reverse,blockquote.pull-right{padding-right:15px;padding-left:0;border-right:5px solid #eee;border-left:0;text-align:right}.blockquote-reverse footer:before,blockquote.pull-right footer:before,.blo
2025-03-24 09:09:19 UTC	1369	IN	Data Raw: 69 75 73 3a 30 7d 2e 70 72 65 2d 73 63 72 6f 6c 6c 61 62 6c 65 7b 6d 61 78 2d 68 65 69 67 68 74 3a 33 34 30 70 78 3b 6f 76 65 72 66 6c 6f 77 2d 79 3a 73 63 72 6f 6c 6c 7d 2e 63 6f 6e 74 61 69 6e 65 72 7b 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 61 75 74 6f 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 31 35 70 78 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 31 35 70 78 7d 40 6d 65 64 69 61 20 28 6d 69 6e 2d 77 69 64 74 68 3a 37 36 38 70 78 29 7b 2e 63 6f 6e 74 61 69 6e 65 72 7b 77 69 64 74 68 3a 37 35 30 70 78 7d 7d 40 6d 65 64 69 61 20 28 6d 69 6e 2d 77 69 64 74 68 3a 39 39 32 70 78 29 7b 2e 63 6f 6e 74 61 69 6e 65 72 7b 77 69 64 74 68 3a 39 37 30 70 78 7d 7d 40 6d 65 64 69 61 20 28 6d 69 6e 2d 77 69 64 74 68 Data Ascii: ius:0}.pre-scrollable{max-height:340px;overflow-y:scroll}.container{margin-right:auto;margin-left:auto;padding-left:15px;padding-right:15px}@media (min-width:768px){.container{width:750px}}@media (min-width:992px){.container{width:970px}}@media (min-width
2025-03-24 09:09:19 UTC	1369	IN	Data Raw: 74 68 3a 33 33 2e 33 33 33 33 33 33 33 33 33 33 33 33 33 33 25 7d 2e 63 6f 6c 2d 78 73 2d 33 7b 77 69 64 74 68 3a 32 35 25 7d 2e 63 6f 6c 2d 78 73 2d 32 7b 77 69 64 74 68 3a 31 36 2e 36 36 36 36 36 36 36 36 36 36 36 36 36 36 34 25 7d 2e 63 6f 6c 2d 78 73 2d 31 7b 77 69 64 74 68 3a 38 2e 33 33 33 33 33 33 33 33 33 33 33 33 33 33 32 25 7d 2e 63 6f 6c 2d 78 73 2d 70 75 6c 6c 2d 31 32 7b 72 69 67 68 74 3a 31 30 30 25 7d 2e 63 6f 6c 2d 78 73 2d 70 75 6c 6c 2d 31 31 7b 72 69 67 68 74 3a 39 31 2e 36 36 36 36 36 36 36 36 36 36 36 36 36 36 25 7d 2e 63 6f 6c 2d 78 73 2d 70 75 6c 6c 2d 31 30 7b 72 69 67 68 74 3a 38 33 2e 33 33 33 33 33 33 33 33 33 33 33 33 33 34 25 7d 2e 63 6f 6c 2d 78 73 2d 70 75 6c 6c 2d 39 7b 72 69 67 68 74 3a 37 35 25 7d 2e 63 6f 6c 2d 78 73 2d Data Ascii: th:33.33333333333333%}.col-xs-3{width:25%}.col-xs-2{width:16.666666666666664%}.col-xs-1{width:8.333333333333332%}.col-xs-pull-12{right:100%}.col-xs-pull-11{right:91.66666666666666%}.col-xs-pull-10{right:83.33333333333334%}.col-xs-pull-9{right:75%}.col-xs-
2025-03-24 09:09:19 UTC	1369	IN	Data Raw: 74 3a 33 33 2e 33 33 33 33 33 33 33 33 33 33 33 33 33 33 25 7d 2e 63 6f 6c 2d 78 73 2d 6f 66 66 73 65 74 2d 33 7b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 32 35 25 7d 2e 63 6f 6c 2d 78 73 2d 6f 66 66 73 65 74 2d 32 7b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 31 36 2e 36 36 36 36 36 36 36 36 36 36 36 36 36 36 34 25 7d 2e 63 6f 6c 2d 78 73 2d 6f 66 66 73 65 74 2d 31 7b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 38 2e 33 33 33 33 33 33 33 33 33 33 33 33 33 33 32 25 7d 2e 63 6f 6c 2d 78 73 2d 6f 66 66 73 65 74 2d 30 7b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 30 7d 40 6d 65 64 69 61 20 28 6d 69 6e 2d 77 69 64 74 68 3a 37 36 38 70 78 29 7b 2e 63 6f 6c 2d 73 6d 2d 31 2c 2e 63 6f 6c 2d 73 6d 2d 32 2c 2e 63 6f 6c 2d 73 6d 2d 33 2c 2e 63 6f 6c 2d 73 6d 2d 34 2c 2e 63 6f 6c 2d 73 6d 2d Data Ascii: t:33.33333333333333%}.col-xs-offset-3{margin-left:25%}.col-xs-offset-2{margin-left:16.666666666666664%}.col-xs-offset-1{margin-left:8.333333333333332%}.col-xs-offset-0{margin-left:0}@media (min-width:768px){.col-sm-1,.col-sm-2,.col-sm-3,.col-sm-4,.col-sm-

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49732	72.167.252.76	443	2548	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-24 09:09:20 UTC	587	OUT	GET /favicon.ico HTTP/1.1 Host: popunder.bid Connection: keep-alive sec-ch-ua-platform: "Windows" User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://popunder.bid/ Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9
2025-03-24 09:09:20 UTC	164	IN	HTTP/1.1 404 Not Found Date: Mon, 24 Mar 2025 09:09:20 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1
2025-03-24 09:09:20 UTC	315	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use

Statistics

CPU Usage

• chrome.exe
• chrome.exe
• chrome.exe

Click to jump to process

Memory Usage

• chrome.exe
• chrome.exe
• chrome.exe

Click to jump to process

Click to jump to process

System Behavior

Analysis Process: chrome.exePID: 3772, Parent PID: 3472

Function Logs

General

Target ID:	1
Start time:	05:09:07
Start date:	24/03/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Imagebase:	0x7ff786830000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

File Activities

File Opened

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

COM Activities

WMI Operations

Show Windows behavior

Process Activities

Process Created

Process Terminated

Show Windows behavior

Thread Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Token Activities

Token Adjusted

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 2548, Parent PID: 3772

Function Logs

General

Target ID:	2
Start time:	05:09:09
Start date:	24/03/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2056,i,1636166008410916481,985019589278040204,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2068 /prefetch:3
Imagebase:	0x7ff62fc20000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

File Activities

File Opened

Show Windows behavior

Thread Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 6904, Parent PID: 3472

Function Logs

General

Target ID:	4
Start time:	05:09:16
Start date:	24/03/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "http://xml-v4.srvqck9.com"
Imagebase:	0x7ff786830000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

File Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report http://xml-v4.srvqck9.com

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Networking

System Summary

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Chrome Cache Entry: 51

Chrome Cache Entry: 52

Chrome Cache Entry: 53

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: chrome.exePID: 3772, Parent PID: 3472

General

File Activities

File Opened

File Created

File Deleted

File Moved

Other File Operations

Registry Activities

Key Deleted

Windows Analysis Report
http://xml-v4.srvqck9.com